Contextual Escaping
===================

Websites and web applications are vulnerable to XSS_ attacks. PHP provides escaping functions, but in some contexts
they are not sufficient or not appropriate. :doc:`Phalcon\\Escaper <../api/Phalcon_Escaper>` provides contextual escaping and is written in Zephir,
keeping the overhead of escaping different kinds of text minimal.
This component was designed following the `XSS (Cross Site Scripting) Prevention Cheat Sheet`_ published by the OWASP_.
Additionally, the component relies on mbstring_ to support almost any charset.
To illustrate how the component works and why choosing the right context matters, consider the following example:

.. code-block:: html+php

    <?php

    use Phalcon\Escaper;

    // Document title with malicious extra HTML tags
    $maliciousTitle = "</title><script>alert(1)</script>";

    // Malicious CSS class name
    $className = ";`(";

    // Malicious CSS font name
    $fontName = "Verdana\"</style>";

    // Malicious JavaScript text
    $javascriptText = "';</script>Hello";

    // Create an escaper
    $e = new Escaper();

    ?>

    <html>
        <head>
            <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
            <title><?php echo $e->escapeHtml($maliciousTitle); ?></title>
            <style type="text/css">
                .<?php echo $e->escapeCss($className); ?> {
                    font-family: "<?php echo $e->escapeCss($fontName); ?>";
                    color: red;
                }
            </style>
        </head>
        <body>
            <div class='<?php echo $e->escapeHtmlAttr($className); ?>'>
                hello
            </div>
            <script>var some = '<?php echo $e->escapeJs($javascriptText); ?>';</script>
        </body>
    </html>

Which produces the following:

.. code-block:: html

    <html>
        <head>
            <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
            <title>&lt;/title&gt;&lt;script&gt;alert(1)&lt;/script&gt;</title>
            <style type="text/css">
                .\3b \60 \28 {
                    font-family: "Verdana\22 \3c \2f style\3e ";
                    color: red;
                }
            </style>
        </head>
        <body>
            <div class='&#x3b;&#x60;&#x28;'>
                hello
            </div>
            <script>var some = '\x27;\x3c\x2fscript\x3eHello';</script>
        </body>
    </html>

Every value was escaped according to the context it was inserted into. Using the escaping routine that matches the context is what prevents XSS: a value that is HTML-escaped but then placed inside a CSS value or a JavaScript string literal is not protected in that context.

Escaping HTML
-------------

The most common situation when inserting unsafe data is between HTML tags:

.. code-block:: html

    <div class="comments"><!-- Escape untrusted data here! --></div>

You can escape that data using the :code:`escapeHtml` method:

.. code-block:: html+php

    <div class="comments"><?php echo $e->escapeHtml('></div><h1>myattack</h1>'); ?></div>

Which produces:

.. code-block:: html

    <div class="comments">&gt;&lt;/div&gt;&lt;h1&gt;myattack&lt;/h1&gt;</div>

Escaping HTML Attributes
------------------------

Escaping HTML attributes is different from escaping HTML content. The escaper works by changing every non-alphanumeric
character to the :code:`&#xHH;` form. Because even the space character is encoded, the value cannot terminate the attribute it is placed in,
although attribute values should still always be quoted. This kind of escaping is intended for simple attributes and excludes complex ones
like 'href' or 'url', whose values are URLs and need the URL escaping described below:

.. code-block:: html

    <table width="Escape untrusted data here!"><tr><td>Hello</td></tr></table>

You can escape an HTML attribute by using the :code:`escapeHtmlAttr` method:

.. code-block:: html+php

    <table width="<?php echo $e->escapeHtmlAttr('"><h1>Hello</table'); ?>"><tr><td>Hello</td></tr></table>

Which produces:

.. code-block:: html

    <table width="&#x22;&#x3e;&#x3c;h1&#x3e;Hello&#x3c;&#x2f;table"><tr><td>Hello</td></tr></table>

Escaping URLs
-------------

Some HTML attributes like 'href' or 'url' need to be escaped differently. URL escaping percent-encodes a value so it can be used as a URL
component; it does not validate the URL itself, so an untrusted value that is used as a complete URL (for example one starting with a
``javascript:`` scheme) must additionally be validated before it is placed in ``href``:

.. code-block:: html

    <a href="Escape untrusted data here!">Some link</a>

You can escape such an attribute by using the :code:`escapeUrl` method:

.. code-block:: html+php

    <a href="<?php echo $e->escapeUrl('"><script>alert(1)</script><a href="#'); ?>">Some link</a>

Which produces:

.. code-block:: html

    <a href="%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E%3Ca%20href%3D%22%23">Some link</a>

Escaping CSS
------------

CSS identifiers and values can be escaped too. Every non-alphanumeric character becomes a backslash followed by its hexadecimal
code and a terminating space, so the result contains no quote, ``<`` or ``>`` that could close the surrounding attribute or style block:

.. code-block:: html

    <a style="color: Escape untrusted data here">Some link</a>

You can escape a CSS identifier or value by using the :code:`escapeCss` method:

.. code-block:: html+php

    <a style="color: <?php echo $e->escapeCss('"><script>alert(1)</script><a href="#'); ?>">Some link</a>

Which produces:

.. code-block:: html

    <a style="color: \22 \3e \3c script\3e alert\28 1\29 \3c \2f script\3e \3c a\20 href\3d \22 \23 ">Some link</a>

Escaping JavaScript
-------------------

Strings to be inserted into JavaScript code must also be properly escaped. The escaped value is only safe inside a quoted string
literal; it does not make untrusted data safe to insert as JavaScript code outside a string:

.. code-block:: html

    <script>document.title = 'Escape untrusted data here'</script>

You can escape data for a JavaScript string literal by using the :code:`escapeJs` method:

.. code-block:: html+php

    <script>document.title = '<?php echo $e->escapeJs("'; alert(100); var x='"); ?>'</script>

Which produces:

.. code-block:: html

    <script>document.title = '\x27; alert(100); var x\x3d\x27'</script>

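As an added example, not part of the original page or of the Phalcon project, the following JavaScript re-implements the five
escaping rules used in the sections above (HTML content, HTML attribute, URL, CSS, JavaScript string) following the OWASP cheat
sheet, and assembles the introductory document from the same malicious inputs so that the effect of each context can be checked
offline. The function names mirror the Phalcon methods but are assumptions for this example. It is stricter than Phalcon's
:code:`escapeJs` in one respect: every non-alphanumeric character in a JavaScript string is hex-escaped, whereas the output shown
above leaves punctuation such as ``;`` and the space character untouched.

```javascript
// Added example (not Phalcon's code): OWASP XSS Prevention Cheat Sheet rules
// re-implemented in JavaScript. Function names mirror Phalcon\Escaper methods
// but are assumptions for this example, as are the sample inputs below.

const hex = (cp) => cp.toString(16);

// Rule #1: data between HTML tags. Entity-encode the characters that have
// meaning in HTML (same set as PHP's htmlspecialchars with ENT_QUOTES).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Rule #2: data inside a simple, quoted HTML attribute. Every character that is
// not [A-Za-z0-9] becomes &#xHH; so no quote, space or '>' can end the attribute.
function escapeHtmlAttr(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, (c) => `&#x${hex(c.codePointAt(0))};`);
}

// Rule #3: data inside a JavaScript string literal. \xHH for one-byte code
// points, \uHHHH / \u{...} above that; '<' and '/' are escaped, so the payload
// can never contain a literal '</script>'.
function escapeJs(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, (c) => {
    const cp = c.codePointAt(0);
    if (cp < 0x100) return `\\x${hex(cp).padStart(2, '0')}`;
    if (cp < 0x10000) return `\\u${hex(cp).padStart(4, '0')}`;
    return `\\u{${hex(cp)}}`;
  });
}

// Rule #4: data inside a CSS value or identifier. \HH plus a terminating space
// (the space stops a following hex digit from being absorbed into the escape).
function escapeCss(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, (c) => `\\${hex(c.codePointAt(0))} `);
}

// Rule #5: data used as a URL parameter value. encodeURIComponent leaves !'()*
// alone, so percent-encode those as well (matches PHP's rawurlencode output).
function escapeUrl(s) {
  return encodeURIComponent(String(s)).replace(/[!'()*]/g,
    (c) => `%${hex(c.charCodeAt(0)).toUpperCase()}`);
}

// Constructed sample: the malicious values from the introductory example.
const SAMPLE = {
  title: '</title><script>alert(1)</script>',
  className: ';`(',
  fontName: 'Verdana"</style>',
  jsText: "';</script>Hello",
  link: '"><script>alert(1)</script><a href="#',
};

// Assemble the introductory document, escaping each value for the context it
// lands in: title text, CSS selector/value, attribute, URL, JS string literal.
function renderDocument(v = SAMPLE) {
  return [
    '<html><head>',
    `<title>${escapeHtml(v.title)}</title>`,
    `<style>.${escapeCss(v.className)} { font-family: "${escapeCss(v.fontName)}"; }</style>`,
    '</head><body>',
    `<div class="${escapeHtmlAttr(v.className)}">hello</div>`,
    `<a href="${escapeUrl(v.link)}">Some link</a>`,
    `<script>var some = '${escapeJs(v.jsText)}';</script>`,
    '</body></html>',
  ].join('\n');
}

// Count closing tags in the rendered output: with correct escaping each of
// </title>, </style> and </script> appears exactly once, from the template only.
function countTag(html, tag) {
  return html.split(`</${tag}>`).length - 1;
}

// Round trip for the JS context: placed in a string literal, the escaped form
// must evaluate back to the original (new Function stands in for the browser's parser).
function jsRoundTrip(s) {
  return new Function(`return '${escapeJs(s)}';`)() === s;
}
```

Running ``renderDocument()`` and inspecting the result shows the same shape of output as the Phalcon example above; ``countTag``
confirms that no injected closing tag survives, and ``jsRoundTrip`` shows that the JavaScript escaping is lossless for the browser
while being inert in the page source.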
.. _OWASP: https://www.owasp.org
.. _XSS: https://www.owasp.org/index.php/XSS
.. _`XSS (Cross Site Scripting) Prevention Cheat Sheet`: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
.. _mbstring: http://php.net/manual/en/book.mbstring.php