
How Yii framework saves you from Cross Site Scripting (XSS) attack

by Arun Balakrishnan March 2, 2013

Yii (Yes It Is) is a high-performance PHP framework well suited to developing Web 2.0 applications. Cross-site scripting (XSS) is a class of vulnerability that allows an attacker to inject a client-side script (JavaScript, for example) into a web page viewed by other users or guests. Such attacks can have critical consequences: bypassing security checks, stealing another user's credentials, or leaking data. Yii prevents this kind of XSS by escaping output with CHtml and CHtmlPurifier.

Let me briefly introduce CHtml and CHtmlPurifier:

CHtml: CHtml is a static class that provides a collection of helper methods for creating HTML views.

CHtmlPurifier: CHtmlPurifier is a wrapper around HTML Purifier.

CHtmlPurifier removes all malicious code (better known as XSS) using a thoroughly audited, secure yet permissive whitelist. It also makes sure the resulting markup is standards-compliant.

What’s XSS

Let us look at how an XSS attack happens. I assume you have a new Yii web application ready. To start, go to protected/controllers/, create a controller file, say XssController.php, and put in the code below:

[image: XssController]

In the normal case, the URL will be /xss/test?username=testuser. However, a malicious user can call it like this:

/xss/test?username=<script>alert('XSS');</script>

The result on the web page in your browser will be "Hello," followed by a JavaScript alert window with the message "XSS".

Keep in mind that instead of just showing an alert, the injected script could steal page contents or perform website-specific actions such as deleting all users' data.

How to prevent XSS

Now let me explain how Yii prevents XSS. Taking the example above, we need to escape the data before sending it to the browser; this is how we write the code:

[image: prevent XSS]

The result will now be "Hello, <script>alert('XSS');</script>!" displayed as plain text instead of a JavaScript alert box.

So the important thing is to always escape all dynamic data. For example, we should do the same for a link label:

echo CHtml::link(CHtml::encode($_GET['username']), array());

Now your page is free from XSS. But what if we want to allow some HTML through? That is not possible with CHtml::encode, because it renders the HTML as literal text and we need the actual markup. This is where Yii's richness shows: it ships a built-in tool that filters out malicious HTML. That tool is HTML Purifier, and it can be used as follows:

[image: CHtml Purifier]

Or, in a different way:

[image: CHtml Purifier]

Now access the html action using the URL /xss/html?html=Hello, <strong>username</strong>!<script>alert('XSS')</script> and the output on the page will be:

Hello, username!
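The controller screenshots did not survive extraction, so the following is an added example, reconstructed from the post's description rather than copied from it: a Yii 1.1 controller with the unescaped action kept as the "before" case and the encoded and purified actions beside it. The action names actionSafe, actionLink and actionHtmlWidget, and the use of Yii::app()->request->getQuery() instead of raw $_GET, are my choices, not the post's.

```php
<?php
// protected/controllers/XssController.php
// Added example, not the post's own code: reconstruction of the controller the
// post walks through, with vulnerable and hardened actions side by side.
class XssController extends CController
{
    // BEFORE: reflects the query parameter straight into the page.
    // /xss/test?username=<script>alert('XSS');</script> executes the script.
    public function actionTest()
    {
        $username = Yii::app()->request->getQuery('username', '');
        echo 'Hello, ' . $username . '!';
    }

    // AFTER: CHtml::encode() converts < > & " ' into entities, so the same
    // payload is displayed as literal text and never runs.
    public function actionSafe()
    {
        $username = Yii::app()->request->getQuery('username', '');
        echo 'Hello, ' . CHtml::encode($username) . '!';
    }

    // Dynamic text placed inside a generated link must be escaped as well;
    // the route array is passed to CHtml::link() as the URL.
    public function actionLink()
    {
        $username = Yii::app()->request->getQuery('username', '');
        echo CHtml::link(CHtml::encode($username), array('xss/safe', 'username' => $username));
    }

    // Allow harmless HTML but strip everything dangerous.
    // /xss/html?html=Hello, <strong>username</strong>!<script>alert('XSS')</script>
    // renders the greeting with bold "username" and the script element removed.
    public function actionHtml()
    {
        $html = Yii::app()->request->getQuery('html', '');
        // Way 1: purify explicitly with the default (whitelist-based) configuration.
        $purifier = new CHtmlPurifier();
        echo $purifier->purify($html);
    }

    // Way 2: the same filtering as a widget. Everything echoed between
    // beginWidget() and endWidget() is purified when the widget closes.
    public function actionHtmlWidget()
    {
        $html = Yii::app()->request->getQuery('html', '');
        $this->beginWidget('CHtmlPurifier');
        echo $html;
        $this->endWidget();
    }
}
```

Note that escaping is context-specific: CHtml::encode() is the right tool for text between tags and inside quoted attributes, while HTML Purifier is for the case where you deliberately want to keep a subset of markup. Neither protects output placed inside a JavaScript block or a URL, which need their own encoders.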
How it works internally…

CHtml::encode is implemented as follows:

[image: encode]

Basically, it uses PHP's built-in htmlspecialchars function, which is quite secure as long as one does not forget to pass the correct charset as the third argument.

As discussed, CHtmlPurifier uses the HTML Purifier library, which is the most advanced solution available for preventing XSS inside HTML. We have used its default configuration, which is fine for most user-entered content.
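The encode screenshot is also missing, so here is an added plain-PHP example (not code from the post or from Yii itself) that re-creates what CHtml::encode() relies on, namely htmlspecialchars() called with ENT_QUOTES and the application charset, and shows why those two arguments matter. The helper names encodeAttr and encodeCompat and the sample input are mine.

```php
<?php
// Added example, not from the post or the Yii project: why the flags and the
// charset passed to htmlspecialchars() matter when escaping for HTML.

// Escape for element content AND attribute values. ENT_QUOTES also converts
// the single quote, so the result is safe inside '...' attributes too.
function encodeAttr(string $value, string $charset = 'UTF-8'): string
{
    return htmlspecialchars($value, ENT_QUOTES, $charset);
}

// ENT_COMPAT (the pre-PHP-8.1 default) leaves single quotes untouched. That is
// enough for element content and double-quoted attributes, but not for a
// single-quoted attribute.
function encodeCompat(string $value, string $charset = 'UTF-8'): string
{
    return htmlspecialchars($value, ENT_COMPAT, $charset);
}

// Constructed input: a value that tries to close a single-quoted attribute
// early and add an event handler.
$untrusted = "x' onmouseover='alert(1)";

// Safe: the single quote becomes &#039;, so the attribute boundary holds.
echo "<a title='" . encodeAttr($untrusted) . "'>safe</a>\n";

// Unsafe: the single quotes survive and the attribute boundary is broken.
echo "<a title='" . encodeCompat($untrusted) . "'>unsafe</a>\n";

// Charset: since PHP 5.4, htmlspecialchars() returns an empty string when the
// input is not valid in the declared charset (here \xE9 is Latin-1, not UTF-8),
// so a wrong charset silently drops output. Always pass the application's real
// charset, which is what Yii does with Yii::app()->charset.
var_dump(htmlspecialchars("caf\xE9", ENT_QUOTES, 'UTF-8'));
var_dump(htmlspecialchars("caf\xE9", ENT_QUOTES, 'ISO-8859-1'));
```

The practical rule the example illustrates: always escape with ENT_QUOTES and the real charset (which CHtml::encode() does for you), and never rely on a quoting style to keep attributes safe.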

More about XSS and HTML purifier

There are two main types of XSS injections:

Non-persistent: The non-persistent type is the one we used in our example and is the most common XSS type found in insecure web applications. Data passed by the user or through a URL is not stored anywhere, so the injected script is executed only once and only for the user who supplied it. Still, it is not as harmless as it looks.

Persistent: The persistent type is far more serious, as the data entered by a malicious user is stored in the database and shown to many, if not all, website users. Using this type of XSS, an attacker can literally wreck your website by "commanding" all users to delete all the data they have access to.

Configuring the HTML purifier

The HTML purifier can be configured as follows:

[image: new CHtml Purifier]

For a list of all possible keys you can use in the options array, refer to: http://htmlpurifier.org/live/configdoc/plain.html

HTML purifier performance

Its performance is not great, because HTML Purifier performs a lot of processing and analysis. Therefore, as a best practice, do not purify text every time you output it. Instead, purify it once and save the result in a separate database field, or cache it.
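Covering both the configuration and the performance sections above, here is an added example (not the post's code and not part of Yii or HTML Purifier) of a CHtmlPurifier configured with an explicit whitelist through its options array, applied once when a record is saved so that views never pay the purification cost per request, plus a cache-based alternative for when no extra column can be added. The Comment model, its body and body_html columns, the function names createCommentPurifier and purifiedCached, and the chosen option values are assumptions; the option keys themselves are real HTML Purifier directives.

```php
<?php
// Added example, not from the post or the Yii project: configure the purifier
// once and run it at write time rather than at render time.

// Build a purifier with an explicit, tighter-than-default configuration.
function createCommentPurifier()
{
    $purifier = new CHtmlPurifier();
    $purifier->options = array(
        // Only these elements and attributes survive; everything else is stripped.
        'HTML.Allowed'                 => 'p,br,b,strong,i,em,ul,ol,li,a[href],code,pre',
        // Links may only use http/https; javascript: and data: URIs are removed.
        'URI.AllowedSchemes'           => array('http' => true, 'https' => true),
        // Block references to external resources (images, embeds) even if a
        // later change to HTML.Allowed permits such elements.
        'URI.DisableExternalResources' => true,
        // Drop elements left empty after filtering, e.g. a <strong></strong>
        // whose content was removed.
        'AutoFormat.RemoveEmpty'       => true,
    );
    return $purifier;
}

// ActiveRecord model for an assumed table comment(id, body, body_html).
class Comment extends CActiveRecord
{
    public static function model($className = __CLASS__)
    {
        return parent::model($className);
    }

    public function tableName()
    {
        return 'comment';
    }

    public function rules()
    {
        return array(
            array('body', 'required'),
            array('body', 'length', 'max' => 10000),
        );
    }

    // Purify once, at write time, into a dedicated column. The raw body is kept
    // so the record can be re-purified if the whitelist changes later.
    protected function beforeSave()
    {
        if (parent::beforeSave()) {
            $this->body_html = createCommentPurifier()->purify($this->body);
            return true;
        }
        return false;
    }
}

// In a view, echo the stored, already-purified HTML; no purification runs here:
//   foreach (Comment::model()->findAll() as $comment) { echo $comment->body_html; }

// Alternative when you cannot add a column: cache purified output keyed by a
// hash of the raw input, so each distinct input is purified only once per hour.
function purifiedCached($rawHtml)
{
    $key  = 'purified:' . sha1($rawHtml);
    $html = Yii::app()->cache->get($key);
    if ($html === false) {
        $html = createCommentPurifier()->purify($rawHtml);
        Yii::app()->cache->set($key, $html, 3600);
    }
    return $html;
}
```

Storing the purified HTML next to the raw input is the safer of the two approaches: the cache variant still purifies on a cache miss in the request path, and a cache component must be configured in protected/config/main.php for Yii::app()->cache to be available.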

To learn more about XSS and how to deal with it, please go through the following resources:

http://htmlpurifier.org/docs

http://ha.ckers.org/xss.html
