Issue
I'm trying to purify a string to prevent an XSS attack, but if the string doesn't have a script tag but does have HTML attributes, the string isn't purified.
Example:
$str = 'http://www.example.com/54f74"onmouseover%3d"alert(1)"style%3d"position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b"54f74';
$purifier = new CHtmlPurifier();
var_dump(
$str,
$purifier->purify($str)
);
result:
string 'http://www.example.com/54f74"onmouseover%3d"alert(1)"style%3d"position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b"54f74' (length=145)
string 'http://www.example.com/54f74"onmouseover%3d"alert(1)"style%3d"position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b"54f74' (length=145)
Solution
Yes, because that string is valid XSS-free HTML. To purify it if you were planning to use it in an attribute, you could use HTML Purifier's internal AttrDef classes to manually purify it. For URLs, you probably want HTMLPurifier_AttrDef_URI:
$def = new HTMLPurifier_AttrDef_URI();
$config = HTMLPurifier_Config::createDefault(); // createDefault(), not default()
$context = new HTMLPurifier_Context();
// Returns the cleaned URL string, or false if the URL is rejected (e.g. disallowed scheme)
$pure_url = $def->validate($your_url, $config, $context);
Answered By - Edward Z. Yang
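As an added example (not part of the answer above, and not HTML Purifier's own code), the same AttrDef validation wrapped in helpers for the case where the URL ends up in an href attribute; it assumes HTML Purifier is installed via Composer, and the URI.AllowedSchemes restriction is an optional extra not mentioned in the answer:

```php
<?php
// Added example, not from the original answer. Assumes HTML Purifier is
// installed via Composer (vendor/autoload.php). Class and method names used
// are HTML Purifier's own: HTMLPurifier_AttrDef_URI,
// HTMLPurifier_Config::createDefault(), HTMLPurifier_Context.
require_once __DIR__ . '/vendor/autoload.php';

/**
 * Validate a user-supplied URL for use as an href value.
 * Returns the cleaned URL, or null if HTML Purifier rejects it
 * (for example a scheme that is not allowed).
 */
function validate_href(string $url): ?string
{
    static $def = null, $config = null;
    if ($def === null) {
        $def = new HTMLPurifier_AttrDef_URI();
        $config = HTMLPurifier_Config::createDefault();
        // Optional hardening (assumption, not from the answer): only http/https.
        $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    }
    $context = new HTMLPurifier_Context();
    $result = $def->validate($url, $config, $context);
    return $result === false ? null : $result;
}

/**
 * Build an anchor tag. The validated URL is still entity-escaped on output,
 * so a stray double quote can never close the href attribute early.
 */
function render_link(string $url, string $label): string
{
    $href = validate_href($url);
    $text = htmlspecialchars($label, ENT_QUOTES, 'UTF-8');
    if ($href === null) {
        return $text; // drop the link, keep the visible text
    }
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">' . $text . '</a>';
}

// Constructed test inputs: the string from the question, and a non-http scheme.
$str = 'http://www.example.com/54f74"onmouseover%3d"alert(1)"style%3d"position%3aabsolute%3b"54f74';
echo render_link($str, 'example'), PHP_EOL;
echo render_link('javascript:alert(1)', 'rejected scheme'), PHP_EOL;
```

The first call yields a link whose href is a percent-encoded and entity-escaped URL rather than an attribute break-out; the second yields plain text because the scheme is rejected.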