Cross-site scripting (also known as XSS) occurs when a web application gathers malicious data from a user. Often attackers will inject JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable application to fool other application users and gather data from them. For example, a poorly designed forum system may display user input in forum posts without any checking. An attacker can then inject a piece of malicious JavaScript code into a post so that when other users read this post, the JavaScript runs unexpectedly on their computers.
One of the most important measures to prevent XSS attacks is to check user input before displaying them. One can do HTML-encoding with the user input to achieve this goal. However, in some situations, HTML-encoding may not be preferable because it disables all HTML tags.
Yii incorporates the work of HTMLPurifier and provides developers with a useful component called CHtmlPurifier that encapsulates HTMLPurifier. This component is capable of removing all malicious code with a thoroughly audited, secure yet permissive whitelist and making sure the filtered content is standard-compliant.
The CHtmlPurifier component can be used as either a widget or a filter. When used as a widget, CHtmlPurifier will purify contents displayed in its body in a view. For example,
$this->beginWidget('CHtmlPurifier'); ...display user-entered content here... $this->endWidget();
Cross-Site Request Forgery (CSRF) attacks occur when a
malicious web site causes a user's web browser to perform
an unwanted action on a trusted site. For example, a malicious
web site has a page that contains an image tag whose src
points
to a banking site: http://bank.example/withdraw?transfer=10000&to=someone
.
If a user who has a login cookie for the banking site happens to
visit this malicous page, the action of transferring 10000 dollars
to someone will be executed. Contrary to cross-site,
which exploits the trust a user has for a particular site,
CSRF exploits the trust that a site has for a particular user.
To prevent CSRF attacks, it is important to abide to the rule
that GET
requests should only be allowed to retrieve data rather
than modify any data on the server. And for POST
requests, they
should include some random value which can be recognized by the server
to ensure the form is submitted from and the result is sent back to
the same origin.
Yii implements a CSRF prevention scheme to help defeat POST
-based attacks.
It is based on storing a random value in a cookie and comparing this value
with the value submitted via the POST
request.
By default, the CSRF prevention is disabled. To enable it, configure the CHttpRequest application component in the application configuration as follows,
return array(
'components'=>array(
'request'=>array(
'enableCsrfValidation'=>true,
),
),
);
And to display a form, call CHtml::form instead of writing the HTML form tag directly. The CHtml::form method will embed the necessary random value in a hidden field so that it can be submitted for CSRF validation.
Protecting cookies from being attacked is of extreme importance, as session IDs are commonly stored in cookies. If one gets hold of a session ID, he essentially owns all relevant session information.
There are several countermeasures to prevent cookies from being attacked.
Yii implements a cookie validation scheme that prevents cookies from being modified. In particular, it does HMAC check for the cookie values if cookie validation is enabled.
Cookie validation is disabled by default. To enable it, configure the CHttpRequest application component in the application configuration as follows,
return array(
'components'=>array(
'request'=>array(
'enableCookieValidation'=>true,
),
),
);
To make use of the cookie validation scheme provided by Yii, we also need to
access cookies through the cookies collection, instead
of directly through $_COOKIES
:
// retrieve the cookie with the specified name
$cookie=Yii::app()->request->cookies[$name];
$value=$cookie->value;
......
// send a cookie
$cookie=new CHttpCookie($name,$value);
Yii::app()->request->cookies[$name]=$cookie;
Found a typo or you think this page needs improvement?
Edit it on github !
Signup or Login in order to comment.