symphonycms / xssfilter Goto Github PK

View Code? Open in Web Editor NEW

27.0 12.0 18.0 20 KB

An XSS filter for Events in Symphony CMS

Home Page: http://symphonyextensions.com/extensions/xssfilter/

License: Other

PHP 100.00%

symphony-cms symphony-cms-extension

xssfilter's Introduction

Cross-Site Scripting (XSS) Filter

Description

Protect yourself against XSS and XSRF attacks in form submissions.

Installation

Place the xssfilter folder in your Symphony extensions directory.
Go to System > Extensions, select "Cross-Site Scripting (XSS) Filter", choose "Enable" from the with-selected menu, then click Apply.

Usage

XSS

Go to Blueprints > Components and click the name of the event whose input you want to filter.
In the "Filters" section, select "Filter XSS: Fail if malicious input is detected"
Save your event
Pirouette

Additionally, the XSS Filter can be used directly in your extensions via Extension_XSSFilter::detectXSS($string) which takes a string and returns boolean if XSS is detected.

Frontend Utilities

As of XSS Filter 1.4, this extension provides five context aware functions that can be used on the frontend to filter malicious data. These functions are designed to be used in five areas, attributes (attributeContextCleaner), style (styleContextCleaner), script (scriptContextCleaner), url (urlContextCleaner) and html (htmlContextCleaner). Thanks to Ashar Javed (@soaj1664ashar) for reaching out and sharing his work.

Example usage:

<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0"
	xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl" extension-element-prefixes="php">

	<xsl:template match="/">
		<p>Hello there, <a href="{php:functionString('urlContextCleaner', '$root')}">click on my XSS safe link</a></p>
	</xsl:template>

</xsl:stylesheet>

Notes

The XSS Filter, as mentioned above is very strict. It defaults to a high level of protection, and users who want to be more permissive with their input should be savvy enough to filter that input accordingly before rendering the content on the front end.

The filter disallows the following HTML elements: meta, link, style, script, embed, object, iframe, frame, frameset, title, and a few other more obscure ones.

XSRF

Go to Blueprints > Components and click the name of the event whose input you want to filter.
In the "Filters" section, select "Validate XSRF: Ensure request was passed with a XSRF token"
Save your event
In your POST request, ensure $_POST['xsrf'] is set with a valid token (available via params {$cookie-xsrf-token})

Additionally, the XSRF Filter can be used directly in your extensions via XSRF::validateToken($token) which takes a string and returns boolean if it is not valid.

xssfilter's People

Contributors

Stargazers

Watchers

Forkers

nickdunn allen alexbirukov alexblex tecumsehmaverick caliskanfurkan soaj1664 wjn lighter avanteweb icesword-syy animaux alexnantel88 rezaduty emmacharp

xssfilter's Issues

XSRF token always retuning invalid on front-end

Maybe I'm not using it correctly - but a form I'm working on has started failing on every submit:

<filter name="xsrf" status="failed">Request was rejected for having an invalid cross-site request forgery token.</filter>

Does it have something to do with me being logged into the backend?

Passed parameter is not a string

After enabling the xssfilter on some of my events i get the following error after a 'suposed' successfull save;
'Passed parameter is not a string' (extensiondriver.php line 113) (screenshot)
When entering mallicious code in the textfield it correctly returns the 'filter/@status = 'failed' message in the result xml.
(issue on symphony forum)

Sym 3.0.0 - Fatal Error: Call to undefined method FrontendPage::registerPHPFunction()

An error occurred in /path-redacted/extensions/xssfilter/extension.driver.php around line 97.

96         public static function FrontendParamsResolve(array &$context) {
97             Frontend::Page()->registerPHPFunction(array(

Backtrace
PHP 7.4.12

[/path-redacted/symphony/lib/toolkit/class.extensionmanager.php:754]
    Extension_XSSFilter::FrontendParamsResolve();
[/path-redacted/symphony/lib/toolkit/class.frontendpage.php:442]
    ExtensionManager::notifyMembers();
[/path-redacted/symphony/lib/toolkit/class.frontendpage.php:197]
    FrontendPage->__buildPage();
[/path-redacted/symphony/lib/core/class.frontend.php:105]
    FrontendPage->generate();
[/path-redacted/symphony/lib/boot/func.utilities.php:235]
    Frontend->display();
[/path-redacted/symphony/lib/boot/func.utilities.php:224]
    symphony_launcher();
[/path-redacted/index.php:16]
    symphony();

Database Query Log
MYSQL 10.3.27-MariaDB

[0.0002] SELECT SQL_CACHE VERSION();
[0.0001] SET time_zone = :value;
[0.0006] SHOW COLUMNS FROM `sym_extensions_delegates`
    LIKE :like;
[0.0005] SELECT SQL_CACHE `t1`.`name`, `t2`.`page`, `t2`.`delegate`, `t2`.`callback`, `t2`.`order`
    FROM `sym_extensions` AS `t1` INNER JOIN `sym_extensions_delegates` AS `t2` ON `t1`.`id` = `t2`.`extension_id`
    WHERE `t1`.`status` = :t1_status
    ORDER BY `t2`.`delegate` ASC, `t2`.`order` ASC, `t1`.`name` ASC;
[0.0003] SELECT SQL_CACHE `session_data`
    FROM `sym_sessions`
    WHERE `session` = :session
    LIMIT 1;
[0.0003] SELECT SQL_CACHE `a`.*
    FROM `sym_authors` AS `a`
    WHERE `a`.`username` = :a_username
    ORDER BY `a`.`id` ASC
    LIMIT 1;
[0.0016] UPDATE `sym_authors`
    SET `last_seen` = :last_seen
    WHERE `id` = :id;
[0.0004] SELECT SQL_CACHE `p`.*
    FROM `sym_pages` AS `p` INNER JOIN `sym_pages_types` AS `pt` ON `p`.`id` = `pt`.`page_id`
    WHERE `pt`.`type` = :pt_type
    ORDER BY `p`.`sortorder` ASC
    LIMIT 1;
[0.0003] SELECT SQL_CACHE `pt`.`type`
    FROM `sym_pages_types` AS `pt`
    WHERE `pt`.`page_id` = :pt_page_id
    GROUP BY `pt`.`type`
    ORDER BY `pt`.`type` ASC;

Commit 4cae482 from PR #9 appears to fix it.

Passed parameter is not a string (=NULL)

Using Symphony 2.2.5 and the latest extension code, the "Passed parameter is not a string" error also occurs on empty input fields. Obviously Symphony passes a NULL value in this case. I managed to fix this by setting NULL values to empty strings. I added this to the fix for issue #1, like so (line 112):

if(!is_string($string)) {
    if(is_null($string)) {
        $string = '';
    }
    elseif(is_numeric($string)) {
        $string = (string)$string;
    }
    else {
        throw new Exception(__('Passed parameter is not a string.'));
    }
}

I am not sure if anybody knows a more elegant solution.

(I wonder why nobody has ever noticed this. Is this extension really used "in the wild"?)

XSRF example code doesn't show on page load

Minor quirk.

The XSRF example code on an event only seems to appear when the user selects it for the first time (or when they unselect and reselect it when viewing the event), on page load it disappears.

Seems there isn't a check at runtime to show it, and it only shows when selected from the multiselect (my guess).