O Guia Definitivo do Yii 1.1
Cross-site scripting (also known as XSS) occurs when a web application gathers malicious data from a user. Often attackers will inject JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable application to fool other application users and gather data from them. For example, a poorly designed forum system may display user input in forum posts without any checking. An attacker can then inject a piece of malicious JavaScript code into a post so that when other users read this post, the JavaScript runs unexpectedly in their browsers.

One of the most important measures to prevent XSS attacks is to check user input before displaying it. One can HTML-encode the user input to achieve this goal. However, in some situations HTML-encoding may not be preferable because it disables all HTML tags.

Yii incorporates the work of HTMLPurifier and provides developers with a useful component called CHtmlPurifier that encapsulates HTMLPurifier. This component is capable of removing all malicious code with a thoroughly audited, secure yet permissive whitelist, and of making sure the filtered content is standards-compliant.

The CHtmlPurifier component can be used as either a widget or a filter. When used as a widget, CHtmlPurifier will purify the contents displayed in its body in a view. For example,
```php
<?php $this->beginWidget('CHtmlPurifier'); ?>
...display user-entered content here...
<?php $this->endWidget(); ?>
```
Cross-site Request Forgery Prevention

Cross-Site Request Forgery (CSRF) attacks occur when a malicious web site causes a user's web browser to perform an unwanted action on a trusted site. For example, a malicious web site has a page that contains an image tag whose src points to a banking site: http://bank.example/withdraw?transfer=10000&to=someone. If a user who has a login cookie for the banking site happens to visit this malicious page, the action of transferring 10000 dollars to someone will be executed. Unlike cross-site scripting, which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has for a particular user.

To prevent CSRF attacks, it is important to abide by the rule that GET requests should only be allowed to retrieve data, never to modify any data on the server. POST requests, in turn, should include a random value that the server can recognize, to ensure that the form was served by, and its result is sent back to, the same origin.

Yii implements a CSRF prevention scheme to help defeat POST-based attacks. It is based on storing a random value in a cookie and comparing this value with the value submitted via the POST request.

By default, CSRF prevention is disabled. To enable it, configure the CHttpRequest application component in the application configuration as follows,
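As an added example that is not part of the guide, the following Yii 1.1 controller applies both measures described on this page: the GET/POST rule and the cookie-vs-POST token comparison for CSRF, and CHtmlPurifier with an explicit whitelist for XSS. It assumes `enableCsrfValidation` has been switched on in `protected/config/main.php` and that a `Post` active-record model with a `body` column exists (both assumptions, not from the page).

```php
<?php
// Added example (not from the Yii guide). Assumes protected/config/main.php
// contains: 'components' => array('request' => array('enableCsrfValidation' => true)),
// and that a Post active-record model with a 'body' column exists (assumed).
class PostController extends CController
{
    public function filters()
    {
        return array(
            // "GET requests should only retrieve data": Yii's built-in
            // postOnly filter answers anything but POST to create with HTTP 400.
            'postOnly + create',
        );
    }

    public function actionCreate()
    {
        // With enableCsrfValidation on, CHttpRequest has already compared the
        // YII_CSRF_TOKEN cookie with the YII_CSRF_TOKEN POST field and thrown a
        // CHttpException(400) on mismatch before this action runs. The create
        // view must build its form with CHtml::beginForm(), which emits the
        // hidden token field that carries the cookie value back to the server.
        $post = new Post;
        $post->body = $this->purifyBody(Yii::app()->request->getPost('body', ''));
        if ($post->save()) {
            $this->redirect(array('view', 'id' => $post->id));
        }
        $this->render('create', array('post' => $post));
    }

    // Run untrusted HTML through CHtmlPurifier with an explicit whitelist
    // instead of the permissive default, so only harmless formatting survives
    // and script, event handlers and javascript: URLs are stripped.
    private function purifyBody($html)
    {
        $purifier = new CHtmlPurifier;
        $purifier->options = array(
            'HTML.Allowed' => 'p,br,b,i,em,strong,a[href],ul,ol,li',
            'URI.AllowedSchemes' => array('http' => true, 'https' => true),
            'AutoFormat.RemoveEmpty' => true,
        );
        return $purifier->purify($html);
    }
}
```

Without `enableCsrfValidation` the POST check never runs, so the config flag and the `CHtml::beginForm()` hidden field are the two halves that make the scheme work.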