 

Validation (vs) Sanitization in Symfony2+Twig?

Tags:

twig

symfony

I need my users to enter the URI of their personal website in their profile so that other users can see and click on it. I am worried that this could lead to XSS attacks if the output is not sanitized properly.

Like in this very simplistic schema below:

[image: schema of the flow from user input to display, not reproduced]


I am using the full stack symfony2 framework, Doctrine as ORM and Twig as a template engine. I know that Symfony provides some amazing Validation tools, and that Twig provides automatic output escaping (which is not necessary in this particular case) as well as some filters for output sanitizing.

I've read the following about how symfony2 and twig handle sanitization:

Doctrine comes with sanitization for database (SQL) injections. Apart from this, there is no recommended / provided input sanitization at controller level in Symfony2. However, using Twig in the view, output sanitization is available.

As an example, in CakePHP however:

Data sanitization is implemented as a Utility which can be accessed from anywhere (controller, component, model .. even view). It follows a sanitize-all-input approach with a fixed set of predefined sanitization filters. Sanitizing specific inputs with dedicated rules is possible, but seems not to be encouraged. The existing rules concentrate on SQL and HTML injections and filtering out general suspicious unicode characters.

1. How do symfony2 + twig users handle input sanitization? Do they discard input sanitization totally and, for example, rely on validation only? Or do they write their own utility function to filter user inputs? Or maybe use a library like owasp-esapi-php?

2. How do symfony2 + twig users handle output sanitization? Do they rely on the filters provided by the twig engine only? For example, are there already any tools that one can use to sanitize a user-entered URI, something similar to this?

3. In this situation, how would you handle database storage and display of a user-entered URI like in the example above? Would you care about input sanitization at all? Or would you use output sanitization only and store the URI as is?

Asked by Mick, May 15 '13 12:05




2 Answers

  1. You should not worry at all about input sanitization; Doctrine is immune to SQL injection.

  2. By default, all output is escaped. So even if $text has script tags, it will be escaped: visible as text but not executed by the browser. And if you want to have http://example.com clickable, there are jQuery plugins that can do that for you.

  3. I would only add validation; there is

    new Symfony\Component\Validator\Constraints\Url();

available for you.

Answered by Zeljko, Sep 28 '22 10:09
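The answer above leans on two separate controls, validation of the submitted URL and escaping of the rendered one, and the distinction is worth seeing in code because each stops a different payload. The example below is added here; it is not code from the question, from either answer, or from Symfony. To run stand-alone it uses plain PHP (parse_url, htmlspecialchars) in place of the Symfony Url constraint and Twig's autoescaping, and the function names isAcceptableProfileUrl, escapeHtml, renderLinkUnsafe and renderLinkSafe, as well as the sample URLs, are constructed for the illustration.

```php
<?php
// Added example for this Q&A; not code from the question or either answer.
// It separates the two controls the question conflates:
//   1. validation when the URL is submitted (reject, do not rewrite), and
//   2. context-aware escaping when the URL is rendered into an href attribute.
// Plain PHP (parse_url, htmlspecialchars) stands in for the Symfony Url
// constraint and Twig autoescaping so that the script runs on its own.

/**
 * Validation: accept only absolute http(s) URLs with a host.
 * Returns a boolean and never changes the value. Whatever passes here is
 * stored as-is; there is no "sanitization" step that rewrites it.
 */
function isAcceptableProfileUrl($value)
{
    // Control characters and whitespace have no place in a URL and are the
    // usual ingredients of scheme-obfuscation tricks; reject them outright.
    if (!is_string($value) || preg_match('/[\x00-\x20\x7F]/', $value)) {
        return false;
    }
    $parts = parse_url($value);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    // Scheme allowlist. This is the check that output escaping cannot
    // replace: "javascript:alert(1)" contains no character that HTML
    // escaping would touch, yet it executes when the link is clicked.
    return in_array(strtolower($parts['scheme']), array('http', 'https'), true);
}

/**
 * Output escaping for the HTML/attribute context, i.e. what Twig's
 * autoescape ("html" strategy) does to {{ website }} inside href="...".
 */
function escapeHtml($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

/** The vulnerable rendering: equivalent to {{ website|raw }} in Twig. */
function renderLinkUnsafe($storedUrl)
{
    return '<a href="' . $storedUrl . '">' . $storedUrl . '</a>';
}

/**
 * The hardened rendering: escaped on output, and validated again before
 * being emitted as a link, so a bad value that reached the database (a
 * legacy row, a bypassed form) is shown as text rather than made clickable.
 */
function renderLinkSafe($storedUrl)
{
    if (!isAcceptableProfileUrl($storedUrl)) {
        return '<span>' . escapeHtml($storedUrl) . '</span>';
    }
    return '<a href="' . escapeHtml($storedUrl) . '" rel="nofollow">'
        . escapeHtml($storedUrl) . '</a>';
}

// Constructed sample inputs (not taken from the page) covering the cases
// that matter for the validation-versus-escaping question.
$samples = array(
    'https://example.com/~mick',                        // legitimate
    'http://example.com/?q=<script>alert(1)</script>',  // escaping alone neutralises this
    'javascript:alert(document.cookie)',                // escaping alone does NOT; validation must reject
    'https://example.com/"onmouseover="alert(1)',       // attribute break-out; quotes are escaped
    'example.com',                                      // relative, no scheme: rejected
);

foreach ($samples as $url) {
    echo $url, "\n";
    echo '  valid:  ', isAcceptableProfileUrl($url) ? 'yes' : 'no', "\n";
    echo '  unsafe: ', renderLinkUnsafe($url), "\n";
    echo '  safe:   ', renderLinkSafe($url), "\n\n";
}
```

In a Symfony2 application the first function corresponds to the Url constraint, whose `protocols` option defaults to http and https, and the second to Twig's autoescaping; what the script makes visible is that autoescaping protects against the `<script>` and attribute break-out samples but does nothing for the `javascript:` sample, which only the scheme check on input stops. Storing the validated URI unchanged and escaping it on output, rather than rewriting it on input, is consistent with the answer above.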


There is also a nice symfony2 bundle that allows users to implement input filtering in entities using Annotations. Like this:

    /**
     * @Filter\StripTags()
     * @Filter\Trim()
     * @Filter\StripNewlines()
     *
     * @var string
     */
    public $email;

The bundle : dms-filter-bundle

Answered by Mohamed Ramrami, Sep 28 '22 09:09