- Version: 1.1.1
- Author: Symphony Team
- Build Date: 21st May 2012
- Requirements: Symphony 2.0.3
Fairly blunt filter to protect Symphony events from common cross-site scripting (XSS) attacks.
- Place the
xssfilterfolder in your Symphonyextensionsdirectory. - Go to System > Extensions, select "Cross-Site Scripting (XSS) Filter", choose "Enable" from the with-selected menu, then click Apply.
- Go to Blueprints > Components and click the name of the event whose input you want to filter.
- In the "Filter Rules" field, select "Filter XSS: Fail if malicious input is detected"
- Save your event
- Pirouette
Additionally, the XSS Filter can be used directly in your extensions via Extension_XSSFilter::detectXSS($string) which takes a string and returns boolean if XSS is detected.
The filter, as mentioned above is very strict. It defaults to a high level of protection, and users who want to be more permissive with their input should be savvy enough to filter that input accordingly before rendering the content on the front end.
The filter disallows the following HTML elements: meta, link, style, script, embed, object, iframe, frame, frameset, title, and a few other more obscure ones.