XSS protection and output escaping/filtering [message #102628] Fri, 16 July 2010 19:23
Centai
Messages: 1
Registered: July 2010
Junior Member
Hi, I'm new to symfony, having only just completed the 24 day tutorial.
I have subsequently started on a new project to learn more about symfony, and I have come across the problem of output escaping/filtering.

You will agree that escaping output is a must, which is why symfony has multiple escaping strategies and methods.
However, the basic methods (ESC_RAW, ESC_ENTITIES, ESC_JS, ESC_JS_NO_ENTITIES, and ESC_SPECIALCHARS) don't allow one to escape out bad things like <script> but leave safe HTML tags like <p> or <br /> alone.
Which made me go on a hunt for plugins.
I found two: sfContentFilterPlugin and sfXssSafePlugin.
sfXssSafePlugin seems to me to be the best, as according to the plugin readme it adds a new escaping_method, though I can't get it to work.
I followed the readme, but it gives this error:
401 | Unauthorized | InvalidArgumentException
The escaping method "ESC_XSSSAFE" is not available.

The plugin isn't listed as sf 1.4 compatible which is most likely why it isn't working.

The second plugin, sfContentFilterPlugin, can't, as far as I could read from the readmes, be implemented as a general escaping strategy, but it is easy to use:
echo filter_content($content, 'filter_type');

However this relies on me to remember to filter every output manually and knowing myself I am likely to forget it at some point.

tbh I haven't played around with sfContentFilterPlugin much, but my main concern is that I want to use it with the admin generator, because I don't want to spend too much time creating the backend, thus the need for it to be enabled everywhere.

The problem:
1: I wish to use rich text formatting with tinyMCE or BB style input/format
2: All output MUST automatically be escaped/filtered to protect against XSS
3: Output must retain the formatting of the input (TidyHTML doesn't really matter)

Basically the problem boils down to a new escaping method, as I'm likely to forget to filter every output myself.
I have searched the forum on this subject and found surprisingly little information on what I see as a core security concern. Which makes me think I've overlooked a (very) simple solution, or that there isn't one (scary thought) (hardly think so).
If any of you brilliant lads (or ladies) know of a solution or can give me hints, I'll very much appreciate your help.

- Pete
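Added example (not from Pete's post, from sfXssSafePlugin or from sfContentFilterPlugin): one way to build the "keep <p> and <br />, drop <script>" escaping function the post asks for is an allowlist sanitiser that parses the fragment with DOMDocument, keeps only known-harmless formatting elements and attributes, unwraps everything else and lets the serialiser entity-encode the text. The function name esc_safe_html, the constant ESC_SAFE_HTML and the allowlist contents are my own assumptions; registering it as a symfony 1.x escaping_method by defining a constant whose value is the function name (mirroring how ESC_ENTITIES maps to esc_entities) and loading the helper via standard_helpers is also an assumption, not something the post confirms.

```php
<?php
// Added example, not part of the forum post or of any symfony plugin.
// Assumed names: esc_safe_html / ESC_SAFE_HTML. The allowlist below is a choice,
// not a standard; extend it deliberately (every extra tag/attribute widens the surface).

// Elements that may survive, each with the attributes it may keep.
const SAFE_HTML_ALLOWED = [
    'p' => [], 'br' => [], 'b' => [], 'strong' => [], 'i' => [], 'em' => [],
    'u' => [], 'ul' => [], 'ol' => [], 'li' => [], 'blockquote' => [],
    'a' => ['href'],
];

// Elements whose whole content is discarded, not just the tag.
const SAFE_HTML_DROP = ['script', 'style', 'iframe', 'object', 'embed', 'noscript'];

function esc_safe_html($html)
{
    if (!is_string($html) || $html === '') {
        return '';
    }
    $doc  = new DOMDocument('1.0', 'UTF-8');
    $prev = libxml_use_internal_errors(true);   // tolerate the sloppy HTML editors produce
    // Wrapper <div> so the user's fragment has one known parent to walk and serialise.
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_use_internal_errors($prev);

    $root = $doc->getElementsByTagName('div')->item(0);  // outermost div = our wrapper
    sanitize_children($root);

    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);   // text nodes come back with & < > encoded
    }
    return $out;
}

function sanitize_children(DOMNode $node)
{
    // Copy the list first: we remove/move children while iterating.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child instanceof DOMText) {
            continue;                                   // plain text is safe once serialised
        }
        if (!($child instanceof DOMElement)) {
            $node->removeChild($child);                 // comments, PIs, CDATA
            continue;
        }
        $tag = strtolower($child->tagName);
        if (in_array($tag, SAFE_HTML_DROP, true)) {
            $node->removeChild($child);                 // <script>...</script> vanishes entirely
            continue;
        }
        sanitize_children($child);                      // clean descendants before deciding on this node
        if (!isset(SAFE_HTML_ALLOWED[$tag])) {
            // Unknown element (div, span, font, ...): keep its already-cleaned content, lose the tag.
            while ($child->firstChild) {
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }
        // Allowed element: strip every attribute not on its allowlist (onclick, style, id, ...).
        foreach (iterator_to_array($child->attributes, false) as $attr) {
            $name = strtolower($attr->name);
            if (!in_array($name, SAFE_HTML_ALLOWED[$tag], true)) {
                $child->removeAttribute($attr->name);
            } elseif ($name === 'href' && !preg_match('#^https?://#i', trim($attr->value))) {
                $child->removeAttribute($attr->name);   // rejects javascript:, data:, vbscript: links
            }
        }
    }
}

// Assumption: symfony 1.x resolves an escaping_method constant to a callable by name,
// so this would let settings.yml say escaping_method: ESC_SAFE_HTML.
if (!defined('ESC_SAFE_HTML')) {
    define('ESC_SAFE_HTML', 'esc_safe_html');
}

// Constructed sample input: formatting to keep, a handler attribute, a script block
// and a javascript: link to strip, plus one legitimate link.
$sample = '<p onclick="alert(1)">Hello <b>world</b><br /></p>'
        . '<script>alert(document.cookie)</script>'
        . '<a href="javascript:alert(1)">bad</a> '
        . '<a href="https://example.com">ok</a> 1 < 2 &amp; done';
echo esc_safe_html($sample), PHP_EOL;
```

A few design points worth noting for anyone adapting this: the sanitiser works on the parsed tree rather than on the raw string with regexes, so malformed or nested markup cannot smuggle a tag past it; unknown elements are unwrapped rather than deleted so the user's text survives, while the SAFE_HTML_DROP set is deleted with its contents because script or style bodies are never wanted; and href is checked against a scheme allowlist rather than a blocklist. Because it runs at output time it belongs in an escaping method, as the post wants, but it is still worth storing only already-sanitised input as a second line of defence.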