
I'm using Symfony2 / Twig / Doctrine.

I'm looking at security on my site and in particular preventing XSS attacks, but I can't see what more I can do.

  1. Persistent

    I use Doctrine and always ensure I make user input safe, refusing HTML, web addresses and email addresses etc. (if applicable, e.g. a comment box). I also use Twig (which I believe escapes output).

  2. Reflective

    My understanding is that anyone could send an email to someone with a link to any website that also injects JavaScript. That JS can of course do anything. That JS could have a login form be submitted to any web address and there is nothing you can do (other than hope stupid people don't click links from random people to my site's login page).

So unless you can prevent JS being injected, then what more can I do?

I don't believe you can prevent a site from running a JS script on another server (my valid JS comes from a CDN anyway which is on another server) and I don't think you can prevent an HTML form being submitted to another server.

I do believe that cross domain protection does prevent the injected JS calling an Ajax request though - but I haven't done anything about this, I just think that is how modern browsers work.

Is anything else in my hands? As long as I have done everything else possible that's enough for me.

I suppose I'm wondering why there isn't much I can do about this when some people make a living out of advising on XSS protection. Maybe it's because I use Symfony2 / Twig / Doctrine?

Just looking for help to clarify my understanding.

Gottlieb Notschnabel
user2143356
  • XSS flaws are generally out of oversight. You can do it all right, but one teeny weeny little flaw in that one Ajax action that you didn't think about can go bam! That's why people are paid to read the code and analyze any defects. You can't always spot what's wrong with your own code – SoWhat Jul 20 '13 at 02:38
  • Don't *refuse* HTML, just make sure you encode everything before you output it. – Oliver Charlesworth Jul 20 '13 at 02:39
  • Thanks. So there's nothing more I can do? I'm okay to just trust Symfony2 / Twig / Doctrine, is that right? – user2143356 Jul 20 '13 at 02:40
  • Have you checked the [HTML Purifier](http://htmlpurifier.org/) out? There are several mentions on the Stack Overflow about it, that's why I'm personally considering using it as well. You can basically allow/disallow using of the desired html tags. – Andrej Mohar Oct 01 '13 at 14:46

1 Answer


Content Security Policy solves the problem of injected JavaScript by banning any inline JavaScript and validating content sources.

Info: https://developer.mozilla.org/en-US/docs/Security/CSP/Using_Content_Security_Policy

Browser support: http://caniuse.com/contentsecuritypolicy

Dovydas Bartkevičius