Symfony2 XSS attack vulnerability

I am using Symfony2 with Sencha Ext JS as an interface.

I found that my forms are vulnerable to XSS attacks. I know that Symfony2 has mechanisms that protect our data from these attacks, however, these mechanisms mainly use templates for this, which I do not use.

I collect a lot of data from the front fields that are passed to the backend. I want to fix this problem with minimal effort.

My goal is to protect my application before the data gets into the database. And there are two choices that are on my mind.

  • First you need to add the strip_tag function to the lifecycle event listeners that listen for preFlush data.

  • Second, add strip_tags at the level level in the selected vulnerable fields.

Both options seem to me insufficient due to the amount of code.

Maybe there is a good idea to add code to the Sencha frontend? I'm not sure what to do.

Thanks for the tips!
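The first option sketched above, as an added example that is not code from the question, from Symfony or from Doctrine: a Doctrine event subscriber that runs strip_tags() over every string or text column of an entity just before insert or update. It assumes Doctrine ORM 2.x as shipped with Symfony2; the AppBundle namespace is hypothetical.

```php
<?php
// Added example, not from the question or from Doctrine/Symfony.
// Assumes Doctrine ORM 2.x (Symfony2 era); the namespace is hypothetical.
namespace AppBundle\EventListener;

use Doctrine\Common\EventSubscriber;
use Doctrine\ORM\Event\LifecycleEventArgs;
use Doctrine\ORM\Event\PreUpdateEventArgs;
use Doctrine\ORM\Events;

/**
 * Runs strip_tags() over every string/text column of every entity right
 * before it is inserted or updated, so markup never reaches the database.
 * Caveat: strip_tags() is lossy (it also eats legitimate "<" characters,
 * e.g. "a < b") and misses non-tag vectors, so it narrows what gets stored
 * but does not replace escaping when the value is rendered.
 */
class StripTagsSubscriber implements EventSubscriber
{
    /** Doctrine column types whose values are treated as free text. */
    private static $textTypes = array('string', 'text');

    public function getSubscribedEvents()
    {
        return array(Events::prePersist, Events::preUpdate);
    }

    /** New entities: rewrite the fields on the object itself. */
    public function prePersist(LifecycleEventArgs $args)
    {
        $entity = $args->getEntity();
        $meta   = $args->getEntityManager()->getClassMetadata(get_class($entity));

        foreach ($meta->getFieldNames() as $field) {
            if (!in_array($meta->getTypeOfField($field), self::$textTypes, true)) {
                continue;
            }
            $value = $meta->getFieldValue($entity, $field);
            if (is_string($value)) {
                $meta->setFieldValue($entity, $field, strip_tags($value));
            }
        }
    }

    /**
     * Updated entities: Doctrine has already computed the change set, so the
     * cleaned value must go through setNewValue() or it is not persisted.
     */
    public function preUpdate(PreUpdateEventArgs $args)
    {
        $meta = $args->getEntityManager()->getClassMetadata(get_class($args->getEntity()));

        foreach ($args->getEntityChangeSet() as $field => $change) {
            list(, $new) = $change;   // $change is array(oldValue, newValue)
            if (is_string($new)
                && $meta->hasField($field)   // skip associations in the change set
                && in_array($meta->getTypeOfField($field), self::$textTypes, true)
            ) {
                $args->setNewValue($field, strip_tags($new));
            }
        }
    }
}
```

Register it once as a service tagged `doctrine.event_subscriber` and it covers every entity, which is the "minimal effort" the question asks for; the trade-off is that it silently rewrites any field containing a literal "<", so fields that legitimately hold markup or formulas need to be excluded.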

+4
1 answer

If you are not using a template engine (which I highly recommend to prevent XSS attacks), you need to escape all user data using the following:

htmlspecialchars($string, ENT_QUOTES);

, nonce - , script :

<script nonce="myRandomString"></script>

CSP PHP:

header("Content-Security-Policy: script-src 'nonce-myRandomString' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https: http:; object-src 'none'");

script ( Chrome, CSP 3 , ). , 100%, .

, nonce . Symfony. Symfony CSP.

+1
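The answer's two measures together, as an added example that is neither the answer's code nor Symfony's: output escaping with htmlspecialchars() applied to the data an Ext JS store receives, and the Content-Security-Policy header from the answer carrying a nonce generated fresh per request instead of the fixed myRandomString. It assumes Symfony2's HttpFoundation component and PHP 7+ for random_bytes(); the controller, actions and sample rows are hypothetical or constructed.

```php
<?php
// Added example, not from the answer or from Symfony. Assumes Symfony2's
// HttpFoundation component and PHP 7+ (random_bytes()). Names are hypothetical.
namespace AppBundle\Controller;

use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;

/** Escapes a string, or every string inside a nested array, for an HTML context. */
function escapeForHtml($data)
{
    if (is_array($data)) {
        return array_map(function ($item) { return escapeForHtml($item); }, $data);
    }
    if (is_string($data)) {
        // ENT_QUOTES also encodes single quotes, so the value is safe inside
        // attributes delimited with either quote style; UTF-8 is passed
        // explicitly because the default charset changed between PHP versions.
        return htmlspecialchars($data, ENT_QUOTES, 'UTF-8');
    }
    return $data; // ints, floats, bools and null pass through unchanged
}

/** The CSP value from the answer, with the nonce supplied per request. */
function cspHeaderValue($nonce)
{
    return "script-src 'nonce-$nonce' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https: http:; object-src 'none'";
}

/** 128 bits of randomness; base64 is valid both in the header and in the attribute. */
function newNonce()
{
    return base64_encode(random_bytes(16));
}

class DataController
{
    /** JSON endpoint feeding an Ext JS store; every string field is escaped. */
    public function listAction(Request $request)
    {
        // Constructed sample rows standing in for a database result.
        $rows = array(
            array('id' => 1, 'name' => 'Alice <b>bold</b>'),
            array('id' => 2, 'name' => "O'Reilly \"quoted\""),
        );

        return new JsonResponse(array('success' => true, 'data' => escapeForHtml($rows)));
    }

    /**
     * HTML shell that loads the Ext JS app. The inline bootstrap script carries
     * the same nonce that the header names, so it runs while injected inline
     * scripts, which cannot know the nonce, are blocked.
     */
    public function indexAction()
    {
        $nonce = newNonce();
        $html  = '<!DOCTYPE html><html><head><meta charset="utf-8">'
               . '<script nonce="' . $nonce . '">Ext.onReady(function () { /* app bootstrap */ });</script>'
               . '</head><body></body></html>';

        $response = new Response($html);
        $response->headers->set('Content-Security-Policy', cspHeaderValue($nonce));
        return $response;
    }
}
```

Escape for the context where the value is finally rendered: if an Ext JS grid column already applies Ext.util.Format.htmlEncode in its renderer, escaping again on the server shows literal entities, so pick one layer and apply it consistently. The nonce must be regenerated on every response; a fixed string in the header, as in the answer's sample, lets anyone who has seen one page reuse it.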
