Security: Cross-Site Scripting (XSS) Prevention

Cross-site scripting, or XSS, is a class of web vulnerability that lets an attacker inject script (typically JavaScript, smuggled in as HTML) into pages viewed by other users. A successful attack runs the attacker's code in the victim's browser, for example to steal the victim's session cookies and so gain unauthorized access to your website under the victim's identity. It is one of the most frequently exploited vulnerabilities on the Web; read more about it on Wikipedia.

QCubed comes with two layers of protection against XSS. Both are enabled by default, so you don't need to do anything to make use of them.

The first layer is input filtering, in particular for TextBox controls: the text the user posts from the text box is inspected before it reaches your code, and any script or other tags in it are rejected or removed. By default QCubed uses either PHP's built-in string sanitizer or, if it is installed, HTML Purifier. This behaviour can be changed per TextBox instance by setting its CrossScripting property to one of the following values:

  • TextBox::XSS_ALLOW disables all checks and filtering and lets any posted data through. This is the least secure option and should be avoided unless you have a very good reason for it.
  • TextBox::XSS_HTML_ENTITIES simply calls PHP's htmlentities() function on the submitted text. The escaped value is safe to display, but nothing is removed: the original markup is stored, escaped, which may still be undesirable. Because the stored value is already escaped, take care not to escape it a second time on output.
  • TextBox::XSS_PHP_SANITIZE uses PHP's built-in string sanitizer, which removes tags from the input (the text between the removed tags is kept). You can refine this by specifying SanitizeFilterOptions.
  • TextBox::XSS_HTML_PURIFIER is the option that offers fine-grained control over filtering. It uses the well-known HTML Purifier library. From the library's home page:
    "HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also make sure your documents are standards compliant, something only achievable with a comprehensive knowledge of W3C's specifications."

The default used when creating TextBox instances can be changed by setting $strCrossScripting in /project/qcubed/Control/TextBox.php to one of the values above.

The second layer is output escaping: if a piece of undesirable markup somehow made it into the database (for example through a path that did not go through a filtered TextBox), QCubed runs the value through htmlentities() when rendering it, so that characters such as < and > are shown literally and a stored <script> tag is displayed as text rather than executed by the browser.

Note that sometimes you need to allow users to enter some HTML (for example a few harmless tags such as <b> and <i>). In those cases you need to disable the second protection (output escaping) for the control that displays the value, otherwise the allowed tags would be rendered as literal text, and you must list the tags you want to allow. Disabling output escaping is only safe for values that went through an allow-listing filter on input:

$this->txtTextbox2->CrossScripting = TextBox::XSS_HTML_PURIFIER;
$this->txtTextbox2->SetPurifierConfig("HTML.Allowed", "b,i");
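As an added example (not QCubed's own code), the following plain-PHP script runs the test payload from this page through stand-ins for the four input-filtering modes listed above and then through the output-escaping layer, so the difference between escaping, stripping and allow-listing can be seen side by side. It assumes HTML Purifier is installed via Composer (ezyang/htmlpurifier); the function names filterInput, escapeOutput and render are this example's own, the mode strings merely mirror the TextBox constant names, and strip_tags() stands in for the PHP sanitize filter.

```php
<?php
// Added example, not QCubed's code: the four input-filtering strategies from
// the list above, applied to the page's test payload, followed by the
// output-escaping layer. HTML Purifier is assumed to be installed via
// Composer (composer require ezyang/htmlpurifier); the rest is plain PHP.
require __DIR__ . '/vendor/autoload.php';

// Constructed sample input: the payload the page suggests pasting into each box.
const PAYLOAD = 'Hello! <script>alert("I am an evil attacker.")</script><b>Hello</b> <i>again</i>!';

/**
 * Filter a posted value the way each XSS_* mode does. The mode names mirror
 * the TextBox constants on this page; the implementations are stand-ins,
 * not the framework's.
 */
function filterInput(string $posted, string $mode): string
{
    switch ($mode) {
        case 'XSS_ALLOW':
            // No filtering at all: the raw markup is stored as posted.
            return $posted;

        case 'XSS_HTML_ENTITIES':
            // Escape, don't remove: '<' becomes '&lt;' so the browser shows
            // the tags as text. ENT_QUOTES also escapes ' and " so the value
            // is safe inside attribute values, not just element content.
            return htmlentities($posted, ENT_QUOTES, 'UTF-8');

        case 'XSS_PHP_SANITIZE':
            // Stand-in for PHP's string sanitizer (FILTER_SANITIZE_STRING,
            // deprecated since PHP 8.1): strip the tags, keep the text.
            // The script *body* survives as plain text, only the tags go.
            return strip_tags($posted);

        case 'XSS_HTML_PURIFIER':
            // Default HTML Purifier config: allow-list based; <script> is
            // dropped together with its contents, normal markup is kept.
            $config = HTMLPurifier_Config::createDefault();
            return (new HTMLPurifier($config))->purify($posted);

        case 'XSS_HTML_PURIFIER_B_I':
            // The allow-list case from the page: only <b> and <i> survive.
            $config = HTMLPurifier_Config::createDefault();
            $config->set('HTML.Allowed', 'b,i');
            return (new HTMLPurifier($config))->purify($posted);
    }
    throw new InvalidArgumentException("unknown mode: $mode");
}

/**
 * The second layer: escape on output. This is what keeps a stored <script>
 * tag harmless even if the input layer was bypassed, e.g. by data written
 * to the database through some other path.
 */
function escapeOutput(string $stored): string
{
    return htmlentities($stored, ENT_QUOTES, 'UTF-8');
}

/**
 * Render a stored value into an HTML fragment. $skipOutputEscaping may only
 * be true for values that are already safe: escaped on input, or passed
 * through an allow-listing filter on input.
 */
function render(string $stored, bool $skipOutputEscaping = false): string
{
    return '<p>' . ($skipOutputEscaping ? $stored : escapeOutput($stored)) . '</p>';
}

// Walk the five textboxes from this page and show what each stores and renders.
$modes = ['XSS_ALLOW', 'XSS_HTML_ENTITIES', 'XSS_PHP_SANITIZE',
          'XSS_HTML_PURIFIER', 'XSS_HTML_PURIFIER_B_I'];
foreach ($modes as $mode) {
    $stored = filterInput(PAYLOAD, $mode);
    // Escape exactly once. XSS_HTML_ENTITIES already escaped on input, so
    // escaping again here would turn its '&lt;' into '&amp;lt;'. The
    // allow-list case needs raw output or its <b> would show up as text.
    // Every other mode keeps the output layer on, which is what neutralises
    // the <script> that XSS_ALLOW let through.
    $skip = in_array($mode, ['XSS_HTML_ENTITIES', 'XSS_HTML_PURIFIER_B_I'], true);
    echo "$mode\n  stored:   $stored\n  rendered: " . render($stored, $skip) . "\n";
}
```

Running it shows the trade-offs the list above describes: htmlentities() keeps everything but as inert text; strip_tags() removes the tags yet leaves the alert("...") text behind; HTML Purifier drops the script element and its contents while keeping <b> and <i>. The loop also makes the output-layer rule explicit: escape once, either on input or on output, and turn output escaping off only for values that came through an allow-listing filter.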

See the five textboxes below to learn how this XSS protection works. For each box, paste the following into the text box to test it:

Hello! <script>alert("I am an evil attacker.")</script><b>Hello</b> <i>again</i>!

  • Textbox protected with the default, TextBox::XSS_PHP_SANITIZE: tags are stripped.
  • Textbox protected with TextBox::XSS_HTML_ENTITIES: the markup is escaped and shown as text.
  • Textbox protected with TextBox::XSS_HTML_PURIFIER with default settings.
  • Textbox protected with TextBox::XSS_HTML_PURIFIER with an allowed set of tags (here <b> and <i>). Note that you must change the text in this box for it to be processed. This is due to an optimization made in QCubed 3.0: HTML Purifier is applied to text posted back from the browser, not to a value set from the PHP side.
  • Unprotected textbox (uses TextBox::XSS_ALLOW). Not recommended; don't do this unless you have a good reason!