Skip to content

Latest commit

 

History

History
46 lines (26 loc) · 1.73 KB

security.md

File metadata and controls

46 lines (26 loc) · 1.73 KB

Security

The esoTalk framework provides a number of functions and strategies that make security very easy to implement.

Sanitizing Data

Sanitizing Data Being Rendered In A HTML Response

echo sanitizeHTML("<b>Test</b>"); // &lt;b&gt;Test&lt;/b&gt;

Sanitizing Data Being Outputted Within HTTP Headers

$headers = "Location: ".sanitizeForHTTP($url);

Sanitizing Data Being Used For A File Name

$path = "dir/".sanitizeFileName($filename);

CSRF Protection

CSRF protection is implemented using a randomly-generated token. This token is available as a property on the ETSession class, via ET::$session->token.

Creating A Link With CSRF Protection

$url = URL("conversation/delete/".$conversationId."?token=".ET::$session->token);

The token can then be checked to make sure the request is valid using the ETController::validateToken method. This method will assume that the token is submitted in the request data with the "token" key. If token validation fails, a notification message will be added and the method will return false.

Checking If The Request Is Valid

if (!$this->validateToken()) return;

CSRF protection is automated when setting up a form using ETForm. The token is added as a hidden input to the form automatically; all you have to do is check for a valid post back before processing any data:

Checking If A Form Submission Is Valid

if ($form->validPostBack("save")) {
	// token is valid
}

ETAjax automatically sends the token in the request data, so you don't need to add it manually to every AJAX request.