Prevent XSS in Symfony

Question

How can I prevent XSS when I show data from a textarea with a wyswyg editor in Symfony2?

I have a textarea with tinyMCE editor. I can insert code for bold, italic, and after I can show the data in the browser with the twig filter raw:

{{miArticulo.contenido|raw}}

But when I write script in the textarea, for example, an alert, it is rendered in the browser too;

How Can I show only secure metas from HTML? I try surround with the twig filter autoescape, but I failed:

{% autoescape 'html' %}{{miArticulo.contenido|raw}}{% endautoescape %}

Can I show secure content con twig or I should try with other libraries such as HTMLPurifier

What about {{miArticulo.contenido|escape('html')|raw}}? Isn't that available in Symphony2? twig.sensiolabs.org/doc/filters/escape.html — puelo
I try it and all html is escaped, I would escape only insecure labels, such as <script> — Giancarlo Ventura Granados
Yes, I try it and I get stranger output such as: \x3Cp\x3E\x3Cstrong\x3 — Giancarlo Ventura Granados
I am unable to find more information on the js escape strategy implemented in twig. Could be a bug. I think your best bet becomes implementing your own custom escape strategy. twig.sensiolabs.org/doc/filters/escape.html#custom-escapers — puelo

Ivan Kvasnica Ivan Kvasnica · Accepted Answer · 2017-02-05T15:02:18

Besides using a templating engine like Twig, I highly suggest to implement the Content Security Policy nonce headers.

header('Content-Security-Policy', 'script-src 'nonce-randomNonceString' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https: http:; object-src 'none');

They forbid running other scripts than those explicitly whitelisted. A downside is that you need to add a randomly generated nonce argument to each <script> tag in your code.

I wrote a detailed tutorial how to implement CSP 3 with nonce in Symfony, so the nonce argument is generated automatically per each request. Feel free to use the solution.

Prevent XSS in Symfony

2 Answers