yxss-filter

Yii Framework Extensions

Createnew extension

Popular Tags

yxss-filter Use Kohana regexp to sanitize all user input

Documentation
Change Log

This extension is sanitize all user input

Resources ¶

Documentation ¶

Requirements

* Yii 1.0 or above

Installation

* Extract the release file under protected/filters

Usage

Add the following code to your controller.

 public function filters()
 {
            return array(
                    array(
                          'application.filters.YXssFilter',
                          'clean'   => '*',
                          'tags'    => 'strict',
                          'actions' => 'all'
                    )
            );

 }

Change Log ¶

September 10, 2009 ¶

Initial release.

5 1

6 followers

1 144 downloads

Yii Version: 1.1

License: BSD-2-Clause

Category: Security

Tags:

Developed by: xomaa

Created on: Sep 10, 2009

Last updated: 14 years ago

Downloads

YXssFilter.zip

show all

User Contributed Notes 5

#950

0 0

Thanks!

Thanks a lot for this filter!
It's very useful. "must have"

someone at Jan 22, 2010, 7:35:26 AM

#1316

0 0

Great work!

Great work, Andrew!

Bethrezen at Sep 16, 2009, 2:40:45 PM

#3224

0 0

VERY helpful

I put this in my base-controller class from which all other controllers extend. Simple. Now my entire app is protected. From reading the docs for CHtmlPurifier, which does the same thing, it appeared that component performs poorly. So far haven't noticed any performance impact using YXssFilter.

jeremy at Mar 26, 2011, 8:43:05 PM

#4029

0 0

problem using < comparison operator in filters and searches

I still like this extension very much. But if one filters all input types (GET, POST, etc) and all actions, then comparison operations beginning with < do not work. In STRICT mode, PHP strip_tags treats anything starting with < as a tag, and strips to the next whitespace. In SOFT mode, < is changed into < which does not match the regex in CDbCriteria.compare().

My solution was to add logic to preFilter(), to not filter data coming from the 'Admin' action:

if($this->actions != '*' && $this->actions != 'ALL' && !in_array($filterChain->action->id,explode(',',$this->actions)))
{
    return true;
}

// + JJD
if (strtolower($filterChain->action->id) == 'admin')
    return true;

This seems like an acceptable compromise to allow use of comparison operators in filters, and still keeps security in the rest of the app.

jeremy at May 30, 2011, 7:45:56 PM

#9929

2 0

Either use the best or none at all

This falls into the same category antiviruses do. If it can't protect you 99.99% don't use it at all. It will only give you the illusion of safety. Yii builtin purifier uses http://htmlpurifier.org/ which is by far the best. Yes it's heavy, but if used correctly and only when it's actually needed it's excellent. And of course, it's up to you to keep this piece of code always up to date.

Common good practices;
Purify content that is to be rendered as html and may come from an unsafe source (a user. Your website admin has nothing really to gain. In most cases ;))

For any numerical inputs, just cast them (int)$myOption. For textboxes, max length can be a huge time savier. For text areas coming from outside... purify :)

That's pretty much all you need to keep your site XSS safe.

Elecen at Sep 23, 2012, 4:50:12 PM

Categories