
I'm using Symfony2 with Sencha Ext JS as a frontend.

I found that my forms are vulnerable to XSS attacks. I'm aware that Symfony2 has mechanisms that secure our data from these attacks; however, these mechanisms mostly rely on templates, which I don't use.

I'm collecting plenty of data from frontend fields that are passed to the backend. I wish to fix this issue with as little effort as possible.

My goal is to secure my application before data gets to the database. There are 2 choices that I have in mind.

  • First is to add the strip_tags function in a lifecycle event listener that listens to the preFlush event.

  • Second is to add strip_tags at the entity level on selected vulnerable fields.

Both choices seem insufficient to me because of the quantity of code.

Is it maybe a good idea to add some code in the Sencha frontend? I'm not sure what to do.

Thanks for any advice!

Szaman86
    If you believe Symfony2 has a security vulnerability, you should tell them straight away privately, and not report it here. However, it is more likely that the vuln appears by virtue of how you are using Symfony2, in which case readers will probably need to see your code. – halfer Feb 15 '15 at 13:21
  • My point was that the mechanism is only available through templates in Symfony2. My question regards the security policy in Symfony regarding XSS attacks without templates. – Szaman86 Feb 15 '15 at 13:43
  • Do you mean also without php? – Adib Aroui Feb 15 '15 at 13:49
  • I may use PHP freely, if that's what you mean. I just need advice on which part of the app I should add protection to. – Szaman86 Feb 15 '15 at 13:57
  • You are mixing things up a bit. Simplifying, Symfony's form can apply a validation that results in a series of error reports. It's up to you to use a template, throw an exception or return an error message. The best advice I can give you (but I'm not a security expert) is to validate any user input. It can be done with built-in PHP filters; for example see http://php.net/manual/it/function.filter-input.php – lcapra Feb 15 '15 at 15:14

1 Answer


If you don't use a templating engine (which I highly recommend in order to prevent XSS attacks), you need to escape all user data by using this:

htmlspecialchars($string, ENT_QUOTES);

You may add another security layer by implementing Content Security Policy and its nonce argument - a randomly generated long string that you need to add to every script tag as follows:

<script nonce="myRandomString"></script>

Then, just set a new CSP header in PHP:

header("Content-Security-Policy: script-src 'nonce-myRandomString' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https: http:; object-src 'none'");

This will prevent running foreign scripts in modern browsers (namely newer versions of Chrome; but CSP 3 will be implemented in others soon, hopefully). So be careful, it's not 100%, just a safety net.

Beware that the nonce string MUST be different on each request. You can achieve this with a Symfony listener. I wrote a detailed tutorial on the Symfony implementation of CSP.

Ivan Kvasnica
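As an added example (not part of Ivan Kvasnica's answer and not Symfony's own code), here are the two measures from the answer in plain PHP: escaping user data at the moment it is written into HTML, and generating a fresh CSP nonce on every request before sending the header. It assumes PHP 7 or later (for random_bytes) and leaves the Symfony listener wiring out; the function names escapeHtml, makeCspNonce and cspHeaderValue are my own, and the sample input is constructed.

```php
<?php
// Added example, not from the answer or from Symfony: escape-on-output plus a
// per-request CSP nonce, written as plain PHP so it runs outside Symfony too.

declare(strict_types=1);

// Escape a user-supplied string for insertion into HTML text or attribute
// values. ENT_QUOTES also converts single quotes, so the result is safe inside
// both "..." and '...' attributes; the explicit charset avoids mis-decoding.
function escapeHtml(string $userData): string
{
    return htmlspecialchars($userData, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// One nonce per request: 128 bits from the CSPRNG, base64-encoded as the CSP
// spec expects. It must never be reused across requests or hard-coded.
function makeCspNonce(): string
{
    return base64_encode(random_bytes(16));
}

// The policy from the answer with the fresh nonce filled in. header() takes a
// single "Name: value" string, so the header name is part of the argument.
function cspHeaderValue(string $nonce): string
{
    return "script-src 'nonce-{$nonce}' 'unsafe-inline' 'unsafe-eval' "
         . "'strict-dynamic' https: http:; object-src 'none'";
}

$nonce = makeCspNonce();
header('Content-Security-Policy: ' . cspHeaderValue($nonce));

// Constructed sample input: a form field value an attacker might submit.
$untrusted = 'Bob <script>alert("xss")</script>';

// Only the script tag carrying this request's nonce is allowed to execute;
// an injected inline script without the nonce is blocked by a CSP-aware browser.
$escapedNonce = escapeHtml($nonce);
echo "<script nonce=\"{$escapedNonce}\">Ext.onReady(function () { /* app bootstrap */ });</script>\n";

// The user data is escaped where it lands in the HTML, so the stored value can
// stay exactly as the user typed it and no strip_tags pass on the way to the
// database is needed for XSS purposes.
echo '<div class="comment">' . escapeHtml($untrusted) . "</div>\n";
```

The policy string keeps the answer's directives unchanged. In a browser that understands nonces, 'unsafe-inline' is ignored once a nonce is present in the same directive, so it only acts as a fallback for older browsers; the nonce is escaped before being placed in the attribute out of habit, since base64 output never contains characters that need escaping.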