Reputation: 171
I have developed an application in CakePHP and what I found is a stored XSS attack in my application. To handle this attack I added Sanitizing::clean in my application, which converts the special characters into HTML code.
But when any string which is sanitized is used in a link with $this->Html->link, then that string gets encoded again due to the default escape=true in CakePHP. < turns into &lt;, which results in &amp;lt; instead of just &lt;.
A possible solution is to add escape=false in $this->Html->link, but I have created the application so there are too many places where html->link exists, so it won't be efficient to go and change it everywhere.
Please help if there is any other solution?
Upvotes: 1
Views: 3227
Reputation: 8100
Make a custom helper like MyHtmlHelper which extends HtmlHelper and override the link() method.
In your controller include it using the aliasing feature, like public $helpers = array('Html' => array('className' => 'MyHtmlHelper')); so that $this->Html in the view will use your custom helper's instance and you won't have to make any changes in view files.
Upvotes: 2
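One way to implement the overridden helper the answer describes, as an added example that is not code from the answer or from CakePHP itself. It assumes CakePHP 2.x, where HtmlHelper::link() takes ($title, $url, $options, $confirmMessage); rather than switching escaping off (which would reintroduce XSS for any title that was not sanitized), it decodes entities the sanitizing step already produced and lets the parent encode exactly once, so every title ends up escaped once whether or not it was pre-sanitized.

```php
<?php
// app/View/Helper/MyHtmlHelper.php (assumed path, CakePHP 2.x layout)
App::uses('HtmlHelper', 'View/Helper');

class MyHtmlHelper extends HtmlHelper {

    /**
     * Same signature as HtmlHelper::link() in CakePHP 2.x.
     * When escaping is on (the default), normalise the title first:
     * decode any entities that the sanitizing step produced, then let
     * the parent apply h() once. "&lt;script&gt;" and "<script>" both
     * render as &lt;script&gt; instead of &amp;lt;script&amp;gt;.
     */
    public function link($title, $url = null, $options = array(), $confirmMessage = false) {
        $escape = !isset($options['escape']) || $options['escape'] === true;
        if ($escape && is_string($title)) {
            // ENT_QUOTES so &#039; and &quot; produced by the sanitizer are
            // decoded too; the parent re-encodes them in a single pass.
            $title = html_entity_decode($title, ENT_QUOTES, 'UTF-8');
        }
        // Callers that explicitly pass 'escape' => false keep raw behaviour;
        // that is still their responsibility, as in the stock helper.
        return parent::link($title, $url, $options, $confirmMessage);
    }
}

// In any controller (for example AppController, so every view gets it):
//
// class AppController extends Controller {
//     public $helpers = array(
//         'Html' => array('className' => 'MyHtmlHelper'),
//     );
// }
//
// Existing views keep calling $this->Html->link(...) unchanged.
```

Check the result by viewing the page source: a sanitized title such as &lt;b&gt;x&lt;/b&gt; should appear once-encoded in the anchor text, not as &amp;lt;b&amp;gt;.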