8

I noticed class vendor/magento/framework/Escaper.php which contains a few useful security methods used inside (mainly) templates. Some of them are quite common (escapeHtml()), but some of them are hard to encounter.

  1. What method and escapeXssInUrl() really does?
  2. In case of method escapeJsQuote() - what is the place where these quotes can be found? Only inline js in templates?
  3. Does anyone has some clear explanation when all methods should be used (practical examples)?
  4. What is a difference between escapeUrl() and escapeXssInUrl() and if second one grants us better security, why not always use second one instead escaping only html chars?
  5. escapeQuote() should be used for example for echoing some variable in situation like this <div value="<?php echo[here?]$value?>"></div>?
Khoa TruongDinh
  • 32,054
  • 11
  • 88
  • 155
Bartosz Kubicki
  • 2,943
  • 3
  • 29
  • 50

2 Answers2

3

Most of the functions for Security measures against XSS attacks.

escapeXssInUrl() Method Remove javascript:, vbscript:, data: words from url and used like

echo $block->escapeXssInUrl($block->getUrl()) ?>"><?php echo $block->getAnchorTextHtml()

Magento 1 You can escape the quotes in javascript using $this->jsQuoteEscape ($item->getName()); Mahento 2 you can do the same using escapeJsQuote

escapeUrl() actually leverages htmlspecialchars with the recommended parameters to escape HTML: $result = htmlspecialchars($result, ENT_COMPAT, 'UTF-8', false);

You can find more information by Magento 2 official documentation.

Krishna ijjada
  • 8,927
  • 6
  • 41
  • 70
  • Can you tell the difference between escapeUrl() and escapeXssInUr()l?

    It is worth noticing that `The upcoming release of Magento 2.2 will deprecate these functions.

    Please check back on this page after the 2.2 release for updated documentation on new escape functions.`

     – Bartosz Kubicki Oct 30 '16 at 16:24
3

There is a helpful entry in the DevDocs on template security: Security measures against XSS attacks

Re escapeXssInUrl: The function escapeUrl calls escapeXssInUrl internally plus escapeHtml afterwards. Also Magento uses escapeUrl internally.

Make sure to check out the new escaping functions once Magento 2.2. is out as there will be new ones coming:

The upcoming release of Magento 2.2 will deprecate these functions.

Please check back on this page after the 2.2 release for updated documentation on new escape functions.

And you might as well be interested to check out my presentation about this here: Secure input and output handling - Meet Magento Romania 2016

Anna Völkl
  • 17,341
  • 5
  • 60
  • 141
  • actually I have watched your training on Mage Titans Italy and I wanted to clarify some information and that was one of the reason of question :)!

    https://www.youtube.com/watch?v=TBSr5Esb-8M That is what I have noticed

    That's what I also noticed about escapeXssInUrl() - so should I use escapeUrl() insted?

    'Eav Backedn validation rules' - I guess they are just use automatically and I am already using them? Or should that implement them in places inputs ar added?

     – Bartosz Kubicki Oct 31 '16 at 07:40
  • 1
    I think it's better to use escapeUrl than escapeXssInUrl as this is called internally: https://github.com/magento/magento2/blob/1ade3b769a937f19682bbbe4e51b6c956147952f/lib/internal/Magento/Framework/Escaper.php#L206 – Anna Völkl Oct 31 '16 at 08:01
  • I haven't noticed that - that is right! – Bartosz Kubicki Oct 31 '16 at 08:29