Home > Article > Backend Development > Yii Framework Official Guide Series 51 - Special Topic: Security Measures (Security)
Cross-site scripting attacks (referred to as XSS), that is, web applications collect information from users User data. Attackers often inject JavaScript, VBScript, ActiveX, HTML or Flash into vulnerable web applications to confuse visitors and collect visitor information. For example, a poorly designed forum system may display user input without checking. An attacker can inject a piece of malicious JavaScript code into the post content. In this way, when other visitors read this post, these JavaScript codes can be run on the visitor's computer.
One of the most important measures to prevent XSS attacks is: Content inspection before displaying the content entered by the user. For example, you can escape HTML in content. But in some cases this method is not advisable, because this method disables all HTML tags.
Yii integrates HTMLPurifier and provides developers with a very useful component CHtmlPurifier, which encapsulates the HTMLPurifier class. It can remove all malicious code from the audited content through effective review, security and whitelisting functions, and ensure that the content filtered after filtering meets standards.
CHtmlPurifier component can be used as a widget or filter. When used as a widget, CHtmlPurifier can safely filter the content displayed in the view. The following is a code example:
##
3985325355f9adb62c26998b2d6e1066beginWidget('CHtmlPurifier'); ?> //...这里显示用户输入的内容... 3985325355f9adb62c26998b2d6e1066endWidget(); ?>
src address of this image points to a bank website:
//m.sbmmt.com/. If the user visits this malicious webpage after logging into the bank's website, the user's browser will send an instruction to the bank's website. The content of this instruction may be "transfer 10,000 yuan to the attacker's account." Cross-site attacks take advantage of a specific website that the user trusts, while CSRF attacks, on the contrary, take advantage of the user's specific user identity on a website.
GET The request only allows retrieval of data and cannot modify any data on the server. The
POST request should contain some random values that can be recognized by the server to ensure that the source of the form data and the destination of the running results are the same.
POST. The core of this mechanism is to set a random data in the cookie, and then compare it with the corresponding value in the
POST data submitted by the form.
return array( 'components'=>array( 'request'=>array( 'enableCsrfValidation'=>true, ), ), );
return array( 'components'=>array( 'request'=>array( 'enableCookieValidation'=>true, ), ), );
$_COOKIES.
// 检索一个名为$name的cookie值 $cookie=Yii::app()->request->cookies[$name]; $value=$cookie->value; ...... // 设置一个cookie $cookie=new CHttpCookie($name,$value); Yii::app()->request->cookies[$name]=$cookie;