Thursday, December 25, 2014

What is simple protection against XSS in Yii2?

For example, take the following action:
// $name is bound from the request query string and defaults to 'John'
public function actionProfile($name = 'John')
{
    return $this->render('profile', ['name' => $name]);
}
The action method takes an argument $name, whose value defaults to "John" but which may be set by the end user. This makes the page vulnerable to cross-site scripting (XSS) if an attacker embeds malicious JavaScript code in the parameter. In the view code below, the "name" parameter is HTML-encoded before being printed. This is the minimum protection needed.


<?php use yii\helpers\Html; ?>
<?php /* encode before output so <, >, &, " and ' become HTML entities */ ?>
<?= Html::encode($name) ?>
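To see what the encoding step actually changes, here is an added example (not from the original post and not Yii's own code). It runs without the framework: the encodeLikeYii() function applies the same transformation that yii\helpers\Html::encode() performs, namely htmlspecialchars() with ENT_QUOTES | ENT_SUBSTITUTE and UTF-8, and renderUnsafe()/renderSafe() stand in for the view before and after the fix. The function names and the sample inputs are this example's own; in a real Yii2 view you call Html::encode($name) directly, and $name arrives through the action parameter binding shown above (a ?name=... query parameter).

```php
<?php
// Added example: mirrors the view fix from the post without requiring Yii2.

// Same transformation as yii\helpers\Html::encode(): ENT_QUOTES also escapes
// single quotes, which matters when the value lands inside an attribute.
function encodeLikeYii(string $content, bool $doubleEncode = true): string
{
    return htmlspecialchars($content, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', $doubleEncode);
}

// The view before the fix: $name is interpolated raw into text and attribute context.
function renderUnsafe(string $name): string
{
    return "<h1>Hello, $name</h1>\n<input name=\"name\" value=\"$name\">";
}

// The view after the fix: $name is encoded once and reused in both contexts.
function renderSafe(string $name): string
{
    $encoded = encodeLikeYii($name);
    return "<h1>Hello, $encoded</h1>\n<input name=\"name\" value=\"$encoded\">";
}

// Constructed inputs: an ordinary name, a name containing quotes, and a
// tag-bearing value of the kind an attacker would put in the parameter.
$samples = [
    'John',
    'Jack "The Hammer" O\'Neil',
    '<script>alert(1)</script>',
];

foreach ($samples as $name) {
    echo "--- input: $name\n";
    echo "unsafe view:\n" . renderUnsafe($name) . "\n";
    echo "safe view:\n" . renderSafe($name) . "\n\n";
}
```

Running it shows the tag-bearing input surviving as literal markup in the unsafe render and as `&lt;script&gt;...&lt;/script&gt;` in the safe one, while the quoted name is still displayed correctly because the entities are decoded by the browser for display. Note that this encoding is only correct for HTML text and attribute values; a value placed inside a `<script>` block or a URL needs context-specific escaping instead.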
