
Security component

This component provides basic utilities that help protect against common web vulnerabilities.

CSRF protector

This service is available by default. In your template views you always have a variable called $csrfToken, which you should include in a hidden field when rendering forms, like this:

<form>
  <input type="hidden" name="token" value="<?php echo $csrfToken; ?>" />
 ....

Then in controllers, when handling the form submission, grab the POST value named token and validate it against the current unique session token (via the csrfProtector service), like this:

// Grab the token's value from the POST request
$token = $this->request->getPost('token');

// Save boolean value that indicates whether a token is valid or not
$isValid = $this->csrfProtector->isValid($token);

if (!$isValid) {
    die('Invalid Token');
}

Ajax request

If you submit forms via AJAX, the token has to be passed a bit differently. First, add this meta tag to your global template layout:

<head>
  ...
     <meta name="csrf-token" content="<?php echo $csrfToken; ?>" />
  ...
</head>

Assuming that you use jQuery, configure this additional global request header:

$.ajaxSetup({
    headers: {
        'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
    }
});

Then validate it in controllers just as in the previous example, but use $this->request->getMetaCsrfToken() to read the token's value instead of $this->request->getPost('token').
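The two validation paths above combined in one controller action, as an added example that is not part of the Krystal docs. It assumes $this->request and $this->csrfProtector are available as documented; the controller and action names are made up and the base controller class is omitted.

```php
<?php
// Added example, not from the Krystal docs. Assumed: $this->request and
// $this->csrfProtector exist as documented above; class and action names are
// made up, and the framework's base controller class is omitted.

class ContactController
{
    public function submitAction()
    {
        // Pick the token source. AJAX clients send it in the X-CSRF-TOKEN
        // header (PHP exposes that header as $_SERVER['HTTP_X_CSRF_TOKEN']);
        // classic form posts send it in the hidden "token" field.
        if (isset($_SERVER['HTTP_X_CSRF_TOKEN'])) {
            $token = $this->request->getMetaCsrfToken();
        } else {
            $token = $this->request->getPost('token');
        }

        // Validate before reading any other submitted data or changing state.
        // Answer with 403 instead of die() so the response is a proper HTTP
        // rejection that clients and logs can distinguish from a crash.
        if (!$this->csrfProtector->isValid($token)) {
            http_response_code(403);
            return 'Invalid token';
        }

        // Token is valid: only now process the form data
        $email = $this->request->getPost('email');
        // ...
        return 'OK';
    }
}
```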

Filter class

Krystal\Security\Filter

Currently this class provides the following static methods for dealing with HTML in strings:

escape()

\Krystal\Security\Filter::escape($string)

Escapes the HTML in the string.

stripTags()

\Krystal\Security\Filter::stripTags($string, array $exceptions = array())

An improved version of PHP's built-in strip_tags() function: it handles malformed tags better and accepts an array of tag names to keep as exceptions. Returns the filtered string.

hasTags()

\Krystal\Security\Filter::hasTags($string, array $exceptions = array())

Determines whether a string contains HTML tags. If you want to ignore some tags, pass an array of their names as the second argument. The method returns a boolean value.
