As part of the core TII development team, my responsibility is to work towards better Web 2.0 applications. This helps my team and me to provide future-ready IT solutions to our clients. A lot of my work revolves around YII, the high performance PHP framework that provides the right kind of flexibility for us to develop websites and applications of any scale or complexity.
YII not only follows OOP principles, but also makes use of advanced PHP features such as SPL classes and interfaces and late static binding. One key element that helps me tremendously is YII's ability to thwart Cross Site Scripting (XSS) attacks. This is made possible with the 'HtmlPurifier' helper class and the associated component, 'CHtmlPurifier'.
Today I will share some thoughts on this XSS attack and how I have used YII’s powerful features to prevent this malicious attack for my development projects.
A website that does not filter user input or escape its output is prone to having third-party scripts attached to that input. This can be any script that executes on the client side (mostly JavaScript). The malicious script then gathers data illegitimately from a user when he/she views the web page in a browser.
There are two types of XSS injections: non-persistent and persistent.
Non-persistent – This is the common XSS found in most insecure web applications; it works only once and only for one user, because the data passed by the user is not stored anywhere. Compared to persistent XSS, the degree of threat is lower.
Persistent – This is the more serious XSS threat, where the data passed by the user is stored in a database and is served to other users of the website (usually the targets of the attacker).
I will take up an example of non-persistent XSS injection and how YII actually helps in this case.
So when the PHP code is
public function checkname()
{
    // user input is echoed without escaping: vulnerable to reflected XSS
    echo 'This is test for '.$_GET['userid'].'!';
}
...the URL shows /xss/test?userid=ABC. However, with malicious code attached, the URL will look like
/xss/test?userid=<script>alert('HACKED');</script>
...and the result will be an alert dialog box with the words 'HACKED'.
At a very high level, the CHtmlPurifier that encapsulates the HtmlPurifier class, removes all malicious code with a rigorous audit against a secure whitelist and ensures that the code is W3C standards compliant.
public function checkname()
{
    // CHtml::encode() HTML-encodes the value so the browser shows it literally
    echo 'This is test for '.CHtml::encode($_GET['userid']).'!';
}
...the result will now show "This is test for <script>alert('XSS');</script>!" as plain text on the page.
This way you can escape dynamic data and prevent XSS code injection.
Let's now go one step further and look at how to pass HTML code and have it rendered rather than displayed literally. CHtml::encode will render the HTML code as literal text. What we need instead is YII's built-in HtmlPurifier support: the framework provides the CHtmlPurifier widget, which filters any HTML output between its beginWidget/endWidget calls.
public function checkname()
{
    // everything echoed between beginWidget and endWidget is run through HtmlPurifier
    $this->beginWidget('CHtmlPurifier');
    echo $_GET['html'];
    $this->endWidget();
}
Now you can call the html action using the URL:
/xss/html?html=This is, <em>username</em>!<script>alert('XSS')</script>
and the output on the page will be:
This is, username!
As you can see, the 'emphasis' tag now renders correctly on the screen, while the script block has been removed.
Setting up and configuring HtmlPurifier is important to get the right behaviour across the code. For example, to restrict the URI schemes allowed in links:
$p = new CHtmlPurifier();
// only http and https links survive purification; other schemes are dropped
$p->options = array('URI.AllowedSchemes' => array(
    'http' => true,
    'https' => true,
));
$text = $p->purify($text);
Usage as a validation rule in a model's rules() method:
array('text', 'filter', 'filter' => array($obj = new CHtmlPurifier(), 'purify')),
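To see the two approaches side by side, here is an added example that is not part of the original post: a stand-alone PHP script that mirrors CHtml::encode with htmlspecialchars and uses the HTML Purifier library (which CHtmlPurifier wraps) directly, with the URI.AllowedSchemes setting above. It assumes the library is installed via Composer (ezyang/htmlpurifier); the tag allowlist and the sample input are constructed for illustration.

```php
<?php
// Added example, not code from the original post or from Yii.
// Assumes HTML Purifier is installed with: composer require ezyang/htmlpurifier
require_once __DIR__ . '/vendor/autoload.php';

// What CHtml::encode() does under the hood: htmlspecialchars with ENT_QUOTES.
// Every '<', '>', '&' and quote becomes an entity, so the browser shows the
// input literally and no tag or attribute can be created from it.
function encodeOutput(string $userInput): string
{
    return 'This is test for ' . htmlspecialchars($userInput, ENT_QUOTES, 'UTF-8') . '!';
}

// What CHtmlPurifier does: allowlist-filter the markup. Tags on the allowlist
// survive, everything else (script, event handlers, disallowed URI schemes)
// is removed. The allowlist here is an assumption for the example.
function purifyOutput(string $userInput): string
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', 'em,strong,a[href]');
    // same setting as the CHtmlPurifier configuration shown in the post
    $config->set('URI.AllowedSchemes', array('http' => true, 'https' => true));
    $purifier = new HTMLPurifier($config);
    return $purifier->purify($userInput);
}

// Constructed sample inputs, modelled on the post's /xss/html request.
$samples = array(
    'This is, <em>username</em>!<script>alert(\'XSS\')</script>',
    '<a href="javascript:alert(1)">profile</a> <a href="https://example.com">site</a>',
);

foreach ($samples as $sample) {
    echo "encoded : ", encodeOutput($sample), PHP_EOL;
    echo "purified: ", purifyOutput($sample), PHP_EOL, PHP_EOL;
}
```

Run it from the command line to compare: the encoded line shows the tags as text, the purified line keeps <em> and the https link but drops the script block and the javascript: href.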
Another important point to note is that HtmlPurifier is a big package and can consume a lot of system resources. A workaround is to either:
cache the purification result, or
purify the user input once, before it is saved to the database, rather than on every page view.
My experience with YII has been highly satisfactory. It has proven itself as a stable PHP framework that we can employ in web application projects of any scale, size or complexity. Its robust handling of malicious XSS injection attempts helps us deliver stable IT solutions to our clients with far less worry about external hacks or attacks. This is possible thanks to the built-in HtmlPurifier, the standards-compliant HTML filter library written in PHP.