ViewValue Plugin for CakePHP
This plugin let your CakePHP application secure against XSS injection by escaping View variables automatically.
Requirements
- PHP >= 5.5
- CakePHP >= 2.6
Setup
In Config/bootstrap.php
:
#Load ViewValue plugin
CakePlugin::load('ViewValue');
and in Controller/AppController.php
:
public $helpers = array('ViewValue.ViewValue');
notice
If variables are already escaped by using h()
helper in your view file, you should remove h()
.
They might to be cause of double escaping.
Description
This plugin convert View variable whose type is String
/Array
/Object
into instance of StringViewValue
/ArrayViewValue
/ObjectViewValue
.
They act as their original variable type.
If need arise, you can get raw value by calling raw()
method in view file.
Sample code
StringViewValue
act as string.
#Controller/SampleController.php
public function index() {
$this->set('xssstr', '<script>alert(0)</script>');
}
<!-- View/Smaple/index.ctp -->
<?php echo $xssstr; ?> <!-- <script>alert(0)</script> (display correctly in browser) -->
<?php echo $xssstr->raw(); ?> <!-- <script>alert(0)</script> (script is triggered) -->
and ArrayViewValue
act as array.
#Controller/SampleController.php
public function index() {
$this->set('arr', array('<script>alert(0)</script>', 'hoge', array('fuga', array('hoge', 'fuga'))));
}
<!-- View/Smaple/index.ctp -->
<?php echo $arr[0]; ?> <!-- <script>alert(0)</script> (display correctly in browser) -->
<?php var_dump($arr instanceof ArrayViewValue) ?> <!-- true -->
<?php var_dump($arr[0] instanceof StringViewValue) ?> <!-- true -->
<!-- `$arr[0]` is converted to `StringViewValue`. -->
<?php var_dump($arr[2][1] instanceof ArrayViewValue) ?> <!-- true -->
<!-- The value of any hierarchy will be converted into BaseViewValue inheritance. -->
<!-- off course you can use foreach -->
<?php
foreach ($arr as $val) {
echo $val;
}
?>