How can I prevent XSS when I show data from a textarea with a WYSIWYG editor in Symfony2?
I have a textarea with the tinyMCE editor. I can insert code for bold, italic, etc., and afterwards I can show the data in the browser with the twig filter raw:
{{miArticulo.contenido|raw}}
But when I write a script in the textarea, for example an alert, it is rendered in the browser too.
How can I show only secure tags from the HTML? I tried surrounding it with the twig autoescape filter, but I failed:
{% autoescape 'html' %}{{miArticulo.contenido|raw}}{% endautoescape %}
Can I show secure content with twig, or should I try other libraries such as HTMLPurifier?
asked Mar 9, 2015 at 22:27 by Giancarlo Ventura Granados
What about {{miArticulo.contenido|escape('html')|raw}}? Isn't that available in Symfony2? twig.sensiolabs.org/doc/filters/escape.html – puelo Commented Mar 9, 2015 at 22:31
I tried it and all HTML is escaped; I would escape only insecure tags, such as <script> – Giancarlo Ventura Granados Commented Mar 9, 2015 at 22:40
Did you also try escape('js')? – puelo Commented Mar 9, 2015 at 22:41
Yes, I tried it and I get strange output such as: \x3Cp\x3E\x3Cstrong\x3 – Giancarlo Ventura Granados Commented Mar 9, 2015 at 22:43
I am unable to find more information on the js escape strategy implemented in twig. Could be a bug. I think your best bet is implementing your own custom escape strategy. twig.sensiolabs.org/doc/filters/escape.html#custom-escapers – puelo Commented Mar 9, 2015 at 22:52
2 Answers
Besides using a templating engine like Twig, I highly suggest implementing Content Security Policy nonce headers.
header("Content-Security-Policy: script-src 'nonce-randomNonceString' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https: http:; object-src 'none'");
They forbid running scripts other than those explicitly whitelisted. A downside is that you need to add a randomly generated nonce argument to each <script> tag in your code.
I wrote a detailed tutorial on how to implement CSP 3 with nonces in Symfony, so that the nonce argument is generated automatically for each request. Feel free to use the solution.
In cases like this I am using this bundle:
https://github.com/Exercise/HTMLPurifierBundle
Probably the best performance you will get is by using it on the form when the user submits HTML (via a form data transformer, as described in the docs).
No other option, as far as I know, will prevent it for all the clever ways to put JS in HTML.
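As an added example, not code from either answer or from the bundle, here is the "purify on submission" approach from the second answer written as a plain Symfony form model transformer on top of ezyang/htmlpurifier (the library the bundle wraps). The class name, the field name "contenido", and the allow-list of tags are this example's own assumptions.

```php
<?php
// Added example: a Symfony form model transformer that runs submitted editor HTML
// through HTMLPurifier, so only an allow-list of tags and attributes is ever stored.
// Assumes ezyang/htmlpurifier is installed; class name, field name and allow-list
// are assumptions of this example, not taken from the question or the answers.

use Symfony\Component\Form\DataTransformerInterface;

class PurifyHtmlTransformer implements DataTransformerInterface
{
    private $purifier;

    public function __construct()
    {
        $config = \HTMLPurifier_Config::createDefault();
        // Allow-list: anything not listed here (script, iframe, on* handlers, style)
        // is removed, not escaped, so the remaining markup still renders with |raw.
        $config->set('HTML.Allowed', 'p,br,strong,b,em,i,ul,ol,li,a[href],h2,h3');
        // Only http/https links survive; a javascript: href is dropped from <a>.
        $config->set('URI.AllowedSchemes', array('http' => true, 'https' => true));
        $this->purifier = new \HTMLPurifier($config);
    }

    // Model -> view: stored HTML is already clean, show it in the editor unchanged.
    public function transform($value)
    {
        return $value === null ? '' : $value;
    }

    // View -> model: purify what the browser submitted before it reaches the entity,
    // so the template can keep using {{ miArticulo.contenido|raw }}.
    public function reverseTransform($value)
    {
        if ($value === null || $value === '') {
            return '';
        }
        return $this->purifier->purify($value);
    }
}

// In the form type, attach the transformer to the editor field:
//   $builder->add('contenido', 'textarea');
//   $builder->get('contenido')->addModelTransformer(new PurifyHtmlTransformer());

// Constructed sample submission: bold text plus a script element and a javascript: link.
$dirty = '<p><strong>Hola</strong></p><script>alert(1)</script><a href="javascript:alert(2)">x</a>';
$transformer = new PurifyHtmlTransformer();
$clean = $transformer->reverseTransform($dirty);
// The <p><strong> markup is kept; the <script> element and the javascript: href do not survive.
```

Purifying at submission time means the stored value is safe for every consumer (templates, API responses, feeds), not only for the one Twig template that remembers to filter it.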