thephpleague / plates

Native PHP template system
https://platesphp.com
MIT License

Escape is safe? #27

Closed raxan closed 10 years ago

raxan commented 10 years ago

Hi

Is it safe to use only http://platesphp.com/templates/escaping/ or should we consider using a third-party lib like htmlpurifier?

I see here: http://htmlpurifier.org/comparison all possible XSS attacks.

Question: instead of escaping variables in the template, why not do this in the controller before passing them to the template?

Example: in each controller, before rendering HTML, the variables from the Request are escaped (and sanitized using htmlpurifier), and then passed to the template clean and safe.

thanks!!

baileylo commented 10 years ago

These are performing different tasks. htmlpurifier allows you to render "safe" HTML; Plates' escape method will convert special characters to their HTML entities.

Not sure I explained that well, so here's an example. Plates' escape uses htmlspecialchars. In the example below you can see how < is converted to its HTML entity &lt;.

<?php
// ENT_QUOTES makes htmlspecialchars() convert both double and single quotes
$new = htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES);
echo $new; // &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;

htmlpurifier, on the other hand, would allow this to be generated. Since htmlpurifier doesn't have any easy examples to copy and paste, you can see from this demo that the link is still generated.

reinink commented 10 years ago

Thanks for explaining this @baileylo. The only thing I would add is that generally the built-in Plates escaping, using htmlspecialchars() is all you need. The only time you'll need to use an HTML purifier is when you are allowing users to input HTML. Using standard escaping wouldn't work at that point, since the HTML would not render properly. In these situations an HTML purifier can help by only allowing certain tags, and removing malicious code.

> Question: instead of escaping variables in the template, why not do this in the controller before passing them to the template?
>
> Example: in each controller, before rendering HTML, the variables from the Request are escaped (and sanitized using htmlpurifier), and then passed to the template clean and safe.

What you're asking for here is auto escaping, and in short, no, there is no good way to do this with native PHP templates. Believe me, I've done a ton of research on it. See #23 and #24 for more info.

raxan commented 10 years ago

thanks for your reply.

I read those other posts, thanks for sharing.

I think that you should double-check security, because htmlspecialchars is not 100% safe from XSS attacks, because malicious script can be injected via attributes.

htmlentities is better, but run strip_tags() first.

But strip_tags plus htmlentities is also not 100% safe, so the only lib in PHP which covers everything is htmlpurifier.

I think that you should by default escape every user input which is displayed using an HTML library, and allow only safe HTML tags like a, h1, p, ul, li, span, ...

Read here: http://stackoverflow.com/questions/3623236/htmlspecialchars-vs-htmlentities-when-concerned-with-xss

baileylo commented 10 years ago

@raxan No HTML tags are allowed.

reinink commented 10 years ago

> I think that you should double-check security, because htmlspecialchars is not 100% safe from XSS attacks, because malicious script can be injected via attributes.

Make sure you quote your attributes, and you'll be totally fine. There is a note about this in the Plates documentation: http://platesphp.com/templates/escaping/#escaping-html-attributes

I don't understand special escaping of HTML attributes. As a developer, if I'm going to forget the quotes chances are I'll also forget to use this special attribute escaping method.
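The attribute-quoting point in this exchange is easy to see in code. The script below is an added example, not code from Plates or from anyone in this thread: it places one constructed untrusted string into an HTML attribute three ways (quoted and escaped with htmlspecialchars(), unquoted and escaped the same way, and unquoted but run through a hypothetical attribute escaper written here after the common "encode everything that is not alphanumeric" rule) and then lets DOMDocument count how many attributes a parser actually sees. The escapeHtml(), escapeAttr() and countAttributes() helpers are this example's own names, not Plates functions.

```php
<?php
// Added example (not Plates' own code). Contrasts quoted vs. unquoted
// attributes when the value has only been through htmlspecialchars().

/**
 * Plain HTML escaping, the same htmlspecialchars() call that Plates' e()
 * wraps. Converts < > & " ' to entities and nothing else.
 */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Hypothetical attribute escaper for this example: every character outside
 * [A-Za-z0-9] becomes a numeric entity. The output therefore contains no
 * space, '=', '/' or quote, so it cannot start a second attribute even when
 * the surrounding attribute was left unquoted. mb_ord() keeps multibyte
 * UTF-8 characters intact instead of splitting them into bytes.
 */
function escapeAttr(string $value): string
{
    return preg_replace_callback('/[^A-Za-z0-9]/u', function (array $m): string {
        return sprintf('&#x%X;', mb_ord($m[0], 'UTF-8'));
    }, $value);
}

/**
 * Parse a single <input> tag the way a browser would and return how many
 * attributes it ended up with. Entities such as &#x20; are decoded by the
 * parser, so a fully encoded value still yields exactly one attribute.
 */
function countAttributes(string $tag): int
{
    $dom = new DOMDocument();
    // Suppress libxml warnings about fragments; we only care about the result.
    @$dom->loadHTML('<!DOCTYPE html><html><body>' . $tag . '</body></html>');
    $input = $dom->getElementsByTagName('input')->item(0);
    return $input ? $input->attributes->length : 0;
}

// Constructed untrusted input: it contains none of < > & " ', so
// htmlspecialchars() returns it unchanged, but it does contain a space and
// an '=', which is all an unquoted attribute context needs.
$untrusted = 'x onmouseover=alert(1)';

$quoted   = '<input value="' . escapeHtml($untrusted) . '">';
$unquoted = '<input value=' . escapeHtml($untrusted) . '>';
$attrSafe = '<input value=' . escapeAttr($untrusted) . '>';

// Quoted + htmlspecialchars(): the whole string stays inside one attribute.
// Unquoted + htmlspecialchars(): the parser splits it into two attributes,
// and the second one is an event handler, which is the injection raxan
// describes and the reason the Plates docs say to quote attributes.
// Unquoted + escapeAttr(): back to a single attribute.
foreach (['quoted' => $quoted, 'unquoted' => $unquoted, 'attr-escaped' => $attrSafe] as $label => $html) {
    printf("%-13s %-60s attributes=%d\n", $label, $html, countAttributes($html));
}
```

The takeaway matches reinink's comment: with quoted attributes htmlspecialchars() is sufficient, and the heavier attribute escaper only buys something for a developer who forgot the quotes in the first place.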

raxan commented 10 years ago

I got your point @reinink thanks!