Welcome to the Treehouse Community

Want to collaborate on code errors? Have bugs you need feedback on? Looking for an extra set of eyes on your latest project? Get support with fellow developers, designers, and programmers of all backgrounds and skill levels here with the Treehouse Community! While you're at it, check out some resources Treehouse students have shared here.

Looking to learn something new?

Treehouse offers a seven day free trial for new students. Get access to thousands of hours of content and join thousands of Treehouse students and alumni in the community today.

Start your free trial

PHP

Mayur Pande
PLUS
Mayur Pande
Courses Plus Student 11,711 Points

Filter input escape output xss

After watching Alena Holligan php media library course. I have started to implement cross site scripting prevention (xss) within my code.

However as I am using symfony for this particular project (next project going back to plain old php, tried to swim in the deep end too early).

I have read up that nothing needs to be done for xss in symfony as it is already protected from it, is this case? As I want to make sure that I am protected from attacks.

Also as symfony sets up the code in the MVC style, I have my validations set up in various places is this ok?

I am also using a twig file, so for escaping output would I use this syntax over htmlspecialchars()

Here is what my controller looks like

$app->post('/addTimetable', function(Request $request) use($app) {

    $tutoremail = $app['request']->get('tutoremail');
    $starttime = $app['request']->get('starttime');
    $endtime = $app['request']->get('endtime');
    $location = $app['request']->get('location');
    $class = $app['request']->get('class');
    $level = $app['request']->get('level');
    $topic = $app['request']->get('topic');
    $capacity = $app['request']->get('capacity');
    $postcode = $app['request']->get('postcode');
    $post = array($tutoremail,$starttime,$endtime,$location,$class,$level,$topic,$capacity,$postcode);

    $tutoremail = trim(filter_var($tutoremail,FILTER_SANITIZE_EMAIL));
    //not sure how to filter datetime
    $location = trim(filter_var($location,FILTER_SANITIZE_STRING));
    $class = trim(filter_var($class,FILTER_SANITIZE_STRING));
    $level = trim(filter_var($level,FILTER_SANITIZE_STRING));
    $topic = trim(filter_var($topic,FILTER_SANITIZE_STRING));
    $capacity = trim(filter_var($capacity,FILTER_SANITIZE_NUMBER_INT));

    if(!(isset($tutoremail)) || !(isset($starttime)) || !(isset($endtime)) || !(isset($location)) || !(isset($class)) || !(isset($level)) || !(isset($topic)) || !(isset($capacity))){
        $app['session']->getFlashBag()->add('error','Please fill in all fields');
        return $app->redirect('/admin');
    }else if($app['auth']->spamBotCheck($post)){
        $app['session']->getFlashBag()->add('error', 'There was a problem with the information you entered');
        return $app->redirect('/admin');
    }else if($app['auth']->honeyPotCheck($postcode)){
        $app['session']->getFlashBag()->add('error','Your form submission has an error');
        return $app->redirect('/admin');
    }else if(is_numeric($capacity) && $app['admin']->add_timetable($tutoremail,$starttime,$endtime,$location,$class,$level,$topic,$capacity)){
        $app['session']->getFlashBag()->add('success','Success! New lesson added to timetable');
        return $app->redirect('/admin');
    } else {
        $app['session']->getFlashBag()->add('error','Error! New lesson not added to timetable');
        return $app->redirect('/admin');
    }
});

Here is the model code for the methods spamBotCheck and honeyPotCheck

public function spamBotCheck($post){
        foreach($post as $value){
            if(stripos($value,'Content-Type:') !== FALSE){
                return true;
            }else{
                return false;
            }
        }

}

public function honeyPotCheck($postcode){
    if($postcode != ""){
        return true;
    }else{
        return false;
    }
}

and lastly here is my form from my twig file

<form class="form-signin collapse" id="demo" method="post" action="/addTimetable">

    <label for="ad_tutoremail" class="sr-only">Tutor Email:</label>
    <input class="form-control" name="tutoremail" type="email" id="ad_tutoremail" placeholder="Tutoremail" required>

    <label for="ad_starttime" class="sr-only">Starttime:</label>
    <input class="form-control" name="starttime" type="text" id="ad_starttime" placeholder="Starttime" required>

    <label for="ad_endtime" class="sr-only">Endtime:</label>
    <input class="form-control" name="endtime" type="text" id="ad_endtime" placeholder="Endtime" required>

    <label for="ad_location" class="sr-only">Location:</label>
    <input class="form-control" name="location" type="text" id="ad_location" placeholder="Location" required>

    <label for="ad_class" class="sr-only">Class:</label>
    <input class="form-control" name="class" type="text" id="ad_class" placeholder="Class" required>

    <label for="ad_level" class="sr-only">Level:</label>
    <input class="form-control" name="level" type="text" id="ad_level" placeholder="Level" required>

    <label for="ad_topic" class="sr-only">Topic:</label>
    <input class="form-control" name="topic" type="text"id="ad_topic" placeholder="Topic" required>

    <label for="ad_capacity" class="sr-only">Capacity:</label>
    <input class="form-control" name="capacity" type="text" id="ad_capacity" placeholder="Capacity" required>

    <div class="spamCheck">
        <label for="inputPostcode" class=sr-only">Postcode</label>
        <input type="text" id="inputPostcode" class="form-control" name="postcode" placeholder="Leave this field blank" />
    </div>

    <input class="createButton" type="submit" value="Create">

</form>

Would this be sufficient to prevent xss? Also in my controller code I was unsure how to filter the input of a datetime is there a way to do this?

Many thanks, sorry for long explanation.

1 Answer

Alena Holligan
STAFF
Alena Holligan
Treehouse Teacher

The quick answer is that if you are using symfony properly you don't have to worry :) here is a good article that explains it a little more. I know it's symfony 2 but it still applies and it's well structured :)

https://www.sas.upenn.edu/computing/infosec_symfony2