Defense against XSS in Zend Framework

13-02-2012 00:00 - Source:
Zend Framework doesn't have its own templating system, so if you want to print some data you need to escape it manually: echo $this->escape($this->userInput). Manual escaping is risky because it is very easy to forget, for example in this code: echo "Page #$this->num". If you don't know for sure that $this->num will be a number, then this code is vulnerable to XSS.

Another problem is that the default escaping function escapes only some of the characters with special meaning in HTML. So this code is vulnerable to XSS even though it manually escapes user data: <span title='<?php echo $this->escape($this->userInput); ?>'>Test</span>. The problematic character is ', which is valid for delimiting HTML attribute values but is not escaped by the default implementation of $this->escape(). So if a malicious user passes ' onmouseover='alert(/XSS/) then he has just attacked our page.

Zend Framework 2

The authors of Zend Framework were aware of this deficiency, so they've provided semi-automatic escaping in Zend Framework 2 (currently in beta). The biggest problem of their implementation is that they escape only some data. To quote the roadmap: "Have all variables retrieved via __get() be escaped by default, and instead require developers to call a special method when they want the raw value. This will not help in all situations – return values from view variable method calls or properties, or values from arrays would not be escaped in this fashion." So some data will be automatically escaped by default but some data won't. This will cause even more confusion for template authors, resulting in more forgotten escaping. Not to mention the incompatibility with templates from Zend Framework 1, which causes double-escaping if they are used with Zend Framework 2.

Another problem is that the current implementation is a perfect example of premature escaping. What do you think that the following code will ...
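The single-quote problem described above, as an added example that is not part of the original post or of Zend Framework itself: a PHP comparison of an escaper that leaves ' alone against one that uses ENT_QUOTES, rendered into the post's single-quoted title attribute. The helper names (escapeCompat, escapeQuotes, renderTitle, attributeIntact) and the sample input are assumptions made here.

```php
<?php
// Added example, not code from the original post or from Zend Framework:
// it contrasts escaping that leaves ' alone (the behaviour the post describes
// for $this->escape()) with ENT_QUOTES escaping, on the post's single-quoted
// title attribute. The function names below are made up for this example.

// Constructed sample input of the shape described in the post: it closes the
// single-quoted attribute value and appends an event-handler attribute.
$userInput = "' onmouseover='alert(/XSS/)";

// Escapes & < > " but leaves ' untouched, so a single-quoted attribute can be closed.
function escapeCompat(string $s): string
{
    return htmlspecialchars($s, ENT_COMPAT, 'UTF-8');
}

// Hardened variant: ENT_QUOTES also converts ' into a character reference, so the
// value stays inside the attribute whichever quote character delimits it.
function escapeQuotes(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Renders the post's <span title='...'>Test</span> with the given escaper.
function renderTitle(string $value, callable $escape): string
{
    return "<span title='" . $escape($value) . "'>Test</span>";
}

// The attribute is intact only if the sole single quotes in the output are
// the two delimiters around the title value.
function attributeIntact(string $html): bool
{
    return substr_count($html, "'") === 2;
}

$weak = renderTitle($userInput, 'escapeCompat');
$safe = renderTitle($userInput, 'escapeQuotes');

echo $weak, "\n";
echo $safe, "\n";

// Fail loudly if the hardened path did not contain the input, or if the weak path
// unexpectedly did (which would mean this PHP build already escapes ' by default).
if (!attributeIntact($safe) || attributeIntact($weak)) {
    fwrite(STDERR, "escaping check failed\n");
    exit(1);
}
```

The same attributeIntact() style of check can be dropped into a view test to catch templates that still rely on an escaper that skips the single quote.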
