sfXssSafePlugin - 0.5.0

Output Rich Text With Cross Site Scripting Protection

Between ESC_RAW and ESC_HTMLENTITIES, symfony lacks an intermediate escaping level that strips dangerous HTML but keeps the tags that merely structure a piece of content or apply formatting to it.

The sfXssSafePlugin cleans a string to prevent XSS attacks. It provides a new escaping strategy, ESC_XSSSAFE, to escape tainted HTML strings entered by users. This escaping strategy removes all "dangerous" tags and attributes but keeps the safe ones. The plugin bundles the HTML Purifier library and is fully unit-tested.


  • Install the plugin

    symfony plugin-install http://plugins.symfony-project.com/sfXssSafePlugin

  • Alternatively, if you don't have PEAR installed, you can download the latest package attached to this plugin's wiki page and extract it under your project's plugins/ directory


First of all, your application's escaping strategy must be set to "both" or "on" for this plugin to have any effect. Check the escaping_strategy parameter in your settings.yml.

Include the helper in the templates where you want to use the new escaping strategy:

As explained in the symfony book, the methods of escaped objects accept an additional parameter for the escaping strategy. In addition to the core ESC_HTMLENTITIES and ESC_RAW, you can now use the ESC_XSSSAFE strategy.

// In the action 
$this->post->setContent('this is not nice <script>alert("XSS");</script>');

// In the template
<?php echo $post->getContent(ESC_XSSSAFE); ?>
 => 'this is not nice'


You can change the HTML Purifier configuration in your application's app.yml file, under the sfXssSafePlugin section. Refer to the plugin's app.sample.yml and to the HTML Purifier documentation for further information.

Here is the default configuration used by the plugin if you don't add anything to your app.yml:


        TidyLevel:              medium   # Values: "none", "light", "medium", "heavy"
        Doctype:                null     # Accepts valid Doctypes, like 'XHTML 1.0 Transitional'
        Trusted:                false

        Encoding:               UTF-8    # This directive only accepts ISO-8859-1 if iconv is not enabled
        RemoveInvalidImg:       true
        EscapeInvalidChildren:  false
        EscapeInvalidTags:      false
          maroon:               '#800000'
          red:                  '#FF0000'
          orange:               '#FFA500'
          yellow:               '#FFFF00'
          olive:                '#808000'
          purple:               '#800080'
          fuchsia:              '#FF00FF'
          white:                '#FFFFFF'
          lime:                 '#00FF00'
          green:                '#008000'
          navy:                 '#000080'
          blue:                 '#0000FF'
          aqua:                 '#00FFFF'
          teal:                 '#008080'
          black:                '#000000'
          silver:               '#C0C0C0'
          gray:                 '#808080'

        AllowImportant:         false

        YouTube:                false    # Allow embedded YouTube videos

        AutoParagraph:          false

        Disable:                false
        DisableExternal:        false

        TidyFormat:             false
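As an added example (not the plugin's own code), here is how the ESC_XSSSAFE strategy from the usage section and the default configuration listed above can be reproduced directly against HTML Purifier 4.x. symfony 1 resolves an escaping strategy constant to the PHP function of that name, so a strategy is a constant plus a function; the listed defaults are mapped onto HTML Purifier's own directive names (HTML.TidyLevel, Core.Encoding, CSS.AllowImportant, Filter.YouTube, AutoFormat.AutoParagraph, URI.Disable, Output.TidyFormat). The Composer autoload path, the xsssafe_purifier() helper, the esc_xsssafe function name and the URI.AllowedSchemes tightening are assumptions of this example, not something the plugin documents.

```php
<?php
// Added example, not sfXssSafePlugin code: an ESC_XSSSAFE-style escaper built
// directly on HTML Purifier 4.x. Assumes HTML Purifier is installed via
// Composer (ezyang/htmlpurifier); adjust the include for your setup.
require_once 'vendor/autoload.php';

// symfony 1 calls the function whose name the strategy constant holds, so a new
// strategy is a constant plus a function (assumed to match the plugin's approach).
if (!defined('ESC_XSSSAFE')) {
  define('ESC_XSSSAFE', 'esc_xsssafe');
}

// Builds one shared purifier configured like the plugin's listed defaults.
function xsssafe_purifier()
{
  static $purifier = null;
  if ($purifier === null) {
    $config = HTMLPurifier_Config::createDefault();
    // HTML Purifier directives corresponding to the defaults listed above.
    $config->set('HTML.TidyLevel', 'medium');          // none | light | medium | heavy
    $config->set('HTML.Trusted', false);               // never trust user HTML
    $config->set('Core.Encoding', 'UTF-8');
    $config->set('Core.RemoveInvalidImg', true);
    $config->set('Core.EscapeInvalidChildren', false);
    $config->set('Core.EscapeInvalidTags', false);
    $config->set('CSS.AllowImportant', false);
    $config->set('Filter.YouTube', false);
    $config->set('AutoFormat.AutoParagraph', false);
    $config->set('URI.Disable', false);
    $config->set('URI.DisableExternal', false);
    $config->set('Output.TidyFormat', false);
    // Assumed hardening beyond the listed defaults: only allow http/https
    // links, so no script-carrying URI scheme survives in href/src.
    $config->set('URI.AllowedSchemes', array('http' => true, 'https' => true));
    $purifier = new HTMLPurifier($config);
  }
  return $purifier;
}

// The escaping function symfony's output escaper would call for ESC_XSSSAFE.
function esc_xsssafe($value)
{
  // Arrays and objects are wrapped by symfony's escaper decorators; only
  // strings are purified here.
  if (!is_string($value)) {
    return $value;
  }
  return xsssafe_purifier()->purify($value);
}

// Constructed samples: formatting tags survive, script vectors are stripped.
$samples = array(
  'this is not nice <script>alert("XSS");</script>',
  '<p>Hello <b>world</b> and <a href="http://example.com">a link</a></p>',
  '<img src="x" onerror="alert(1)" alt="pic">',
);
foreach ($samples as $sample) {
  echo esc_xsssafe($sample), "\n";
}
```

Run it from the command line with php; the first sample comes back as plain text, the second keeps its paragraph, bold and link, and the third keeps only the img tag's safe attributes. Because the purifier is built once and cached in a static, the cost of parsing the configuration is paid a single time per request rather than on every escaped value.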


2008-05-19 | 0.5.0 Beta

  • amogere: Initial version