I am writing a web app in PHP that calls a couple of APIs. The content from these APIs cannot be trusted and I want to filter it for XSS before displaying it to the user. Which MVC layer is appropriate to perform the XSS filter?
3 Answers
Presentation layer. View instances to be exact. Before they assign values to templates.
XSS is something that is tied to the format of the response. For example, if your view is creating a JSON response, it will not have the same potential weaknesses as an HTML response, which in turn will be completely different from the checks that you do before sending only an HTTP header as a response.
P.S. Views are not templates.
What are you referring to when you say, "Before they assign values to templates." Perhaps you could give an example of what you mean? – Justin Aug 13 '12 at 04:33
Views are classes/objects which in MVC and MVC-inspired patterns contain the part of logic which governs the response and visualization. The view acquires information from the model layer (in classical MVC and Model2 MVC the view requests information from the model; in MVVM and MVP the controller-like structure requests it from the model layer and then passes it on to the view), and then, based on that information, the view decides which templates to use, or even if templates are necessary at all because all you need is an HTTP header. – tereško Aug 13 '12 at 04:42
@Justin, it is a common misconception that views are just dumb templates. It was popularized by frameworks which focused on fast prototyping (as in "generation of throw-away code"). – tereško Aug 13 '12 at 04:45
I know what a view is in MVC. In a web app, it is where you write HTML. What I don't understand is what you mean by templates? I am using CodeIgniter as my MVC framework; can you point to an example of when a view would 'decide' on a template? Deciding what 'template' to use to display something seems like a function of the controller. – Justin Aug 13 '12 at 04:49
The controller in MVC is responsible for changing the state of the model layer and the view. And the view decides which *multiple* templates to use for creating the response. And if you do not understand what I mean by "template", [this article](http://codeangel.org/articles/simple-php-template-engine.html) might help. – tereško Aug 13 '12 at 04:55
Ok, I think I see what you are saying. In the example in that article, the output would be filtered in content.php. – Justin Aug 13 '12 at 17:09
I agree that the answer is that XSS should be filtered in the View of MVC. The info on templates is irrelevant to the question. A template is still a view, and if you have untrusted data being sent to it (such as a page title) you'd filter that data in the view (regardless of whether it is a template). – Justin Aug 14 '12 at 21:42
I'd say the answer is a bit complex and also depends a bit on preference. The first step in filtering would be input validation. We can choose to do input validation either in the controller before we assign the values to our model, or we can put the validation rules in the model itself by annotating the model's fields, and have the model validate itself.
Now, input validation is about making sure data is valid according to our domain. For a username field, we probably don't want a script tag inside of it. However, there are places where a script tag is perfectly valid data without even being an attack. One such example is this very site, Stack Overflow. For a comment or question field we need to allow script tags, because they are valid as user data. However, we need to make sure that the script isn't interpreted as code, but stays data. This takes us to the second part of the answer: encoding.
When we encode, we need to encode depending on context. If we do output inside a javascript variable like this:
<script> var a = 'INPUT_HERE'</script>
we need to use a different encoding than if we are outputting between HTML tags:
<h1>INPUT_HERE</h1>
Or inside HTML attributes, or within CSS...
I highly recommend the OWASP Abridged XSS Prevention Cheat Sheet: https://www.owasp.org/index.php/Abridged_XSS_Prevention_Cheat_Sheet
What this means is that we need to vary the encoding depending on where we output the data, and we could output the same data in different locations within the same view, or even within the same template.
So encoding needs to happen where we are putting the data into HTML, because that's where we know which encoding is the correct one to use.
I agree. The particular issue I am facing is pulling info from the Twitter API. I am not involved with the input phase, but I imagine they are diligently filtering. Still, in their docs, they tell developers to filter all output from the twitter API... So I did, in the View layer of my MVC. – Justin Aug 14 '12 at 21:59
I found some similar questions on Stack Overflow, and an answer by Quentin seems like the best way to answer this question. I'd summarize his answer as this:
Data should be sanitized just before it is used.
Since I am getting untrusted data from an API and displaying it in a View, I filter it for XSS there.
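One way to implement what the second and third answers describe (encode in the view, at the point of output, choosing the encoding by context), as an added example that is not code from any of the answers above. The function names e_html, e_attr, e_js, safe_url and render_tweet are this example's own, and the $tweet array is a constructed sample standing in for the Twitter API content the question mentions, not real API output.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original answers. The view encodes the
// untrusted data at the moment it is placed into the response, and the
// encoding is chosen by the output context: HTML body, quoted HTML
// attribute, or JavaScript string literal.

/** Encode for text placed between HTML tags. */
function e_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Encode for a value inside a *quoted* HTML attribute. The escaping is the
 * same as e_html(); the separate name makes the context explicit in the
 * template. Unquoted attributes are not covered and should not be used.
 */
function e_attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Encode for a JavaScript string literal inside a <script> block. json_encode
 * adds the surrounding quotes; the HEX flags turn < > & ' " into \uXXXX so a
 * value containing "</script>" cannot close the block, and "/" is escaped as
 * "\/" because JSON_UNESCAPED_SLASHES is deliberately not set.
 */
function e_js(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        | JSON_INVALID_UTF8_SUBSTITUTE | JSON_THROW_ON_ERROR
    );
}

/**
 * A URL in href is yet another context: attribute encoding alone does not
 * stop "javascript:" URLs, so only http(s) URLs pass through and anything
 * else (including scheme-less and protocol-relative URLs) becomes "#".
 * This policy is an assumption of the example, not something the answers state.
 */
function safe_url(string $url): string
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!is_string($scheme) || !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return '#';
    }
    return $url;
}

/** The view: the same untrusted string is output in three different contexts. */
function render_tweet(array $tweet): string
{
    ob_start();
    ?>
<h1><?= e_html($tweet['text']) ?></h1>
<a href="<?= e_attr(safe_url($tweet['url'])) ?>" title="<?= e_attr($tweet['text']) ?>">source</a>
<script>var tweet = <?= e_js($tweet['text']) ?>;</script>
<?php
    return ob_get_clean();
}

// Constructed sample input: hostile in all three contexts at once.
$tweet = [
    'text' => '</script><script>alert(1)</script> "hi" & \'bye\'',
    'url'  => 'javascript:alert(document.cookie)',
];

echo render_tweet($tweet);
```

Run it with `php example.php` and inspect the markup: the closing `</script>` in the text is neutralised differently in each context (entity-encoded in the heading and title, `\u003C\/script\u003E` inside the JavaScript literal), and the `javascript:` href is replaced. Each helper is only correct for the context named in its comment; data placed into CSS, into a URL query string, or into an event-handler attribute needs the further encodings listed in the OWASP cheat sheet the second answer links to.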