How to make sure your Lithium (#li3) views are secure

I’m doing some Lithium work again and just wanted to revisit the views for a moment. Most of this is from memory, so please correct any errors.

I love the way that Lithium handles views. By sending variables to the view with the compact() function, you can refer to them $directly instead of something like $this->variable.

What’s also nice is that regardless of your php.ini settings and version, you can use the PHP short open tags. If I remember correctly, they were deprecated before becoming the default, due to their conflict with outputting XML (<?xml).

Lithium parses the view, so you won’t get any errors even if you have the tags disabled. As an added benefit, the short tags automatically escape variables with htmlspecialchars().

This approach is similar to the Facebook PHP extension XHP.

What’s really attractive about parsing views is that it makes context-sensitive escaping possible. IMO, frameworks should make this standard. Even the better backend developers are mostly getting this wrong. How do you expect a front-end developer who typically writes the view to get it right? Result? Insecure pages abound.

Hopefully Lithium will perform context-sensitive escaping in the future. If I have time, I hope to contribute to this effort.

What’s the take-home message? Educate yourself on how to escape variables in your views. Depending on where the variable appears, you may need to escape it yourself. To know which method to use, study this OWASP guide:

XSS Prevention Safe Contexts
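
To make "depending on where the variable appears" concrete, here is an added example (not Lithium's own code) that sends the same values through a different escaper for each output context. The function names and sample values are hypothetical, PHP 7.3+ is assumed, and it uses plain `<?php echo` rather than the short tags so nothing is escaped twice.

```php
<?php
// Added example: one escaper per output context. Function names are hypothetical.

function esc_html(string $v): string {
    // HTML body text and quoted attribute values: neutralise & < > " '
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function esc_js(string $v): string {
    // Inside <script>: emit a JSON string literal. The HEX flags keep
    // < > & ' " out of the output, so it cannot close the script block.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return json_encode($v, $flags | JSON_THROW_ON_ERROR);
}

function esc_url_param(string $v): string {
    // A single query-string value: percent-encode every reserved character.
    return rawurlencode($v);
}

function safe_href(string $url): string {
    // A whole URL: escaping cannot fix a bad scheme, so allow-list it first.
    // Relative URLs have no scheme and are also replaced by '#' here.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? esc_html($url) : '#';
}

// Constructed sample values, as a controller might pass them via compact().
$name = 'Pat "PJ" O\'Neil <admin>';
$site = 'javascript:void(0)';
?>
<p>Hello, <?php echo esc_html($name); ?></p>
<input type="text" value="<?php echo esc_html($name); ?>">
<a href="/search?q=<?php echo esc_url_param($name); ?>">search</a>
<a href="<?php echo safe_href($site); ?>">homepage</a>
<script>var userName = <?php echo esc_js($name); ?>;</script>
```

Only the first two outputs are covered by htmlspecialchars() alone; the query parameter, the link target and the script block each need the escaper that matches their context.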

Stay safe!
