How to prevent XSS attack - cakephp 4

how to stop XXS attack? Codeignitor has ESC at the front end. Is a similar variable available with CakePHP?

thank you


Use h function in view

Hello <?= h($user->name)

or Text::autoParagraph

Dear @raul338

Thank you so much

Normally attack comes in input field like below;

<input type="password" class="form-control" id="exampleInputPassword1" placeholder="Password">

So how to stop hacker to stop writing a code in the input field and database details?

if you can explain regard to input field much appreciated.

thank you


If you follow the book on converting request data into entities, you are safe of SQL injections.

Then use the methods I posted before to convert posible javascript code to escaped strings.

Thank you @raul338

As a beginner was expecting easy method like the use of esc() in the field.

thank you

will try

I have to chip in here - not the use of technology but your understanding. Point 1, you cannot trust the client. No matter how you wrap your webpage in protecting JavaScript it’s input fields can be compromised. In fact, a decent hacker wouldn’t even bother load your webpage and form up, they just directly sent the GET or POST commands to your webserver.

Now you can protect the input fields to some extend by using Cake’s form protector. It calculates a hash figure based on the input fields it generates, then puts that into a hidden field, so on post it then compares the parameters returned with the hash of the parameters to ensure nothing was introduced. This doesn’t protect the values in the fields, just ensures that what was asked for was received.

Then another layer of protection is CSRF. That will prevent hackers from spamming your webpage with spoofed input fields as they won’t have the legitimate request token. (I mean, they can still do it with a request, grabbing the token, and passing it back - but it stops casual interference.)

Once the data has come back into your PHP handler you can run it through any number of PHP sanitizing & filtering functions which are available.

Then, as raul338 said, if you even need to display on the webpage info they have entered wrap it with the h() function which prevents PHP & JavaScript etc protection.

Thank you.
sorry for the late reply.