Mercurial > hg > isophonics-drupal-site
annotate vendor/zendframework/zend-escaper/doc/book/escaping-url.md @ 0:4c8ae668cc8c
Initial import (non-working)
| author | Chris Cannam |
|---|---|
| date | Wed, 29 Nov 2017 16:09:58 +0000 |
| parents | |
| children |
| rev | line source |
|---|---|
| Chris@0 | 1 # Escaping URLs |
| Chris@0 | 2 |
| Chris@0 | 3 This method is basically an alias for PHP's `rawurlencode()` which has applied |
| Chris@0 | 4 RFC 3986 since PHP 5.3. It is included primarily for consistency. |
| Chris@0 | 5 |
| Chris@0 | 6 URL escaping applies to data being inserted into a URL and not to the whole URL |
| Chris@0 | 7 itself. |
| Chris@0 | 8 |
| Chris@0 | 9 ## Example of Bad URL Escaping |
| Chris@0 | 10 |
| Chris@0 | 11 XSS attacks are easy if data inserted into URLs is not escaped properly: |
| Chris@0 | 12 |
| Chris@0 | 13 ```php |
| Chris@0 | 14 <?php header('Content-Type: application/xhtml+xml; charset=UTF-8'); ?> |
| Chris@0 | 15 <!DOCTYPE html> |
| Chris@0 | 16 <?php |
| Chris@0 | 17 $input = <<<INPUT |
| Chris@0 | 18 " onmouseover="alert('zf2') |
| Chris@0 | 19 INPUT; |
| Chris@0 | 20 ?> |
| Chris@0 | 21 <html xmlns="http://www.w3.org/1999/xhtml"> |
| Chris@0 | 22 <head> |
| Chris@0 | 23 <title>Unescaped URL data</title> |
| Chris@0 | 24 <meta charset="UTF-8"/> |
| Chris@0 | 25 </head> |
| Chris@0 | 26 <body> |
| Chris@0 | 27 <a href="http://example.com/?name=<?= $input ?>">Click here!</a> |
| Chris@0 | 28 </body> |
| Chris@0 | 29 </html> |
| Chris@0 | 30 ``` |
| Chris@0 | 31 |
| Chris@0 | 32 ## Example of Good URL Escaping |
| Chris@0 | 33 |
| Chris@0 | 34 By properly escaping data in URLs by using `escapeUrl()`, we can prevent XSS |
| Chris@0 | 35 attacks: |
| Chris@0 | 36 |
| Chris@0 | 37 ```php |
| Chris@0 | 38 <?php header('Content-Type: application/xhtml+xml; charset=UTF-8'); ?> |
| Chris@0 | 39 <!DOCTYPE html> |
| Chris@0 | 40 <?php |
| Chris@0 | 41 $input = <<<INPUT |
| Chris@0 | 42 " onmouseover="alert('zf2') |
| Chris@0 | 43 INPUT; |
| Chris@0 | 44 |
| Chris@0 | 45 $escaper = new Zend\Escaper\Escaper('utf-8'); |
| Chris@0 | 46 $output = $escaper->escapeUrl($input); |
| Chris@0 | 47 ?> |
| Chris@0 | 48 <html xmlns="http://www.w3.org/1999/xhtml"> |
| Chris@0 | 49 <head> |
| Chris@0 | 50 <title>Unescaped URL data</title> |
| Chris@0 | 51 <meta charset="UTF-8"/> |
| Chris@0 | 52 </head> |
| Chris@0 | 53 <body> |
| Chris@0 | 54 <a href="http://example.com/?name=<?= $output ?>">Click here!</a> |
| Chris@0 | 55 </body> |
| Chris@0 | 56 </html> |
| Chris@0 | 57 ``` |