Output Escaping / XSS protection
Symfony is just great, but don't stop thinking for yourself! After working with this magnificent PHP framework on several projects, I can absolutely say that I'm hooked on this great tool. It takes a lot of coding out of my hands so I can spend time on the business logic, instead of doing the standard stuff over and over again.
But today I was shocked to find out that one of the standard settings was configured differently than I initially thought it would be. I'm talking about output escaping, the main thing you should work on to protect against XSS (cross-site scripting).
Initially I was under the impression that symfony would take care of all output escaping itself, so I had fewer things to worry about, but this proved to be only half the truth.
In the application settings (myapp/config/settings.yml) the output escaping setting is set by default to 'bc' or 'Backwards compatible'.
This means that variables are *not* escaped, but the escaped values will be available through the $sf_data container. Since I never take my variables from the $sf_data container, I've always been using the unescaped variables without knowing it!
Boy, what was I thinking?
Fortunately it is easy to solve this issue. All I have to do is change the default values to the following:
all:
  .settings:
    escaping_strategy: both
    escaping_method:   ESC_ENTITIES
Now the variables are escaped and accessible like I was used to, and they are also available in the $sf_data container.
Better yet, I think it would be wise to change it to the following settings:
all:
  .settings:
    escaping_strategy: on
    escaping_method:   ESC_ENTITIES
In this case, the variables will *only* be available through the $sf_data container, and I can choose whether I want to use the escaped or non-escaped values.
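To make the difference between the three strategies concrete, here is an added stand-alone PHP example (not code from this post or from symfony itself) that models what each escaping_strategy value hands to a template. The esc_entities function mirrors what symfony's ESC_ENTITIES method does (htmlentities with ENT_QUOTES), and MockSfData is an assumed, simplified stand-in for the real $sf_data decorator with its get()/getRaw() accessors.

```php
<?php
// Mirrors symfony's ESC_ENTITIES helper: htmlentities with quotes escaped too.
function esc_entities($value, $charset = 'UTF-8') {
    return htmlentities((string) $value, ENT_QUOTES, $charset);
}

// Simplified stand-in for the $sf_data container (assumption, not the real
// sfOutputEscaper decorator): escaped by default, raw only on explicit request.
class MockSfData {
    private $raw;
    public function __construct(array $raw) { $this->raw = $raw; }
    public function get($key)    { return esc_entities($this->raw[$key]); }
    public function getRaw($key) { return $this->raw[$key]; }
}

// Returns the variables a template would receive for a given escaping_strategy.
function template_vars($strategy, array $vars) {
    $sf_data = new MockSfData($vars);
    switch ($strategy) {
        case 'bc':   // plain variables stay raw; only $sf_data is escaped
            return $vars + ['sf_data' => $sf_data];
        case 'both': // plain variables are escaped, and $sf_data is available too
            return array_map('esc_entities', $vars) + ['sf_data' => $sf_data];
        case 'on':   // only $sf_data reaches the template; raw values need getRaw()
            return ['sf_data' => $sf_data];
        default:
            throw new InvalidArgumentException("unknown escaping_strategy: $strategy");
    }
}

// Constructed sample: a user-supplied value that contains markup.
$untrusted = ['name' => '<script>alert(1)</script>'];

foreach (['bc', 'both', 'on'] as $strategy) {
    $t = template_vars($strategy, $untrusted);
    echo "escaping_strategy: $strategy\n";
    echo "  \$name          : ", isset($t['name']) ? $t['name'] : '(not available)', "\n";
    echo "  \$sf_data->get(): ", $t['sf_data']->get('name'), "\n";
    echo "  getRaw()       : ", $t['sf_data']->getRaw('name'), "\n";
}
```

Running it shows that under 'bc' the plain $name still carries the raw markup, which is exactly the trap described above; under 'both' and 'on' the only way to get the raw value is to ask for it explicitly.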
You can also find this information in the great Symfony book! Apparently it is wise to read it all the way :)