Method analysis of Yii2's XSS attack prevention strategy

This article mainly introduces the XSS attack prevention strategy of Yii2. It analyzes the principle of XSS attack and the corresponding prevention strategy of Yii2 in more detail. Friends in need can refer to it.

This article describes the example of Yii2 XSS attack prevention strategies. Share it with everyone for your reference, the details are as follows:

XSS vulnerability repair

Principle: Do not believe the data entered by the customer
Note: The attack code is not necessarily in < ;script>

① Mark important cookies as http only, so that the document.cookie statement in Javascript cannot obtain the cookie.
② Only allow users to enter us expected data. For example: In the age textbox, users are only allowed to enter numbers. Characters other than numbers are filtered out.
③ Html Encode processing of data
④ Filter or remove special Html tags, such as: script, iframe, < for <, > for >, " for
⑤ Filter JavaScript events Tag of. For example "onclick=", "onfocus" etc.

XSS prevention in Yii

<?php echo CHtml::encode($user->name) ?>

Source code of this method:

/**
* Encodes special characters into HTML entities.
* The [[\yii\base\Application::charset|application charset]] will be used for encoding.
* @param string $content the content to be encoded
* @param boolean $doubleEncode whether to encode HTML entities in `$content`. If false,
* HTML entities in `$content` will not be further encoded.
* @return string the encoded content
* @see decode()
* @see http://www.php.net/manual/en/function.htmlspecialchars.php
*/
public static function encode($content, $doubleEncode = true)
{
  return htmlspecialchars($content, ENT_QUOTES | ENT_SUBSTITUTE, Yii::$app->charset, $doubleEncode);
}

htmlspecialchars & htmlentities & urlencode The difference between the three:

http://php.net/manual/zh/function.htmlspecialchars.php
http:// php.net/manual/zh/function.htmlentities.php
http://cn2.php.net/manual/zh/function.urlencode.php

Available flags constants
Constant Name Description
ENT_COMPAT Will convert double-quotes and leave single-quotes alone.
ENT_QUOTES Will convert both double and single quotes.
ENT_NOQUOTES Will leave both double and single quotes unconverted.
ENT_IGNORE Silently discard invalid code unit sequences instead of returning an empty string. Using this flag is discouraged as it » may have security implications.
ENT_SUBSTITUTE Replace invalid code unit sequences with a Unicode Replacement Character U FFFD (UTF-8) or FFFD; (otherwise) instead of returning an empty string.
ENT_DISALLOWED Replace invalid code points for the given document type with a Unicode Replacement Character U FFFD (UTF-8) or FFFD; (otherwise) instead of leaving them as is. This may be useful, for instance , to ensure the well-formedness of XML documents with embedded external content.
ENT_HTML401 Handle code as HTML 4.01.
ENT_XML1 Handle code as XML 1.
ENT_XHTML Handle code as XHTML.
ENT_HTML5 Handle code as HTML 5.

htmlspecialchars

Convert special characters to HTML entities

string htmlspecialchars ( 
      string $string 
      [, int $flags = ENT_COMPAT | ENT_HTML401 
      [, string $encoding = ini_get("default_charset") 
      [, bool $double_encode = true ]
    ]
  ] 
)

The translations performed are:

& (ampersand) becomes &
" (double quote) becomes " when ENT_NOQUOTES is not set.
' (single quote) becomes ' (or ') only when ENT_QUOTES is set .
< (less than) becomes <
> (greater than) becomes >

<?php
$new = htmlspecialchars("<a href=&#39;test&#39;>Test</a>", ENT_QUOTES);
echo $new; // <a href=&#39;test&#39;>Test</a>
?>

htmlentities

Convert all applicable characters to HTML entities

string htmlentities ( 
      string $string 
      [, int $flags = ENT_COMPAT | ENT_HTML401 
      [, string $encoding = ini_get("default_charset") 
      [, bool $double_encode = true ]
    ]
  ] 
)

##

<?php
$str = "A &#39;quote&#39; is <b>bold</b>";
// Outputs: A &#39;quote&#39; is <b>bold</b>
echo htmlentities($str);
// Outputs: A &#39;quote&#39; is <b>bold</b>
echo htmlentities($str, ENT_QUOTES);
?>

urlencode

URL encoding is to comply with the URL specification. Because in the standard URL specification, Chinese and many characters are not allowed to appear in the URL.

For example, search for "test Chinese characters" in Baidu. The URL will become

http://www.baidu.com/s?wd=���պ���&rsv_bp=0&rsv_spt=3&inputT=7477

The so-called URL encoding is: put all non-letters Numeric characters will be replaced with a percent sign (%) followed by two hexadecimal digits, and spaces will be encoded as plus signs ( )

All non-alphanumeric characters in this string except -_. Will be replaced with a percent sign (%) followed by two hexadecimal digits, and spaces are encoded as plus signs ( ). This encoding is the same as the encoding of WWW form POST data, and the same encoding as the application/x-www-form-urlencoded media type. For historical reasons, this encoding differs from the RFC1738 encoding (see rawurlencode()) in encoding spaces as plus signs ( ).

<?php
echo &#39;<a href="mycgi?foo=&#39;, urlencode($userinput), &#39;">&#39;;
?>

<?php
$query_string = &#39;foo=&#39; . urlencode($foo) . &#39;&bar=&#39; . urlencode($bar);
echo &#39;<a href="mycgi?&#39; . htmlentities($query_string) . &#39;">&#39;;
?>

The above is the entire content of this article, I hope it will help everyone learn Helpful, please pay attention to the PHP Chinese website for more related content!

Related recommendations:

How to implement Yii cache cleanup

How to deal with routing links being forwarded in Yii2.0 Basic code righteous

The above is the detailed content of Method analysis of Yii2's XSS attack prevention strategy. For more information, please follow other related articles on the PHP Chinese website!