
XSS clean in kohana 3.1

I see documentation of using xss_clean for the old Kohana version at http://docs.kohanaphp.com/general/security

But how do I achieve this in Kohana 3.1 using HTMLPurifier, and what is the alternative to

$this->input->get('my_var','default_value', true);


Rasmus proposed removing XSS blacklisting from Kohana in favour of escaping the output with htmlspecialchars() (HTML::chars()), or using HTMLPurifier in case you really need to let some HTML in.

Since 3.1, Security doesn't have the xss_clean() method by default; you'll have to install shadowhand's HTMLPurifier module for securing input strings (by adding the submodule from GitHub, putting it in modules and enabling it in bootstrap).

The module itself will override the default Security class and add the xss_clean() method, which uses HTMLPurifier for escaping. There is also a config file for the module where you can set everything up at application level. No input escaping is done "automatically", for many reasons: overhead, consistency, etc.

As Request was pretty much rewritten in this version to match RFC 2616 and provide even more powerful HMVC, you'll be accessing your query string vars with Request::query() [$this->request->query() inside your controllers], but there is still no escaping done on that side (each request can have its own headers, POST, GET, etc.).

The easiest way for you to escape the current POST vars would be:

$safe = Arr::map('Security::xss_clean', $this->request->post());

P.S. Don't pay too much attention to the nonsense written here about $this->request->param(); it's only for accessing the matched Route's parameters, not your GET or POST vars.


HTMLPurifier module for the Kohana Framework: https://github.com/shadowhand/purifier

Load the module in bootstrap and test:

$my_test = '<a href="#" onclick="window.location.href = \'http://google.com\'"></a>';
echo Security::xss_clean($my_test);
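As an added example (not code from the page, from Kohana or from the purifier module), the following plain PHP script shows the two strategies the first answer contrasts, escaping on output versus purifying the one field that must carry HTML, applied to the same kind of onclick payload the second answer tests. It runs outside the framework: escape_for_html(), map_recursive() and purify_html() are hypothetical stand-ins for HTML::chars(), Arr::map() and Security::xss_clean(), and the purify step assumes HTMLPurifier is installed (for example through Composer's vendor/autoload.php) and is skipped otherwise.

```php
<?php
// Added example, not code from the page or from Kohana / the purifier module.
//   1. escape on output with htmlspecialchars(), which is all HTML::chars() does;
//   2. purify with HTMLPurifier only for fields that are allowed to carry HTML.
// Assumption: HTMLPurifier is available via Composer; if not, purify step is skipped.

if (is_file(__DIR__ . '/vendor/autoload.php')) {
    require __DIR__ . '/vendor/autoload.php';
}

/** Stand-in for HTML::chars(): encode &, <, >, " and ' for an HTML text context. */
function escape_for_html($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8', true);
}

/** Stand-in for Arr::map(): apply $fn to every leaf, walking nested arrays. */
function map_recursive(callable $fn, array $data)
{
    foreach ($data as $key => $value) {
        $data[$key] = is_array($value) ? map_recursive($fn, $value) : $fn($value);
    }
    return $data;
}

/**
 * Stand-in for the purifier module's Security::xss_clean(): keep only a small
 * tag/attribute whitelist. HTMLPurifier never allows event handler attributes
 * such as onclick, so they are removed whatever the whitelist says.
 */
function purify_html($html)
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', 'a[href],b,i,p,br');
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    $purifier = new HTMLPurifier($config);
    return $purifier->purify($html);
}

// Constructed POST data standing in for $this->request->post().
$post = [
    'name' => "O'Brien <script>alert(1)</script>",
    'bio'  => '<a href="#" onclick="window.location.href = \'http://google.com\'">me</a>'
            . '<p>Hello <b>world</b></p>',
    'tags' => ['<b>php</b>', 'kohana'],
];

// Strategy 1 (the default): store raw values and escape every value at the
// point it is written into HTML. In Kohana: Arr::map('HTML::chars', $this->request->post()).
$escaped = map_recursive('escape_for_html', $post);
echo "name as text: ", $escaped['name'], "\n";
echo "tag as text:  ", $escaped['tags'][0], "\n";

// Strategy 2 (only where HTML is wanted): purify the single HTML-bearing field.
// In Kohana with the module: Security::xss_clean($this->request->post('bio')).
if (class_exists('HTMLPurifier')) {
    echo "bio purified: ", purify_html($post['bio']), "\n";
} else {
    echo "bio purified: HTMLPurifier not installed; fall back to escape_for_html()\n";
}
```

The point of keeping the two paths separate is that escaping is cheap and context-specific (htmlspecialchars() is correct for an HTML text node, not for a JavaScript string or a URL), while purification is expensive and only makes sense for the few fields where markup is a feature. Mapping xss_clean() over every POST variable, as the answer shows, is a convenience for the latter case, not a substitute for escaping on output.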
