Yii2 XSS attack prevention strategy analysis_php example

This article describes the XSS attack prevention strategy of Yii2 with examples. Share it with everyone for your reference, the details are as follows:

XSS vulnerability fix

Principle: Do not trust the data entered by the customer
Note: The attack code is not necessarily in 3f1c4e4b6b16bbbd69b2ee476dc4f83a2cacc6d41bbb37262a98f745aa00fbf0

① Mark important cookies as http only, so that the document.cookie statement in Javascript cannot obtain the cookie.
② Only allow users to enter the data we expect. For example: In the age textbox, users are only allowed to enter numbers. Characters other than numbers are filtered out.
③ Perform Html Encode processing on data
④ Filter or remove special Html tags, such as: script, iframe, f7142607ca3bcca4ac1473eda942a5a5 for >, " for
⑤ Filter JavaScript event tags. For example "onclick=", "onfocus" etc.

XSS prevention in Yii

<&#63;php echo CHtml::encode($user->name) &#63;>

Source code of this method:

/**
* Encodes special characters into HTML entities.
* The [[\yii\base\Application::charset|application charset]] will be used for encoding.
* @param string $content the content to be encoded
* @param boolean $doubleEncode whether to encode HTML entities in `$content`. If false,
* HTML entities in `$content` will not be further encoded.
* @return string the encoded content
* @see decode()
* @see http://www.php.net/manual/en/function.htmlspecialchars.php
*/
public static function encode($content, $doubleEncode = true)
{
  return htmlspecialchars($content, ENT_QUOTES | ENT_SUBSTITUTE, Yii::$app->charset, $doubleEncode);
}

The difference between htmlspecialchars & htmlentities & urlencode:

http://php.net/manual/zh/function.htmlspecialchars.php
http://php.net/manual/zh/function.htmlentities.php
http://cn2.php.net/manual/zh/function.urlencode.php

Available flags constants
Constant Name Description
ENT_COMPAT Will convert double-quotes and leave single-quotes alone.
ENT_QUOTES Will convert both double and single quotes.
ENT_NOQUOTES Will leave both double and single quotes unconverted.
ENT_IGNORE Silently discard invalid code unit sequences instead of returning an empty string. Using this flag is discouraged as it » may have security implications.
ENT_SUBSTITUTE Replace invalid code unit sequences with a Unicode Replacement Character U+FFFD (UTF-8) or FFFD; (otherwise) instead of returning an empty string.
ENT_DISALLOWED Replace invalid code points for the given document type with a Unicode Replacement Character U+FFFD (UTF-8) or FFFD; (otherwise) instead of leaving them as is. This may be useful, for instance, to ensure the well -formedness of XML documents with embedded external content.
ENT_HTML401 Handle code as HTML 4.01.
ENT_XML1 Handle code as XML 1.
ENT_XHTML Handle code as XHTML.
ENT_HTML5 Handle code as HTML 5.

htmlspecialchars

Convert special characters to HTML entities

string htmlspecialchars ( 
      string $string 
      [, int $flags = ENT_COMPAT | ENT_HTML401 
      [, string $encoding = ini_get("default_charset") 
      [, bool $double_encode = true ]
    ]
  ] 
)

The translations performed are:

& (ampersand) becomes &
" (double quote) becomes " when ENT_NOQUOTES is not set.
' (single quote) becomes ' (or ') only when ENT_QUOTES is set.
fa866c30ec3d03426d526c30108046a4 (greater than) becomes >

<&#63;php
$new = htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES);
echo $new; // <a href=&#039;test&#039;>Test</a>
&#63;>

htmlentities

Convert all applicable characters to HTML entities

string htmlentities ( 
      string $string 
      [, int $flags = ENT_COMPAT | ENT_HTML401 
      [, string $encoding = ini_get("default_charset") 
      [, bool $double_encode = true ]
    ]
  ] 
)

<&#63;php
$str = "A 'quote' is <b>bold</b>";
// Outputs: A 'quote' is <b>bold</b>
echo htmlentities($str);
// Outputs: A &#039;quote&#039; is <b>bold</b>
echo htmlentities($str, ENT_QUOTES);
&#63;>

urlencode

URL encoding is to comply with URL specifications. Because in the standard URL specification, Chinese and many characters are not allowed to appear in the URL.

For example, search for "test Chinese characters" in Baidu. The URL will become
http://www.baidu.com/s?wd=%B2%E2%CA%D4%BA%BA%D7%D6&rsv_bp=0&rsv_spt=3&inputT=7477

The so-called URL encoding is: All non-alphanumeric characters will be replaced with a percent sign (%) followed by two hexadecimal digits, and spaces will be encoded as plus signs (+)
All non-alphanumeric characters in this string except -_. are replaced with a percent sign (%) followed by two hexadecimal digits, and spaces are encoded as plus signs (+). This encoding is the same as the encoding of WWW form POST data, and the same encoding as the application/x-www-form-urlencoded media type. For historical reasons, this encoding differs from the RFC1738 encoding (see rawurlencode()) in encoding spaces as plus signs (+).

<&#63;php
echo '<a href="mycgi&#63;foo=', urlencode($userinput), '">';
&#63;>

<&#63;php
$query_string = 'foo=' . urlencode($foo) . '&bar=' . urlencode($bar);
echo '<a href="mycgi&#63;' . htmlentities($query_string) . '">';
&#63;>

Readers who are interested in more Yii-related content can check out the special topics of this site: "Introduction to Yii Framework and Summary of Common Techniques", "Summary of Excellent Development Framework of PHP", "Basic Tutorial for Getting Started with Smarty Templates", "Introduction to PHP Object-Oriented Programming" Tutorial", "php string (string) usage summary", "php+mysql database operation introductory tutorial" and "php common database operation skills summary"

I hope this article will help you design PHP programs based on the Yii framework.