This article describes the XSS attack prevention strategy of Yii2 with examples. Share it with everyone for your reference, the details are as follows:
XSS vulnerability repair
Principle: Do not trust the data entered by the customer
Note: The attack code is not necessarily in <script></script>
① Change important cookies Marked as http only, in this case, the document.cookie statement in Javascript cannot obtain the cookie.
② Only allow users to enter the data we expect. For example: In the age textbox, users are only allowed to enter numbers. Characters other than numbers are filtered out.
③ Html Encode processing of data
④ Filter or remove special Html tags, such as: script, iframe, < for <, > for >, " for
⑤ Filter JavaScript event tags. For example, "onclick = "," Onfocus "and so on .
XSS prevention
<?php echo CHtml::encode($user->name) ?>
The source code of this method:
/**
* Encodes special characters into HTML entities.
* The [[\yii\base\Application::charset|application charset]] will be used for encoding.
* @param string $content the content to be encoded
* @param boolean $doubleEncode whether to encode HTML entities in `$content`. If false,
* HTML entities in `$content` will not be further encoded.
* @return string the encoded content
* @see decode()
* @see http://www.php.net/manual/en/function.htmlspecialchars.php
*/
public static function encode($content, $doubleEncode = true)
{
return htmlspecialchars($content, ENT_QUOTES | ENT_SUBSTITUTE, Yii::$app->charset, $doubleEncode);
}
Http:// /php.net/manual/zh/function.htmlspecialchars.php
http://php.net/manual/zh/function.htmlentities.php
Available flags constants
Constant Name Description
ENT_COMPAT Will convert double-quotes and leave single-quotes alone.
ENT_QUOTES Will convert both double and single quotes.
ENT_NOQUOTES Will leave both double and single quotes unconverted.
ENT_IGNORE Silently discard invalid code unit sequences instead of returning an empty string. Using this flag is discouraged as it » may have security implications.
ENT_SUBSTITUTE Replace invalid code unit sequences with a Unicode Replacement Character U+FFFD (UTF-8) or &#FFFD; ( otherwise) instead of returning an empty string.
ENT_DISALLOWED Replace invalid code points for the given document type with a Unicode Replacement Character U+FFFD (UTF-8) or &#FFFD; (otherwise) instead of leaving them as is. This may be useful, for instance, to ensure the well-formedness of XML documents with embedded external content.
ENT_HTML401 Handle code as HTML 4.01.
ENT_XML1 Handle code as XML 1.
ENT_XHTML Handle code as XHTML.
string htmlspecialchars (
string $string
[, int $flags = ENT_COMPAT | ENT_HTML401
[, string $encoding = ini_get("default_charset")
[, bool $double_encode = true ]
]
]
)
& (ampersand) becomes &
" (double quote) becomes " when ENT_NOQUOTES is not set.
' (single quote) becomes ' (or ') only when ENT_QUOTES is set.
< (less than) becomes <
<?php
$new = htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES);
echo $new; // <a href='test'>Test</a>
?>string htmlentities (
string $string
[, int $flags = ENT_COMPAT | ENT_HTML401
[, string $encoding = ini_get("default_charset")
[, bool $double_encode = true ]
]
]
)<?php $str = "A 'quote' is <b>bold</b>"; // Outputs: A 'quote' is <b>bold</b> echo htmlentities($str); // Outputs: A 'quote' is <b>bold</b> echo htmlentities($str, ENT_QUOTES); ?>
For example, search for "test Chinese characters" in Baidu. The URL will become
The so-called URL encoding is: Non-alphanumeric characters will be replaced with a percent sign (%) followed by two hexadecimal digits, and spaces are encoded as plus signs (+)
<?php echo '<a href="mycgi?foo=', urlencode($userinput), '">'; ?>
<?php $query_string = 'foo=' . urlencode($foo) . '&bar=' . urlencode($bar); echo '<a href="mycgi?' . htmlentities($query_string) . '">'; ?>
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
