symfony - Validation (vs) Sanitization in Symfony2+Twig? -


i need users enter uri of personal website in profile other users can see , click on it. worried lead xss attacks if output not sanitized properly.

like in simplistic schema below:

enter image description here

i using full stack symfony2 framework, doctrine orm , twig template engine. know symfony provides amazing validation tools, , twig provides automatic output escaping (which not necessary in particular case) some filters output sanitizing.

i've read following how symfony2 , twig handle sanitization:

doctrine comes sanitization database (sql) injections. apart this, there no recommended / provided input sanitization @ controller level in symfony2. however, using twig in view, output sanitization available.

as example, in cakephp however:

data sanitization implemented utility can accessed anywhere (controller, component, model .. view). follows sanitize-all-input approach fixed set of predefined sanitization filters. sanitizing specific inputs dedicated rules possible, seems not encouraged.the existing rules concentrate on sql , html injections , filtering out general suspicious unicode characters.

1 how symfony2 + twig users handle input sanitization? discard input sanitization totally , example rely on validation only? or write own utility function filter user inputs? or maybe use library owasp-esapi-php?

2 how symfony2 + twig users handle output sanitization? rely on filters provided twig engine only? example, there tools 1 can use sanitize user-entered uri, something similar this?

3 in situarion, how handle database storage , display of user-entered uri in example above, care input sanitization @ all? or use output sanitization , store uri is?

  1. you should not worry @ input sanitization, doctrine immune sql injection

  2. by default, output escaped. if $text has script tags, escaped; visible text not executed browser. , if want have http://example.com clickable, there jquery plugins can you.

  3. i put validation, there 

    new symfony\component\validator\constraints\url() ;

available you


Comments

Post a Comment

Popular posts from this blog

Change php variable from jquery value using ajax (same page) -

what i'm trying this: i've php global variable $currentid , simple jquery script check if there "id" (page) in hash of url , if yes wanted give value $currentid . i've been reading lot , notice shall use ajax i'm not managing it. my code is: <script type="text/javascript"> $(document).ready(function(){ if (parent.location.hash != '' ) { var thecurrentid = parent.location.hash.split('#')[1]; $.ajax({ url: 'my.php', //current page type: 'post', data: {theid: thecurrentid }, datatype: 'json', success: function () { } }); } // code here }); </script> could me please? thank in advance. php server side language, meaning once has sent data browser, php variables , data cannot changed... however, using ajax, can send request php page , change data in dom based on result. consider th...
Read more

Pull out data related to my apps from Android Play Store and iOS App Store -

i want pull out data related apps (ratings, reviews, etc) google play store , apple app store ? how can accomplish ? i have found open source apis google mentioned not reliable. also there paid apis (e.g. appfigures) available. has idea how able pull data these play stores ?? i looking direction on how can accomplish this. can suggest ? we (appfigures) have been working on developing infrastructure give ability reviews , bunch of other data points major app stores several years :] we make available via our api though may want check out.
Read more

How can I fetch data from a web server in an android application? -

i want retrieve data web server in android application, , don't know begin. should use web services? i recommend these tutorials: connect android php , mysql , json in android , php , mysqli i used these tutorials , managed trying working without difficulty. between them describe each step in how attempting @ each stage, android application, database , web server side , has information included can process , use received information the thing add connect android php , mysql tutorial makes use of mysql_ in php deprecated. better use mysqli why included third link. the basic outline of want this: 1) in android app make request server php script using class this: import java.io.bufferedreader; import java.io.ioexception; import java.io.inputstream; import java.io.inputstreamreader; import java.io.unsupportedencodingexception; import java.util.list; import org.apache.http.httpentity; import org.apache.http.httpresponse; import org.apache.http.namevaluepair...
Read more