This article describes, with examples, how to prevent XSS attacks in Yii2. It is shared for your reference; the details are as follows:
Fixing XSS vulnerabilities
Principle: never trust data entered by the user.
Note: the attack code is not necessarily inside <script></script>; it can just as well sit in an attribute.
① Mark important cookies as HttpOnly. A cookie with this flag cannot be read by document.cookie in JavaScript, so even a successful injection cannot steal the session.
② Accept only the data we expect. For example, in an age text box only digits are allowed; anything that is not a digit is rejected or filtered out.
③ HTML-encode data before writing it into a page.
④ Filter out or remove dangerous HTML tags such as script and iframe, and replace < with &lt;, > with &gt; and " with &quot;.
⑤ Filter JavaScript event attributes such as onclick, onfocus and so on.
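The five measures above, written out as Yii 2 code. This is an added example and not code from the original article: it assumes a standard Yii 2 installation (yii\base\Model, yii\helpers\Html and yii\helpers\HtmlPurifier); the Comment model, its fields, cookieComponents() and renderComment() are hypothetical names for the demo.

```php
<?php
// Added example, not from the original article. Assumes a standard Yii 2
// install; the Comment model, its fields and the helper functions are
// hypothetical. The attacker input at the bottom is constructed for the demo.

use yii\base\Model;
use yii\helpers\Html;
use yii\helpers\HtmlPurifier;

// ① Fragment for the 'components' key of config/web.php. Yii 2 already sets
//    HttpOnly on both cookies by default; this makes it explicit and adds
//    Secure. Note the key spelling: yii\web\Cookie uses httpOnly, while the
//    session cookie params follow PHP's lowercase names.
function cookieComponents(): array
{
    return [
        'request' => [
            'csrfCookie' => ['httpOnly' => true, 'secure' => true],
        ],
        'session' => [
            'cookieParams' => ['httponly' => true, 'secure' => true],
        ],
    ];
}

// ② Accept only what is expected: the rules reject a non-integer age or an
//    over-long name before the value is stored.
class Comment extends Model
{
    public $name;
    public $age;
    public $body;   // rich text the user may format

    public function rules(): array
    {
        return [
            [['name', 'age', 'body'], 'required'],
            ['name', 'string', 'max' => 64],
            ['age', 'integer', 'min' => 0, 'max' => 150],
            // ④⑤ Rich text cannot simply be encoded, so it is filtered:
            //    HtmlPurifier keeps an allow-list of tags and attributes and
            //    drops script, iframe and every on* handler.
            ['body', 'filter', 'filter' => [HtmlPurifier::class, 'process']],
        ];
    }
}

// ③ Output encoding at render time. Html::encode() is htmlspecialchars()
//    with ENT_QUOTES | ENT_SUBSTITUTE. Html::tag() does not encode its
//    content argument, so plain-text values are encoded here; attribute
//    values passed in the options array are encoded by the helper itself.
function renderComment(Comment $c): string
{
    return Html::tag('div',
        Html::tag('h3', Html::encode($c->name), ['title' => $c->name])
        . Html::tag('p', 'Age: ' . (int) $c->age)
        . Html::tag('div', $c->body, ['class' => 'body']),   // purified in ②
        ['class' => 'comment']
    );
}

// Constructed input: both free-text fields carry payloads.
$c = new Comment();
$c->attributes = [
    'name' => '<script>alert(1)</script>',
    'age'  => '42',
    'body' => '<b>hi</b><img src=x onerror=alert(1)><script>alert(2)</script>',
];
if ($c->validate()) {
    echo renderComment($c), "\n";
    // name renders as &lt;script&gt;alert(1)&lt;/script&gt; in both the h3 text
    // and the title attribute; body keeps <b>hi</b> and a sanitized <img> but
    // loses the onerror handler and the script element.
}
```

The body field is cleaned during validation, so it is stored clean and can be printed without Html::encode(); every other value is encoded at output time, which is the only point where the context (HTML body versus attribute) is known. Encoding on input instead would break the value the moment it is reused in a non-HTML context such as JSON or an e-mail.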
XSS prevention
In a Yii 2 view, every untrusted value is passed through yii\helpers\Html::encode() (CHtml::encode() is the Yii 1.x equivalent):

<?php use yii\helpers\Html; ?>
<?= Html::encode($user->name) ?>

The source code of this method (yii\helpers\BaseHtml::encode()):

/**
 * Encodes special characters into HTML entities.
 * The [[\yii\base\Application::charset|application charset]] will be used for encoding.
 * @param string $content the content to be encoded
 * @param boolean $doubleEncode whether to encode HTML entities in `$content`. If false,
 * HTML entities in `$content` will not be further encoded.
 * @return string the encoded content
 * @see decode()
 * @see http://www.php.net/manual/en/function.htmlspecialchars.php
 */
public static function encode($content, $doubleEncode = true)
{
    return htmlspecialchars($content, ENT_QUOTES | ENT_SUBSTITUTE, Yii::$app->charset, $doubleEncode);
}

So the helper is htmlspecialchars() with ENT_QUOTES | ENT_SUBSTITUTE and the application charset. The three PHP functions involved, htmlspecialchars, htmlentities and urlencode, are described below.
http://php.net/manual/zh/function.htmlspecialchars.php
http://php.net/manual/zh/function.htmlentities.php
Available flag constants (the $flags argument)
ENT_COMPAT: converts double quotes and leaves single quotes alone.
ENT_QUOTES: converts both double and single quotes.
ENT_NOQUOTES: leaves both double and single quotes unconverted.
ENT_IGNORE: silently discards invalid code unit sequences instead of returning an empty string. Using this flag is discouraged, as it may have security implications.
ENT_SUBSTITUTE: replaces invalid code unit sequences with the Unicode replacement character U+FFFD (UTF-8) or &#xFFFD; (otherwise) instead of returning an empty string.
ENT_DISALLOWED: replaces invalid code points for the given document type with the Unicode replacement character U+FFFD (UTF-8) or &#xFFFD; (otherwise) instead of leaving them as is. This may be useful, for instance, to ensure the well-formedness of XML documents with embedded external content.
ENT_HTML401: handles code as HTML 4.01.
ENT_XML1: handles code as XML 1.
ENT_XHTML: handles code as XHTML.
ENT_HTML5: handles code as HTML 5.
Note that the default value of $flags changed in PHP 8.1 from ENT_COMPAT | ENT_HTML401 to ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401. Code that relies on the default therefore behaves differently across PHP versions; pass the flags explicitly, as Yii's Html::encode() does.
string htmlspecialchars ( string $string [, int $flags = ENT_COMPAT | ENT_HTML401 [, string $encoding = ini_get("default_charset") [, bool $double_encode = true ] ] ] )
The translations performed are:
& (ampersand) becomes &amp;
" (double quote) becomes &quot; unless ENT_NOQUOTES is set
' (single quote) becomes &#039; (or &apos; with ENT_XML1, ENT_XHTML or ENT_HTML5) only when ENT_QUOTES is set
< (less than) becomes &lt;
> (greater than) becomes &gt;
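What the flags above change in practice, shown as an added example that is not part of the original article. It runs on the PHP command line; every flag is passed explicitly because the default changed in PHP 8.1, and the payloads and the invalid UTF-8 string are constructed for the demo.

```php
<?php
// Added example, not from the original article: the effect of the
// htmlspecialchars() flags. Flags are explicit so the output is the same on
// every PHP version. Payloads are constructed for the demo.

declare(strict_types=1);

function show(string $label, string $value): void
{
    printf("%-22s %s\n", $label . ':', $value);
}

// 1. Quote handling. A value aimed at a single-quoted attribute:
$payload = "x' onmouseover='alert(1)";

// ENT_COMPAT (the default before PHP 8.1) leaves ' alone, so the attribute
// is closed and an event handler (point ⑤ of the list) is injected.
$compat = htmlspecialchars($payload, ENT_COMPAT | ENT_HTML401, 'UTF-8');
show('ENT_COMPAT', "<input value='{$compat}'>");
// <input value='x' onmouseover='alert(1)'>   <- live handler

// ENT_QUOTES encodes both quote styles; the attribute cannot be closed.
$quotes = htmlspecialchars($payload, ENT_QUOTES | ENT_HTML401, 'UTF-8');
show('ENT_QUOTES', "<input value='{$quotes}'>");
// <input value='x&#039; onmouseover=&#039;alert(1)'>

// 2. Invalid byte sequences. "\xE9" on its own is not valid UTF-8.
$bad = "caf\xE9 <b>";
show('no substitute flag', htmlspecialchars($bad, ENT_QUOTES, 'UTF-8'));
// prints nothing: the whole string is replaced by "" and the content is lost
show('ENT_SUBSTITUTE', htmlspecialchars($bad, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
// caf\u{FFFD} &lt;b&gt;   (bad byte -> U+FFFD, markup still encoded)
// ENT_IGNORE would drop the byte instead; the manual discourages it because
// PHP and the browser may then disagree about where characters begin.

// 3. $double_encode. With true (the default) an existing entity is encoded
// again; with false it is left as is. Neither result can introduce markup,
// but false matters when stored data was already encoded once.
show('double_encode=true', htmlspecialchars('&lt;b&gt; &amp;', ENT_QUOTES, 'UTF-8', true));
// &amp;lt;b&amp;gt; &amp;amp;
show('double_encode=false', htmlspecialchars('&lt;b&gt; &amp;', ENT_QUOTES, 'UTF-8', false));
// &lt;b&gt; &amp;

// 4. Context. htmlspecialchars() is correct for the HTML body and for quoted
// attribute values only. In an unquoted attribute nothing it encodes acts as
// a delimiter, so a payload without <>"'& still injects an attribute:
$unquoted = htmlspecialchars('x onmouseover=alert(1)', ENT_QUOTES, 'UTF-8');
show('unquoted attribute', "<input value={$unquoted}>");
// <input value=x onmouseover=alert(1)>   <- always quote attribute values
// Inside <script> use json_encode($v, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT)
// (in Yii 2, yii\helpers\Json::htmlEncode()) rather than htmlspecialchars().
```

The first two cases are the reason Yii's Html::encode() hard-codes ENT_QUOTES | ENT_SUBSTITUTE: without ENT_QUOTES a single-quoted attribute is exploitable, and without ENT_SUBSTITUTE one malformed byte blanks the whole field.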
<?php
$new = htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES);
echo $new; // &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;
?>

htmlentities: convert all applicable characters to HTML entities
string htmlentities ( string $string [, int $flags = ENT_COMPAT | ENT_HTML401 [, string $encoding = ini_get("default_charset") [, bool $double_encode = true ] ] ] )
<?php
$str = "A 'quote' is <b>bold</b>";
// Outputs: A 'quote' is &lt;b&gt;bold&lt;/b&gt; (before PHP 8.1; from 8.1 the default flags include ENT_QUOTES, so the quote is encoded as well)
echo htmlentities($str);
// Outputs: A &#039;quote&#039; is &lt;b&gt;bold&lt;/b&gt;
echo htmlentities($str, ENT_QUOTES);
?>

htmlentities differs from htmlspecialchars only in scope: it additionally converts every character that has a named entity (for example é becomes &eacute;). For the five characters that matter for XSS the two functions behave the same, so either is adequate for output encoding as long as ENT_QUOTES is set.

urlencode
URL encoding exists to comply with the URL specification: the standard URL syntax does not allow Chinese characters and many other characters to appear in a URL.
For example, when you search Baidu for "test Chinese characters", the URL becomes
URL encoding replaces every non-alphanumeric character except -_. with a percent sign (%) followed by two hexadecimal digits, and encodes spaces as plus signs (+).
<?php
// Query-string context: the user value is URL-encoded before being placed in the parameter.
echo '<a href="mycgi?foo=', urlencode($userinput), '">';
?>
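The same idea carried through end to end, as an added example that is not part of the original article: the query-string value is URL-encoded, the resulting href is HTML-encoded because it sits in an attribute, and a second function shows the case urlencode() cannot handle, a user-supplied whole URL. It runs on the PHP command line; searchLink(), safeHref() and the inputs are constructed for the demo.

```php
<?php
// Added example, not from the original article: building a link from user
// input with urlencode() plus HTML encoding, and the case urlencode() does
// not cover. Inputs are constructed for the demo.

declare(strict_types=1);

const HTML_FLAGS = ENT_QUOTES | ENT_SUBSTITUTE;

// Two encodings, two contexts: urlencode() for each query-string value,
// htmlspecialchars() for the href attribute the URL is placed in.
function searchLink(string $userinput): string
{
    $query = 'foo=' . urlencode($userinput) . '&bar=' . urlencode('x y');
    return '<a href="mycgi?' . htmlspecialchars($query, HTML_FLAGS, 'UTF-8') . '">search</a>';
}

// A value aimed at closing the href attribute.
echo searchLink('" onmouseover="alert(1)'), "\n";
// <a href="mycgi?foo=%22+onmouseover%3D%22alert%281%29&amp;bar=x+y">search</a>
// Every delimiter in the payload became %XX; the & we added ourselves became
// &amp;, which the browser turns back into & before sending the request.

// urlencode() vs rawurlencode(): they differ only for the space. "+" is the
// form-encoding convention for query strings; in a path segment use %20.
echo urlencode('a b/c?d=e'), "\n";     // a+b%2Fc%3Fd%3De
echo rawurlencode('a b/c?d=e'), "\n";  // a%20b%2Fc%3Fd%3De

// What urlencode() does NOT solve: a user-supplied whole URL. Encoding it
// would break the link, and passing it through hands the scheme to the
// attacker (javascript:, data:). Allow-list the shape of the URL instead.
function safeHref(string $url): ?string
{
    // Accept absolute http(s) URLs or site-relative paths (but not //host),
    // and refuse control characters, which browsers strip from a scheme
    // ("java\tscript:" would otherwise slip past a plain prefix check).
    $ok = preg_match('~^(?:https?://[^\s/?#]+|/(?!/))~i', $url) === 1
        && preg_match('/[\x00-\x1F\x7F]/', $url) === 0;
    return $ok ? htmlspecialchars($url, HTML_FLAGS, 'UTF-8') : null;
}

var_dump(safeHref('https://example.com/?q=1&r=2'));  // "https://example.com/?q=1&amp;r=2"
var_dump(safeHref('/search?q=1'));                   // "/search?q=1"
var_dump(safeHref('javascript:alert(1)'));           // NULL
var_dump(safeHref("java\tscript:alert(1)"));         // NULL
var_dump(safeHref('//evil.example/'));               // NULL
```

The rule of thumb the two functions illustrate: encode for the innermost context first (URL), then for the context that wraps it (HTML attribute), and when the user controls a whole URL, validate its shape instead of trying to encode it.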
<?php
// Each value is URL-encoded separately; the & that joins them is ours, so it is
// left as a separator and is then HTML-encoded (&amp;) for the attribute context.
$query_string = 'foo=' . urlencode($foo) . '&bar=' . urlencode($bar);
echo '<a href="mycgi?' . htmlentities($query_string) . '">';
?>

I hope this article helps with PHP development on the Yii framework. For more on Yii2 XSS prevention, see the PHP Chinese website.