Yii2 XSS attack prevention strategy analysis

This article describes the XSS attack prevention strategy of Yii2 with examples. Share it with everyone for your reference, the details are as follows:

XSS vulnerability repair

Principle: Do not trust the data entered by the customer
Note: The attack code is not necessarily in <script></script>

① Change important cookies Marked as http only, in this case, the document.cookie statement in Javascript cannot obtain the cookie.
② Only allow users to enter the data we expect. For example: In the age textbox, users are only allowed to enter numbers. Characters other than numbers are filtered out.
③ Html Encode processing of data
④ Filter or remove special Html tags, such as: script, iframe, < for <, > for >, " for
⑤ Filter JavaScript event tags. For example, "onclick = "," Onfocus "and so on .

XSS prevention

<?php echo CHtml::encode($user->name) ?>

The source code of this method:

/**
* Encodes special characters into HTML entities.
* The [[\yii\base\Application::charset|application charset]] will be used for encoding.
* @param string $content the content to be encoded
* @param boolean $doubleEncode whether to encode HTML entities in `$content`. If false,
* HTML entities in `$content` will not be further encoded.
* @return string the encoded content
* @see decode()
* @see http://www.php.net/manual/en/function.htmlspecialchars.php
*/
public static function encode($content, $doubleEncode = true)
{
  return htmlspecialchars($content, ENT_QUOTES | ENT_SUBSTITUTE, Yii::$app->charset, $doubleEncode);
}

HtmlSpecialchars & HTMLETIES & UrLenCode:

Http:// /php.net/manual/zh/function.htmlspecialchars.php
http://php.net/manual/zh/function.htmlentities.php

http://cn2.php.net/manual/zh/function.urlencode .php

Available flags constants
Constant Name Description
ENT_COMPAT Will convert double-quotes and leave single-quotes alone.
ENT_QUOTES Will convert both double and single quotes.
ENT_NOQUOTES Will leave both double and single quotes unconverted.
ENT_IGNORE Silently discard invalid code unit sequences instead of returning an empty string. Using this flag is discouraged as it » may have security implications.
ENT_SUBSTITUTE Replace invalid code unit sequences with a Unicode Replacement Character U+FFFD (UTF-8) or &#FFFD; ( otherwise) instead of returning an empty string.
ENT_DISALLOWED Replace invalid code points for the given document type with a Unicode Replacement Character U+FFFD (UTF-8) or &#FFFD; (otherwise) instead of leaving them as is. This may be useful, for instance, to ensure the well-formedness of XML documents with embedded external content.
ENT_HTML401 Handle code as HTML 4.01.
ENT_XML1 Handle code as XML 1.
ENT_XHTML Handle code as XHTML.

ENT_HTML5 Handle code as HTML 5 .

htmlspecialchars

Convert special characters to HTML entities

string htmlspecialchars (
      string $string
      [, int $flags = ENT_COMPAT | ENT_HTML401
      [, string $encoding = ini_get("default_charset")
      [, bool $double_encode = true ]
    ]
  ]
)

The translations performed are:

& (ampersand) becomes &
" (double quote) becomes " when ENT_NOQUOTES is not set.
' (single quote) becomes ' (or ') only when ENT_QUOTES is set.
< (less than) becomes <

> (greater than) becomes >

<?php
$new = htmlspecialchars("<a href=&#39;test&#39;>Test</a>", ENT_QUOTES);
echo $new; // <a href=&#39;test&#39;>Test</a>
?>

htmlentities

Convert all applicable characters to HTML entities

string htmlentities (
      string $string
      [, int $flags = ENT_COMPAT | ENT_HTML401
      [, string $encoding = ini_get("default_charset")
      [, bool $double_encode = true ]
    ]
  ]
)

<?php
$str = "A &#39;quote&#39; is <b>bold</b>";
// Outputs: A &#39;quote&#39; is <b>bold</b>
echo htmlentities($str);
// Outputs: A &#39;quote&#39; is <b>bold</b>
echo htmlentities($str, ENT_QUOTES);
?>

urlencode

URL encoding is to comply with the specification of the URL. Because in the standard URL specification, Chinese and many characters are not allowed to appear in the URL.

For example, search for "test Chinese characters" in Baidu. The URL will become

http://www.baidu.com/s?wd=%B2%E2%CA%D4%BA%BA%D7%D6&rsv_bp=0&rsv_spt=3&inputT=7477

The so-called URL encoding is: Non-alphanumeric characters will be replaced with a percent sign (%) followed by two hexadecimal digits, and spaces are encoded as plus signs (+)

All non-alphanumeric characters in this string except -_. All characters will be replaced with a percent sign (%) followed by two hexadecimal digits, and spaces will be encoded as a plus sign (+). This encoding is the same as the encoding of WWW form POST data, and the same encoding as the application/x-www-form-urlencoded media type. For historical reasons, this encoding differs from the RFC1738 encoding (see rawurlencode()) in encoding spaces as plus signs (+).

<?php
echo &#39;<a href="mycgi?foo=&#39;, urlencode($userinput), &#39;">&#39;;
?>

<?php
$query_string = &#39;foo=&#39; . urlencode($foo) . &#39;&bar=&#39; . urlencode($bar);
echo &#39;<a href="mycgi?&#39; . htmlentities($query_string) . &#39;">&#39;;
?>

I hope this article will be helpful to everyone’s PHP program design based on the Yii framework.

For more articles related to Yii2’s XSS attack prevention strategy analysis, please pay attention to the PHP Chinese website! 🎜