[Security] Add correct escaping methods against XSS
  • It would be nice to extend Kohana with good escaping methods, like in the following RFC is mentioned: https://wiki.php.net/rfc/escaper

    This can be used to enhance the global security of Kohana projects against XSS. Keep in mind though, that simply htmlentities($value, ENT_QUOTES, 'utf-8') isn't enough a lot of times.

    To see why that is, take a look at the following links:

  • Keep in mind though, that simply htmlentities($value, ENT_QUOTES, 'utf-8') isn't enough a lot of times.

    It basically is for HTML. We have a built in HTML::chars() method for html escaping. For JS, there's a different method (json_encode()).

    If you use the provided methods smartly, you'll be fine.

  • json_encode won't be enough for JS. See this example: http://jsfiddle.net/3q9gV/

    Yes, HTML::chars() is correctly implemented. But because HTML can have non-quoted attributes (which are valid for HTML5) and because IE interprets backticks, it's not totally safe. Also, using PHP to template CSS could give you XSS vulnerabilities.

  • To think there's some kind of "magic bullet" for any of these problems is extremely short-sighted, imo. Proper security will always rely on the developer to know what they are doing and apply the correct preventative measures needed for their project (in other words, it's no different than sql injection).

  • No, I'm not thinking of magic bullets here. It's about context-aware escaping. But we don't have escaping functions for all contexts. Also, a lot of developers need a kind of stimulation, because a rather large portion of PHP apps are vulnerable to a lot of exploits, because a lot of developers don't know what they are doing.

    The following contexts I think about:

    • SQL (Database::instance()->escape())
    • HTML content (HTML::chars()), like: <div><?=HTML::chars($val); ?></div>
    • HTML attributes (HTML::chars() isn't enough), like: <div class=<?=HTML::chars($val); ?> >
    • Inline JS from PHP, like: var a = <?=json_encode($val); ?>
    • Inline CSS from PHP, like: color: #<?=$val; ?>;
    • Inline SVG from PHP

    Because HTML can embed multiple languages, it needs multiple ways of escaping to handle it correctly and securely. And Kohana does not provide all those ways.

    Maybe you should read this article to know on what viewpoint I also look at PHP: http://blog.astrumfutura.com/2012/10/taking-php-security-seriously-by-taking-it-seriously/

    I'm not talking about you here, but about a lot of PHP scripters who don't know much about security at all.
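The context list above, and the earlier point that json_encode() on its own is not always enough for JS, can be illustrated with a small set of escapers written in the style of the PHP escaper RFC linked in the first post. This is an added example, not Kohana's code and not the RFC's reference implementation; the function names (escape_html, escape_html_attr, escape_js, escape_css, escape_url) and the hostile sample values are my own constructions, and the demonstration assumes the value ends up in the exact HTML position shown in each echo.

```php
<?php
// Added example (not Kohana's own code): context-aware escapers patterned on
// https://wiki.php.net/rfc/escaper. All function names below are assumptions.
declare(strict_types=1);

// HTML text context (what HTML::chars() covers): the five significant characters.
function escape_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Shared helper: pass every character that is not [A-Za-z0-9] through $encode,
// which receives the character and its Unicode code point.
function escape_non_alnum(string $s, callable $encode): string
{
    $out = '';
    foreach (mb_str_split($s, 1, 'UTF-8') as $ch) {
        if (preg_match('/^[A-Za-z0-9]$/', $ch)) {
            $out .= $ch;
            continue;
        }
        $out .= $encode($ch, mb_ord($ch, 'UTF-8'));
    }
    return $out;
}

// HTML attribute context. Safe even for unquoted attributes: space, '=', '`',
// quotes and everything else non-alphanumeric become numeric entities.
function escape_html_attr(string $s): string
{
    return escape_non_alnum($s, fn(string $ch, int $cp): string => sprintf('&#x%02X;', $cp));
}

// JavaScript string-literal context: \xHH for ASCII, \uHHHH (UTF-16 code units)
// for everything else. Output must be placed inside a quoted JS string.
function escape_js(string $s): string
{
    return escape_non_alnum($s, function (string $ch, int $cp): string {
        if ($cp < 0x80) {
            return sprintf('\\x%02X', $cp);
        }
        $out = '';
        foreach (str_split(mb_convert_encoding($ch, 'UTF-16BE', 'UTF-8'), 2) as $unit) {
            $out .= sprintf('\\u%04X', (ord($unit[0]) << 8) | ord($unit[1]));
        }
        return $out;
    });
}

// CSS string/identifier context: \HHHHHH followed by a terminating space.
function escape_css(string $s): string
{
    return escape_non_alnum($s, fn(string $ch, int $cp): string => sprintf('\\%X ', $cp));
}

// URL parameter context.
function escape_url(string $s): string
{
    return rawurlencode($s);
}

// --- Demonstration with constructed hostile values -------------------------

// Unquoted attribute: text escaping leaves the space, so the browser sees a second
// attribute. The attribute escaper turns the space into &#x20; and the value stays whole.
$v = 'x onmouseover=alert(1)';
echo '<div class=' . escape_html($v) . '>', PHP_EOL;       // two attributes: class and onmouseover
echo '<div class=' . escape_html_attr($v) . '>', PHP_EOL;  // one attribute value

// json_encode() output dropped into a double-quoted event handler: its own double
// quotes end the attribute before the JS parser ever runs.
$j = 'He said "hi" </script>';
echo '<a onclick="show(' . json_encode($j) . ')">', PHP_EOL;

// JS escaper output is only [A-Za-z0-9] plus backslash sequences, so it is safe in a
// <script> block and, escaped again for the outer context, inside an attribute.
// Escape innermost context first (JS), then the outer one (HTML attribute).
echo '<script>var s = "' . escape_js($j) . '";</script>', PHP_EOL;
echo '<a onclick="show(\'' . escape_html_attr(escape_js($j)) . '\')">', PHP_EOL;

// CSS and URL contexts for the same kind of value.
echo '<style>.x:after { content: "' . escape_css($j) . '"; }</style>', PHP_EOL;
echo '<a href="/search?q=' . escape_url($j) . '">', PHP_EOL;
```

The point of the helper is that each escaper encodes everything outside [A-Za-z0-9] for its context, so the result is safe regardless of whether the surrounding attribute is quoted or which browser quirk applies. When a value passes through two contexts (JS inside an HTML attribute), apply the escapers from the inside out; the HTML parser decodes the entities back before handing the string to the JS engine.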

  • SQL escaping is pretty easy to handle when you're using parameters, but output escaping is so context-specific you basically rely on the developer knowing what they are doing.

  • I always let "anything" in the database, properly escaped of course, just enough for no SQL injection, and escape / strip potentially dangerous code only when displaying. Never had any issues with this.
