1.5.0releasedCross-Site Scripting (XSS) Filter
Protect yourself against XSS and XSRF attacks in form submissions.
Clone URLhttps://github.com/symphonycms/xssfilter.git
Add as a submodulegit submodule add https://github.com/symphonycms/xssfilter.git extensions/xssfilter --recursive
Compatibility
2.x.x | 2.1.x | 2.2.x | 2.3.x | 2.4.x | 2.5.x | 2.6.x | 2.7.0 | 2.7.1 | 2.7.2 | 2.7.3 | 2.7.4 | 2.7.5 | 2.7.6 | 2.7.7 | 2.7.8 | 2.7.9 | 2.7.10 |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
No | 1.2 | 1.2 | 1.2 | 1.5.0 | 1.5.0 | 1.5.0 | 1.5.0 | 1.5.0 | 1.5.0 | 1.5.0 | 1.5.0 | 1.5.0 | 1.5.0 | 1.5.0 | 1.5.0 | 1.5.0 | 1.5.0 |
Readme
Cross-Site Scripting (XSS) Filter
Description
Protect yourself against XSS and XSRF attacks in form submissions.
Installation
- Place the
xssfilter
folder in your Symphonyextensions
directory. - Go to System > Extensions, select "Cross-Site Scripting (XSS) Filter", choose "Enable" from the with-selected menu, then click Apply.
Usage
XSS
- Go to Blueprints > Components and click the name of the event whose input you want to filter.
- In the "Filters" section, select "Filter XSS: Fail if malicious input is detected"
- Save your event
- Pirouette
Additionally, the XSS Filter can be used directly in your extensions via Extension_XSSFilter::detectXSS($string)
which takes a string and returns boolean if XSS is detected.
Frontend Utilities
As of XSS Filter 1.4, this extension provides five context aware functions that can be used on the frontend to filter malicious data. These functions are designed to be used in five areas, attributes (attributeContextCleaner
), style (styleContextCleaner
), script (scriptContextCleaner
), url (urlContextCleaner
) and html (htmlContextCleaner
). Thanks to Ashar Javed (@soaj1664ashar) for reaching out and sharing his work.
Example usage:
<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl" extension-element-prefixes="php">
<xsl:template match="/">
<p>Hello there, <a href="{php:functionString('urlContextCleaner', '$root')}">click on my XSS safe link</a></p>
</xsl:template>
</xsl:stylesheet>
Notes
The XSS Filter, as mentioned above is very strict. It defaults to a high level of protection, and users who want to be more permissive with their input should be savvy enough to filter that input accordingly before rendering the content on the front end.
The filter disallows the following HTML elements: meta
, link
, style
, script
, embed
, object
, iframe
, frame
, frameset
, title
, and a few other more obscure ones.
XSRF
- Go to Blueprints > Components and click the name of the event whose input you want to filter.
- In the "Filters" section, select "Validate XSRF: Ensure request was passed with a XSRF token"
- Save your event
- In your POST request, ensure
$_POST['xsrf']
is set with a valid token (available via params{$cookie-xsrf-token}
)
Additionally, the XSRF Filter can be used directly in your extensions via XSRF::validateToken($token)
which takes a string and returns boolean if it is not valid.
Version history
Symphony 2.4 to 2.x.x
- Replaced deprecated preg_replace /e in extension.driver.php
- Added German translation
Symphony 2.4 to 2.x.x
- Updated compatibility info
Requires Symphony 2.4
- Small patch to the attribute context cleaner
Requires Symphony 2.4
- Update extension to include context aware XSS functions for the Frontend. Big thanks to Ashar Javed
Requires Symphony 2.4
- Update extension to include a Validate XSRF filter
- Add Russian translation
- Additional detection logic adding for
feed
anddata
protocols - Update all links to getsymphony.com
Requires Symphony 2.0.3
- More robust checking to handle upload fields and integers
Requires Symphony 2.0.3
- Static
detectXSS
function so that logic can be used by other extensions outside of the Event Options context - Events with the XSS Filter can now handle nested field data to an infinite level
- Slight performance tweak if XSS is detected
- Additional detection logic adding for
livescript
andmocha
protocols
Requires Symphony 2.0.3