
Security features

Open peter279k opened this issue 6 years ago • 5 comments

As the title says, the security components are important to this framework.

According to the OWASP, we need to consider the following security issues:

  • [x] XSS.
  • [ ] SQL injection.
  • [ ] CSRF (it mentioned on issue #140).

peter279k avatar Feb 27 '19 02:02 peter279k

About

  • XSS: it's already in the input class, you may see => https://github.com/zestframework/Zest_Framework/blob/master/src/Input/Input.php#L133

and CSRF and SQL injections still need to be implemented.

lablnet avatar Feb 27 '19 02:02 lablnet

> About
>
> * XSS: it's already in the input class, you may see => https://github.com/zestframework/Zest_Framework/blob/master/src/Input/Input.php#L133
>
> and CSRF and SQL injections still need to be implemented.

@Lablnet, thank you for your reply.

After tracing the code, it seems that it uses htmlspecialchars to prevent XSS attacks.

Do you consider the htmlentities function?

Here is this function explanation:

This function is identical to htmlspecialchars() in all ways, except with htmlentities(), all characters which have HTML character entity equivalents are translated into these entities.

htmlentities is more powerful than htmlspecialchars because it can help us to specify the character encoding during entity conversion.

peter279k avatar Feb 27 '19 03:02 peter279k
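To make the comparison above concrete, here is an added example (not Zest Framework code and not from either commenter) that escapes a few constructed inputs with both functions. The helper names `escapeHtml` and `escapeHtmlEntities` are assumptions for illustration; the flags and encoding arguments are the real PHP ones, and both functions accept the same flag and encoding parameters.

```php
<?php
// Added example, not part of the Zest Framework: output escaping for HTML
// context with htmlspecialchars() vs htmlentities(). Helper names are
// illustrative; the PHP calls, flags and encoding argument are real.

declare(strict_types=1);

/**
 * Escape a value for insertion into HTML text or a quoted attribute.
 * ENT_QUOTES escapes both " and ' (before PHP 8.1 the default, ENT_COMPAT,
 * left the single quote alone); ENT_SUBSTITUTE replaces invalid UTF-8 with
 * U+FFFD instead of returning an empty string; the encoding is explicit.
 */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Same contract, but every character with a named HTML entity is converted,
 * so non-ASCII text such as "é" or "©" becomes &eacute; / &copy; as well.
 */
function escapeHtmlEntities(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Shows why the flag matters: with only ENT_COMPAT a single-quoted attribute
 * value is not protected, because ' is left untouched.
 */
function escapeDoubleQuotesOnly(string $value): string
{
    return htmlspecialchars($value, ENT_COMPAT | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs (not taken from the issue).
$samples = [
    'markup'            => '<b>bold</b> & <script>alert(1)</script>',
    'double-quote break' => '" onmouseover="alert(1)',
    'single-quote break' => "' onmouseover='alert(1)",
    'non-ascii'         => 'café ©',
    'invalid utf-8'     => "abc\xFFdef",
];

foreach ($samples as $label => $input) {
    printf("%-19s htmlspecialchars (ENT_QUOTES): %s\n", $label, escapeHtml($input));
    printf("%-19s htmlspecialchars (ENT_COMPAT): %s\n", '', escapeDoubleQuotesOnly($input));
    printf("%-19s htmlentities     (ENT_QUOTES): %s\n\n", '', escapeHtmlEntities($input));
}
```

Running this shows that for the markup and quote samples the two functions produce identical output once the same flags and encoding are passed; they only diverge on the non-ASCII sample, where htmlentities also converts "é" and "©" to named entities. The ENT_COMPAT line is the one to watch: the single-quote sample passes through unescaped, which is the case the input class should not rely on the default for. Either function covers the HTML text and attribute contexts only; values placed into JavaScript, URLs or CSS need a context-specific encoder.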

Please look at this reference to know the OWASP Top 10 security issues.

https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf

peter279k avatar Feb 27 '19 03:02 peter279k

> > About
> >
> > * XSS: it's already in the input class, you may see => https://github.com/zestframework/Zest_Framework/blob/master/src/Input/Input.php#L133
> >
> > and CSRF and SQL injections still need to be implemented.
>
> @Lablnet, thank you for your reply.
>
> After tracing the code, it seems that it uses htmlspecialchars to prevent XSS attacks.
>
> Do you consider the htmlentities function?
>
> Here is this function explanation:
>
> This function is identical to htmlspecialchars() in all ways, except with htmlentities(), all characters which have HTML character entity equivalents are translated into these entities.
>
> htmlentities is more powerful than htmlspecialchars because it can help us to specify the character encoding during entity conversion.

@peter279k thanks, yes you are right. Fixed in https://github.com/zestframework/Zest_Framework/commit/5d6f25e13619fa6ff77effd5272c92e95f744ac7

lablnet avatar Feb 27 '19 06:02 lablnet

> Please look at this reference to know the OWASP Top 10 security issues.
>
> https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf

Yes sure, I will take a look here, thanks.

lablnet avatar Feb 27 '19 06:02 lablnet