VOOZH about

URL: http://symphonyextensions.com/extensions/xssfilter/

⇱ Cross-Site Scripting (XSS) Filter — Protect yourself against XSS and XSRF attacks in form submissions. — Symphony CMS Extensions

Symphony Extensions

Symphony CMS

Follow @symextensions for updates to the 412 extensions that we track. What is this?

What is symphonyextensions.com?

Symphony Extensions tracks Symphony CMS extensions that are hosted on Github.

How do I submit an extension?

Host your extension on Github and make sure the repository has a good README and an extension.meta.xml file. Then sign in to this site using your GitHub profile where you will see a list of your public repositories. Pick one, and add it to the site. When you make changes, just update the XML file in your repository and we do the rest.

What is an extension.meta.xml file?

It is an XML file that you add to your repository to describe your extension. You can include a name and description, developer contact details, version history, changelog, dependencies and more. Please read the documentation for a full list. You can use the lint tool to check your XML against the schema before submitting your extension to the site.

Who runs this site?

This site is now run by the community @symextensions. The site was created by nickdunn. Contact him at @nickdunn

Found a bug?

Please report it here.

1.5.0releasedCross-Site Scripting (XSS) Filter

Protect yourself against XSS and XSRF attacks in form submissions.

Clone URLhttps://github.com/symphonycms/xssfilter.git

Add as a submodulegit submodule add https://github.com/symphonycms/xssfilter.git extensions/xssfilter --recursive

Download
.tar.gz, .zip
Links
Github, Homepage, Issues, Wiki
Translations
de, ru

👁 symphonycms
Symphony CMSsymphonycms15 extensions

Compatibility

2.x.x2.1.x2.2.x2.3.x2.4.x2.5.x2.6.x2.7.02.7.12.7.22.7.32.7.42.7.52.7.62.7.72.7.82.7.92.7.10
No1.21.21.21.5.01.5.01.5.01.5.01.5.01.5.01.5.01.5.01.5.01.5.01.5.01.5.01.5.01.5.0
Symphony VersionExtension version
2.7.101.5.0
2.7.91.5.0
2.7.81.5.0
2.7.71.5.0
2.7.61.5.0
2.7.51.5.0
2.7.41.5.0
2.7.31.5.0
2.7.21.5.0
2.7.11.5.0
2.7.01.5.0
2.6.x1.5.0
2.5.x1.5.0
2.4.x1.5.0
2.3.x1.2
2.2.x1.2
2.1.x1.2
2.x.xNo

Readme

Cross-Site Scripting (XSS) Filter

Description

Protect yourself against XSS and XSRF attacks in form submissions.

Installation

  1. Place the xssfilter folder in your Symphony extensions directory.
  2. Go to System > Extensions, select "Cross-Site Scripting (XSS) Filter", choose "Enable" from the with-selected menu, then click Apply.

Usage

XSS

  1. Go to Blueprints > Components and click the name of the event whose input you want to filter.
  2. In the "Filters" section, select "Filter XSS: Fail if malicious input is detected"
  3. Save your event
  4. Pirouette

Additionally, the XSS Filter can be used directly in your extensions via Extension_XSSFilter::detectXSS($string) which takes a string and returns boolean if XSS is detected.

Frontend Utilities

As of XSS Filter 1.4, this extension provides five context aware functions that can be used on the frontend to filter malicious data. These functions are designed to be used in five areas, attributes (attributeContextCleaner), style (styleContextCleaner), script (scriptContextCleaner), url (urlContextCleaner) and html (htmlContextCleaner). Thanks to Ashar Javed (@soaj1664ashar) for reaching out and sharing his work.

Example usage:

<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0"
 xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl" extension-element-prefixes="php">

 <xsl:template match="/">
 <p>Hello there, <a href="{php:functionString('urlContextCleaner', '$root')}">click on my XSS safe link</a></p>
 </xsl:template>

</xsl:stylesheet>

Notes

The XSS Filter, as mentioned above is very strict. It defaults to a high level of protection, and users who want to be more permissive with their input should be savvy enough to filter that input accordingly before rendering the content on the front end.

The filter disallows the following HTML elements: meta, link, style, script, embed, object, iframe, frame, frameset, title, and a few other more obscure ones.

XSRF

  1. Go to Blueprints > Components and click the name of the event whose input you want to filter.
  2. In the "Filters" section, select "Validate XSRF: Ensure request was passed with a XSRF token"
  3. Save your event
  4. In your POST request, ensure $_POST['xsrf'] is set with a valid token (available via params {$cookie-xsrf-token})

Additionally, the XSRF Filter can be used directly in your extensions via XSRF::validateToken($token) which takes a string and returns boolean if it is not valid.

Version history

1.5.005 April 2017

Symphony 2.4 to 2.x.x

  • Replaced deprecated preg_replace /e in extension.driver.php
  • Added German translation

1.4.206 March 2016

Symphony 2.4 to 2.x.x

  • Updated compatibility info

1.4.108 February 2015

Requires Symphony 2.4

  • Small patch to the attribute context cleaner

1.428 April 2014

Requires Symphony 2.4

  • Update extension to include context aware XSS functions for the Frontend. Big thanks to Ashar Javed

1.328 April 2014

Requires Symphony 2.4

  • Update extension to include a Validate XSRF filter

1.201 July 2013

Symphony 2.0.3 to 2.3.6

  • Add Russian translation
  • Additional detection logic adding for feed and data protocols
  • Update all links to getsymphony.com

1.1.121 May 2012

Requires Symphony 2.0.3

  • More robust checking to handle upload fields and integers

1.129 May 2011

Requires Symphony 2.0.3

  • Static detectXSS function so that logic can be used by other extensions outside of the Event Options context
  • Events with the XSS Filter can now handle nested field data to an infinite level
  • Slight performance tweak if XSS is detected
  • Additional detection logic adding for livescript and mocha protocols

1.008 October 2010