diff --git a/reference/configuration/framework.rst b/reference/configuration/framework.rst index 25edfe52910..83cece55ec5 100644 --- a/reference/configuration/framework.rst +++ b/reference/configuration/framework.rst @@ -1825,7 +1825,7 @@ cookie_httponly This determines whether cookies should only be accessible through the HTTP protocol. This means that the cookie won't be accessible by scripting languages, such as JavaScript. This setting can effectively help to reduce -identity theft through XSS attacks. +identity theft through :ref:`XSS attacks `. gc_divisor .......... diff --git a/reference/configuration/twig.rst b/reference/configuration/twig.rst index 75a3b7ddf42..f0e8bd31454 100644 --- a/reference/configuration/twig.rst +++ b/reference/configuration/twig.rst @@ -44,9 +44,9 @@ individually in the templates). .. danger:: Setting this option to ``false`` is dangerous and it will make your - application vulnerable to `XSS attacks`_ because most third-party bundles - assume that auto-escaping is enabled and they don't escape contents - themselves. + application vulnerable to :ref:`XSS attacks ` because most + third-party bundles assume that auto-escaping is enabled and they don't + escape contents themselves. If set to a string, the template contents are escaped using the strategy with that name. Allowed values are ``html``, ``js``, ``css``, ``url``, ``html_attr`` @@ -345,4 +345,3 @@ attribute or method doesn't exist. If set to ``false`` these errors are ignored and the non-existing values are replaced by ``null``. .. _`the optimizer extension`: https://twig.symfony.com/doc/3.x/api.html#optimizer-extension -.. _`XSS attacks`: https://en.wikipedia.org/wiki/Cross-site_scripting diff --git a/templates.rst b/templates.rst index a46a211692c..7dd7a758fae 100644 --- a/templates.rst +++ b/templates.rst 
@@ -1240,17 +1240,25 @@ and leaves the repeated contents and HTML structure to some parent templates. Read the `Twig template inheritance`_ docs to learn more about how to reuse parent block contents when overriding templates and other advanced features. -Output Escaping ---------------- +.. _output-escaping: +.. _xss-attacks: + +Output Escaping and XSS Attacks +------------------------------- Imagine that your template includes the ``Hello {{ name }}`` code to display the -user name. If a malicious user sets ```` as -their name and you output that value unchanged, the application will display a -JavaScript popup window. +user name and a malicious user sets the following as their name: + +.. code-block:: html + + My Name + -This is known as a `Cross-Site Scripting`_ (XSS) attack. And while the previous -example seems harmless, the attacker could write more advanced JavaScript code -to perform malicious actions. +You'll see ``My Name`` on screen but the attacker just secretly stole your cookies +so they can impersonate you in other websites. This is known as a `Cross-Site Scripting`_ +or XSS attack. To prevent this attack, use *"output escaping"* to transform the characters which have special meaning (e.g. replace ``<`` by the ``<`` HTML entity).
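Review bot: in the framework.rst hunk (cookie_httponly) the new ``:ref:`XSS attacks ``` role shows no explicit target in this rendering; it must carry the ``xss-attacks`` label that the templates.rst hunk introduces with ``.. _xss-attacks:``, otherwise Sphinx reports an undefined label and renders the text without a link. The sentence itself could also be tightened: HttpOnly keeps the cookie out of reach of injected script, so it limits cookie theft through XSS rather than the XSS itself, e.g. "helps limit the impact of :ref:`XSS attacks <xss-attacks>`, since injected script cannot read the session cookie".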
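Review bot: the second twig.rst hunk removes the ``.. _`XSS attacks`:`` link target while the first hunk rewrites only the occurrence inside the ``.. danger::`` block; if any other ```XSS attacks`_`` reference is still present elsewhere in twig.rst the build will now fail with an unknown-target error, so grep the file for the old reference before merging. Leaving the ``.. _`the optimizer extension`:`` target in place is correct since it is still used.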
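Review bot: in the templates.rst hunk the sentence "the attacker just secretly stole your cookies so they can impersonate you in other websites" overstates the example: a cookie read by script injected into this application lets the attacker impersonate the user on this application only, and only when the session cookie is not HttpOnly, which is exactly what the cookie_httponly hunk in this same patch describes. Suggest "the injected script could send your session cookie to the attacker, who can then impersonate you on this site", and add a ``:ref:`` back to the cookie_httponly option so readers see output escaping and HttpOnly as complementary mitigations. Stacking ``.. _output-escaping:`` and ``.. _xss-attacks:`` before the renamed heading is fine in Sphinx, and keeping the old label preserves existing inbound links to the section.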