
I've been playing with Craft for days now and love it. I'm new to Yii but I think I got the hang of everything and how you develop a Craft Plugin. My question is regarding security on input post/get vars.

Reading Yii's documentation, it seems the "HtmlPurifier" filter is suggested to protect against XSS - but everything seems to be applied on output?

My question is: Does Craft do anything to "clean" input data OR how do you protect your data against malicious input?

I want to clarify that the data submitted by the user has gone through the validation rules in the Record/Model. Is there anything else you need to keep in mind?

nicael
naboovalley

1 Answer


When dealing with XSS concerns, it's important to stay focused on the fact that this is a client-side issue... So in regards to Craft, Twig is the star of the show.

Fortunately, Twig takes measures by default to ensure that your output is safe. For example, any time you're outputting some HTML code via a Twig variable, you're required to add a raw filter to get the HTML to render properly. Otherwise, those special characters get encoded and simply rendered "as is" on the front-end. When you apply the raw filter to a Twig variable, you're essentially telling Twig that you trust whatever data may be coming out of that variable.

Here are a few other Twig filters which may help you out:


Your question puts an emphasis on data input, which isn't typically where XSS issues are addressed. However, there are some things (as you noted) which can help you sort out incoming data.

Validating your data using Yii validation rules is a good start. And I believe the CHtmlPurifier can be useful to you as well. Skimming through the Yii documentation, I believe this helper method can be applied to input data:

$purifier = new \CHtmlPurifier();
$clean = $purifier->purify($html); // returns the markup with disallowed tags/attributes stripped

http://www.yiiframework.com/doc/api/1.1/CHtmlPurifier

Simply apply that helper method to data as it's being stored in your Record, and that should make your data safe for future output.

Brad Bell
Lindsey D