sfXssSafePlugin
0.5.0 beta
for symfony 1.1 and symfony 1.0, MIT license
The sfXssSafePlugin allows to clean a string to prevent XSS attacks. It provides a new escaping strategy, ESC_XSSSAFE, to escape tainted HTML strings entered by users. This escaping strategy removes all "dangerous" tags and attributes but keeps the safe ones.
License
Copyright (c) 2008 Alexandre Mogère
Copyright (c) 2008 Ma Génération
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
sfXssSafePlugin - Output Rich Text With Cross Site Scripting Protection
Overview
symfony's output escaper ships ESC_RAW (no escaping at all) and ESC_HTMLENTITIES (escape everything), but nothing in between: an escaping level that strips dangerous HTML yet keeps the tags that only structure the content or apply formatting to it.
The sfXssSafePlugin fills that gap. It provides a new escaping strategy, ESC_XSSSAFE, for tainted HTML strings entered by users: all "dangerous" tags and attributes are removed while the safe ones are kept. The plugin bundles the HTML Purifier library and is fully unit-tested.
Installation
Usage
First of all, output escaping must be enabled in your application for this plugin to have any effect: the escaping_strategy parameter in your settings.yml must be set to both or on.
Include the helper in the templates where you want to use the new escaping strategy:
As explained in the symfony book, the methods of an escaped object accept an additional trailing parameter that selects the escaping strategy. Alongside the core ESC_HTMLENTITIES and ESC_RAW, you can now pass ESC_XSSSAFE.
// In the action
$this->post->setContent('this is not nice <script>alert("XSS");</script>');
// In the template
<?php echo $post->getContent(ESC_XSSSAFE); ?>
=> 'this is not nice'
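The example below is an added illustration, not the plugin's own code, of how an ESC_XSSSAFE strategy can be wired onto HTML Purifier and what it does to typical XSS payloads. It assumes HTML Purifier 4.x (dotted directive names in HTMLPurifier_Config::set) on the include path, and it uses the helper name esc_xsssafe as an assumption: in symfony 1.0/1.1 an escaping strategy constant holds the name of an esc_* function, and the decorated object's __call pops that name off the argument list and calls it with the value, so the real plugin's helper follows the same shape even if its name differs. The tainted inputs are constructed for the demonstration.

```php
<?php
// Added example, not the plugin's code. Assumes HTML Purifier 4.x and the
// helper name esc_xsssafe (assumption; the plugin's helper may differ).
require_once 'HTMLPurifier.auto.php';

// symfony escaping strategies are names of esc_* functions: ESC_RAW is
// 'esc_raw', ESC_ENTITIES is 'esc_entities'. ESC_XSSSAFE follows suit.
if (!defined('ESC_XSSSAFE')) {
    define('ESC_XSSSAFE', 'esc_xsssafe');
}

// Build one purifier per request with the directives the plugin documents
// as defaults (HTML.Doctype left at HTML Purifier's default, as null does).
function esc_xsssafe($value)
{
    static $purifier = null;
    if ($purifier === null) {
        $config = HTMLPurifier_Config::createDefault();
        $config->set('Core.Encoding', 'UTF-8');
        $config->set('HTML.TidyLevel', 'medium');
        $config->set('HTML.Trusted', false);
        $config->set('Core.RemoveInvalidImg', true);
        $config->set('CSS.AllowImportant', false);
        $config->set('AutoFormat.AutoParagraph', false);
        $config->set('URI.DisableExternal', false);
        $purifier = new HTMLPurifier($config);
    }
    return $purifier->purify((string) $value);
}

// Mimics what the template call $post->getContent(ESC_XSSSAFE) resolves to
// inside sfOutputEscaper: call_user_func($escapingMethod, $value).
function escapeWith($strategy, $value)
{
    return call_user_func($strategy, $value);
}

// Constructed tainted inputs, one per common XSS vector.
$samples = array(
    'script element' => 'this is not nice <script>alert("XSS");</script>',
    'event handler'  => '<p onmouseover="alert(1)">hover me</p>',
    'javascript URI' => '<a href="javascript:alert(1)">click</a>',
    'img onerror'    => '<img src="x" onerror="alert(1)">',
    'iframe + style' => '<b style="color: red">bold</b><iframe src="http://evil.example/"></iframe>',
    'benign markup'  => '<a href="http://example.org/">safe link</a> and <em>emphasis</em>',
);

foreach ($samples as $label => $dirty) {
    printf("%-15s %s\n%-15s %s\n\n", $label, $dirty, '  cleaned:', escapeWith(ESC_XSSSAFE, $dirty));
}
```

With these directives HTML Purifier drops the script element together with its body (script is one of the Core.HiddenElements, so its content is not left behind as text), removes the onmouseover and onerror attributes because no event-handler attribute exists in the XHTML vocabulary it enforces, strips the javascript: href because that scheme is not in URI.AllowedSchemes, and removes the iframe element entirely, while b, em, p, the inline style and the http link survive. Note that the cleaning is only as strong as the configured vocabulary: with URI.DisableExternal left at false, links to arbitrary hosts are kept.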
Configuration
You can change the HTML Purifier configuration in your application's app.yml, under the sfXssSafePlugin section. Refer to the plugin's app.sample.yml and to the HTML Purifier documentation for the meaning of each directive.
Here is the default configuration used by the plugin if you don't add anything to your app.yml:
all:
  sfXssSafePlugin:
    definition:
      HTML:
        TidyLevel: medium         # Values: "none", "light", "medium", "heavy"
        Doctype: null             # Accepts valid doctypes, like 'XHTML 1.0 Transitional'
        Trusted: false
      Core:
        Encoding: UTF-8           # This directive only accepts ISO-8859-1 if iconv is not enabled
        RemoveInvalidImg: true
        EscapeInvalidChildren: false
        EscapeInvalidTags: false
        ColorKeywords:
          maroon: '#800000'
          red: '#FF0000'
          orange: '#FFA500'
          yellow: '#FFFF00'
          olive: '#808000'
          purple: '#800080'
          fuchsia: '#FF00FF'
          white: '#FFFFFF'
          lime: '#00FF00'
          green: '#008000'
          navy: '#000080'
          blue: '#0000FF'
          aqua: '#00FFFF'
          teal: '#008080'
          black: '#000000'
          silver: '#C0C0C0'
          gray: '#808080'
      CSS:
        AllowImportant: false
      Filter:
        YouTube: false            # Allow embedded YouTube videos
      AutoFormat:
        AutoParagraph: false
      URI:
        Disable: false
        DisableExternal: false
      Output:
        TidyFormat: false
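The following is an added example, not code from the plugin, showing how a nested definition of the shape used in app.yml (namespace, then directive, then value) maps onto HTMLPurifier_Config, and how the documented defaults compare with a tighter profile a practitioner would typically use for a comment form. It assumes HTML Purifier 4.x; the function names buildPurifier and comparePolicies and the $strict profile are this example's own, and the input string is constructed. Filter.YouTube and Core.ColorKeywords are left out of the array only to keep it short.

```php
<?php
// Added example, not the plugin's code. Assumes HTML Purifier 4.x.
require_once 'HTMLPurifier.auto.php';

// Apply a namespace => directive => value array to a fresh config.
// A null value (the plugin's Doctype default) leaves HTML Purifier's own default.
function buildPurifier(array $definition)
{
    $config = HTMLPurifier_Config::createDefault();
    foreach ($definition as $namespace => $directives) {
        foreach ($directives as $name => $value) {
            if ($value === null) {
                continue;
            }
            $config->set($namespace . '.' . $name, $value);
        }
    }
    return new HTMLPurifier($config);
}

// The plugin's documented defaults, mirrored as a PHP array.
$defaults = array(
    'HTML' => array(
        'TidyLevel' => 'medium',
        'Doctype'   => null,
        'Trusted'   => false,
    ),
    'Core' => array(
        'Encoding'              => 'UTF-8',
        'RemoveInvalidImg'      => true,
        'EscapeInvalidChildren' => false,
        'EscapeInvalidTags'     => false,
    ),
    'CSS'        => array('AllowImportant' => false),
    'AutoFormat' => array('AutoParagraph' => false),
    'URI'        => array('Disable' => false, 'DisableExternal' => false),
    'Output'     => array('TidyFormat' => false),
);

// A stricter profile (this example's own): whitelist the elements and the
// attributes users actually need, and refuse links to other hosts.
// Elements listed without [attr] get no attributes at all, so style is gone.
$strict = $defaults;
$strict['HTML']['Allowed']       = 'p,br,b,strong,i,em,ul,ol,li,blockquote,a[href]';
$strict['URI']['DisableExternal'] = true;

// Run the same input through both policies and return both results.
function comparePolicies(array $defaults, array $strict, $dirty)
{
    return array(
        'defaults' => buildPurifier($defaults)->purify($dirty),
        'strict'   => buildPurifier($strict)->purify($dirty),
    );
}

// Constructed input: an external link, inline CSS, and a script.
$dirty = '<a href="http://evil.example/">external</a> '
       . '<span style="color: red">styled</span> <script>alert(1)</script>';

foreach (comparePolicies($defaults, $strict, $dirty) as $policy => $clean) {
    printf("%-9s %s\n", $policy . ':', $clean);
}
```

Under the defaults the external link and the styled span survive, because URI.DisableExternal is false and span with a style attribute belongs to the XHTML Transitional vocabulary; the script is removed under both policies. Under the strict profile the href pointing at another host is dropped and the span is reduced to its text, because only the whitelisted elements and attributes are permitted. Since the plugin reads these directives from app.yml, the same tightening is done by overriding HTML.Allowed and URI.DisableExternal in the sfXssSafePlugin section rather than in PHP.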
Changelog
2008-05-19 | 0.5.0 Beta