Back to Top

Prevent XSS by Joomla coding standard

Updated 6 June 2023

Prevent XSS by Joomla coding standard:

What is XSS

Cross-site scripting (XSS) is a code injection attack that allows an attacker to execute malicious JavaScript in another user’s browser.

The attacker does not directly target his victim. Instead, he exploits a vulnerability in a website that the victim visits, in order to get the website to deliver the malicious JavaScript for him. To the victim’s browser, the malicious JavaScript appears to be a legitimate part of the website, and the website has thus acted as an unintentional accomplice to the attacker.

Result of Malicious JavaScript:

Among many other things, the ability to execute arbitrary JavaScript in another user’s browser allows an attacker to perform the following types of attacks:

  1.  Cookie Theft:Cookie theft occurs when a third party copies unencrypted session data and uses it to impersonate the real user.
  2.  Keylogging : In this attacker can register keyboard event using addEventListener and send  values of key to his own server.
  3. Phishing: Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.

How attacker injects XSS script:

There is most common way to send script to server is html input and ajax data object.In other word where user put any data for submit to server.So we must be validate it on server end by sanitize user inputs.

Joomla is one of the best CMS which is known for security protection.It provide API to filter input data by various method.

Start your headless eCommerce
now.
Find out More

Joomla Coding Standard:

This is follow MVC architecture for Components so we must follow it.

  1. View: A user interacts with the view – by clicking on a link or submitting a form.
  2. Controller: The Controller handles the user input, and transfers the information to the model So we must get all user input in controller.
  3. Model: The Model receives the information and updates it’s state and Model is used to process database related query.

User intact with view and put some data to send on server data should be receive in controller.

Joomla Filtering Method In Controller:

  1. Do not use php superglobal  variable such as $
    _POST,$_GET,$_SERVER,$_FILES,$_REQUEST etc.
  2. Use JFactory::getApplication()->input object to retrieve request data(get,post,cookie,files etc.)

eg:

//To instantiate Jinput class of joomla

$jInput=JFactory::getApplication()->input;

// Here we are getting post method request and index is id

// Here get method receiving 3 parameter first is request parameter second is default value and third if filter

$id=$jInput->post->get(‘id’, 0, ‘INT’);

Available Joomla data filters are:

  • INT

// Only use the first integer value

$id=$jInput->post->get(‘id’,  0, ‘INT’);

  • UNIT

// Only use the first integer value

$var_name=$jInput->post->get(‘var_name’, ‘ ‘ , ‘UNIT’);

  • FLOAT

  • DOUBLE

// Only use the first floating point value

$var_name=$jInput->post->get(‘var_name’, 0.0 , ‘FLOAT’);

$var_name=$jInput->post->get(‘var_name’, 0.0 , ‘DOUBLE’);

  • BOOL

// Only use the get Boolean value

$var_name=$jInput->post->get(‘var_name’, ‘ ‘ , ‘BOOL’);

  • ALNUM

// Allow a-z and 0-9 only (eg: webkul124

$var_name=$jInput->post->get(‘var_name’, ‘ ‘ , ‘ALNUM’);

  • CMD

// Allow a-z, 0-9, underscore, dot, dash. Also remove leading dots from result.
$var_name = $jInput->post->get(‘var_name’, ‘ ‘ , ‘CMD’);

  • BASE64

// Allow a-z, 0-9, slash, plus, equals.
$var_name = $jInput->post->get(‘var_name’, ‘ ‘ , ‘BASE64’);

  • STRING

// Converts the input to a plain text string; strips all tags / attributes.

$var_name = $jInput->post->get(‘var_name’, ‘ ‘ , ‘STR’);

  • HTML

// Converts the input to a string; strips all HTML tags / attributes. eg: <span>some text</span>

$var_name = $jInput->post->get(‘var_name’, ‘ ‘ , ‘HTML’);

  • PATH

// Converts the input into a string and validates it as a path.  e.g. path/to/file.png or path/to/dir
// For a visual representation of the pattern matching used, see http://www.regexper.com/#^[A-Za-z0-9_-]%2B[A-Za-z0-9_\.-]*%28[\\\\\%2F][A-Za-z0-9_-]%2B[A-Za-z0-9_\.-]*%29*%24

$var_name = $jInput->post->get(‘var_name’,  ‘ ‘ , ‘PATH’);

  • USERNAME

// Strips all invalid username characters.

$var_name = $jInput->post->get(‘var_name’,  ‘ ‘ , ‘USERNAME’);

  • Getting Multiple Values

To retrieve a number of values you can use the getArray() method:

$var_name = $jInput->post->getArray();

  • Getting JSON string from request

$var_name = $jInput->json->get(‘varname’, ‘default_value’, ‘filter’);

  • Getting POST string from request

$var_name = $jInput->post->get(‘varname’, ‘default_value’, ‘filter’);

  • Getting get string from request

$var_name = $jInput->get->get(‘varname’, ‘default_value’, ‘filter’);

  • Getting server string from request

$var_name = $jInput->server->get(‘varname’, ‘default_value’, ‘filter’);

  • Getting files string from request

$var_name = $jInput->files->get(‘varname’, ‘default_value’, ‘filter’);

  • Getting cookie string from request

$var_name = $jInput->cookie->get(‘varname’, ‘default_value’, ‘filter’);

  • Get request data in array

$postData = $jInput->post->getArray();

$getData = $jInput->get->getArray();

$serverData = $jInput->server->getArray();

$fileData = $jInput->files->getArray();

$cookieData = $jInput->cookie->getArray();

Egample:

$jinput = JFactory::getApplication()->input;
$value = $Jinput->get(‘value’,”,’html’);
echo $value;

This will strip out all html tags and attributes. however you should also use your judgment about what are acceptable values. If you think that there is any chance that some html code could have slipped through you can use in addition the PHP htmlspecialchars() function

$value = htmlspecialchars( $value );
echo $value;

Conclusion:

If we get mixed data in request such as text and html then we use RAW filter.

$var_name = $jInput->server->get(‘varname’, ‘default_value’, ‘RAW’);

This might be harmful so we use global filtering of joomla setting.

$jInputFilter=JFilterInput::getInstance();

$jInputFilter->clean($jInput->server->get(‘varname’, ‘default_value’, ‘RAW’));//this will filter text according global configuration

Create Custom Filtering In Joomla

We can create custom text filter.

getInstance(array $tagsArray = array(), array $attrArray = array(), integer $tagsMethod, integer $attrMethod, integer $xssAuto = 1)

Parameter Default Value Description
$tagsArray array() $tagsArray list of user-defined tags
$attrArray array() $attrArray list of user-defined attributes
$tagsMethod 0 $tagsMethod WhiteList method = 0, BlackList method = 1
$attrMethod 0 $attrMethod WhiteList method = 0, BlackList method = 1
$xssAuto 1 $xssAuto Only auto clean essentials = 0, Allow clean blacklisted tags/attr = 1
 $input_options = JFilterInput::getInstance(
        array(
            'img','p','a','u','i','b','strong','span','div','ul','li','ol','h1','h2','h3','h4','h5',
            'table','tr','td','th','tbody','theader','tfooter','br'
        ),
        array(
            'src','width','height','alt','style','href','rel','target','align','valign','border','cellpading',
            'cellspacing','title','id','class'
        )
    );

    $postData = new JInput($_POST, array('filter' => $input_options));

    $var_name=$postData->get($htmlText, '', 'HTML');

Support

For any query regarding Joomla virtuemart Extensions and add-ons you can communicate with us at:
[email protected]

. . .

Leave a Comment

Your email address will not be published. Required fields are marked*


Be the first to comment.

Back to Top

Message Sent!

If you have more details or questions, you can reply to the received confirmation email.

Back to Home

Table of Content