XSS stands for cross-site scripting and is a type of vulnerability that allows an attacker to inject a client-side script (typically JavaScript) into a page viewed by other users. Given the power of client-side scripting, this can lead to very serious consequences such as bypassing security checks, stealing other users' credentials, or leaking data.
In this recipe, we will see how to prevent XSS by escaping the output with both CHtml and CHtmlPurifier.
Generate a fresh web application by using yiic webapp. Create protected/controllers/XssController.php as follows:
<?php
class XssController extends CController
{
    public function actionSimple()
    {
        echo 'Hello, '.$_GET['username'].'!';
    }
}
Normally, it will be used as /xss/simple?username=Alexander. However, as the main security principle "filter input, escape output" was not taken into account, malicious users will be able to use it in the following way:
/xss/simple?username=<...
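The following controller is an added example, not code from the original recipe: it keeps the vulnerable actionSimple() shown above and places two escaped variants beside it. It assumes Yii 1.x, where CHtml::encode() wraps htmlspecialchars() with ENT_QUOTES and CHtmlPurifier::purify() runs HTML Purifier over the input; the action names actionEncoded and actionPurified, the bio parameter and the 'HTML.Allowed' whitelist are choices made for this example.

```php
<?php
// Added example (not part of the original recipe). Requires the Yii 1.x
// framework to be loaded, as in the generated webapp.
class XssController extends CController
{
    // Vulnerable (the recipe's original action): the raw GET parameter is
    // written into the HTML response, so any markup in it is rendered.
    public function actionSimple()
    {
        echo 'Hello, '.$_GET['username'].'!';
    }

    // Fixed by escaping on output: CHtml::encode() turns <, >, &, " and '
    // into entities, so a value such as <script>alert(1)</script> is shown
    // as literal text instead of being executed by the browser.
    public function actionEncoded()
    {
        $username = isset($_GET['username']) ? $_GET['username'] : '';
        echo 'Hello, '.CHtml::encode($username).'!';
    }

    // When a field legitimately contains HTML (assumed here: a "bio" text
    // that may use bold, italic, paragraphs and links), encoding would
    // destroy the formatting. CHtmlPurifier keeps only the whitelisted
    // tags and attributes and drops script elements, on* event handlers
    // and javascript: URLs.
    public function actionPurified()
    {
        $purifier = new CHtmlPurifier();
        // HTML Purifier configuration: whitelist of tags and attributes.
        $purifier->options = array('HTML.Allowed' => 'b,i,p,a[href]');
        $bio = isset($_GET['bio']) ? $_GET['bio'] : '';
        echo $purifier->purify($bio);
    }
}
```

Requesting /xss/encoded with the same script payload that breaks /xss/simple produces a page that displays the tag text harmlessly; /xss/purified with a bio containing both a <b> tag and a <script> tag renders the bold text and silently drops the script. Use encode for plain values and purify only where HTML input is genuinely required, since the purifier is far more expensive than a single htmlspecialchars() call.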