XSS Validation in Joomla Components

Before reading this article, you should already know how to develop Joomla extensions. If you don’t, I suggest reading Developing Component in Joomla first.

If you have created a user input form in your Joomla component, such as a comment form or a picture upload form, you must be aware that processing the user input without properly validating it can make the application vulnerable to XSS attacks. Most extensions that do not properly validate their inputs against XSS are open to exactly this kind of attack.

So, what is an XSS attack?

Cross Site Scripting (XSS) is a common website vulnerability that can be exploited when a custom web application does not properly sanitise its input.

XSS is one of the most common website attacks: an attacker injects client-side script into a web page, usually through an input form, and the page then misbehaves when viewed by other users. The effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site’s owner.

Search Google for more information on XSS attacks.

Let’s see how you can safeguard your extension against XSS attacks in Joomla.

Validating Form Inputs in Joomla

Joomla has a built-in validate method for validating form inputs. You just need to call it in your model before saving the input data. In your Joomla component, the controller calls the store function of the relevant model to save the data. In the controller, you should have something like this:

/**
 * Method to save a record.
 *
 * @return    Boolean    True if successful, false otherwise.
 * @since    1.6
 */
public function save()
{
    // Reject requests that do not carry a valid form token (CSRF protection).
    JRequest::checkToken() or die('Invalid Token');

    $model = $this->getModel('[ModelName]');     //[ModelName]: Use your model name

    if ($model->store())
    {
        $msg = JText::_('COM_XXX_DATA_SAVED_SUCCESS');
    }
    else
    {
        $msg = JText::_('COM_XXX_DATA_SAVED_ERROR');
    }

    $link = 'index.php?option=com_xxx&view=[ViewName]';    //[ViewName]: Use viewname to display after saving data
    $this->setRedirect($link, $msg);
}

This controller function passes control to the model, where the actual storing of the input data takes place, and returns true if everything is fine. In the model you should have the following code to store the data:

/**
 *
 * Store the Data
 *
 */
function store()
{
    // Check the request token.
    JRequest::checkToken('post') or jexit(JText::_('JINVALID_TOKEN'));

    // Initialise variables.
    $app = JFactory::getApplication();
    $row = $this->getTable('[TableName]');  //[TableName]: Use your table class here

    // Get the user data exactly as it was posted, without any filtering.
    $requestData = JRequest::getVar('jform', array(), 'post', 'array');

    if (!$row->bind($requestData))
    {
        $this->setError($this->_db->getErrorMsg());
        return false;
    }

    if (!$row->store())
    {
        $this->setError($this->_db->getErrorMsg());
        return false;
    }

    return true;
}

This function gets the data from the input form, binds it to the table row and, if everything is fine, stores it in the database. However, you are storing the information without properly validating it. Hence, any HTML or JavaScript tags typed into the input boxes will be accepted and stored in the database.

To validate against XSS you need to add the validation step to the store function of the model. The function then looks like this:

/**
 *
 * Store the Data
 *
 */
function store()
{
    // Check the request token.
    JRequest::checkToken('post') or jexit(JText::_('JINVALID_TOKEN'));

    // Initialise variables.
    $app = JFactory::getApplication();
    $row = $this->getTable('[TableName]');  //[TableName]: Use your table class here

    // Get the user data.
    $requestData = JRequest::getVar('jform', array(), 'post', 'array');

    // Validate the posted data.
    $form = $this->getForm();

    if (!$form) {
        JError::raiseError(500, $this->getError());
        return false;
    }

    // validate() filters every field according to the form definition and
    // applies the form rules; it returns the cleaned data, or false on error.
    $data = $this->validate($form, $requestData);

    // Check for validation errors.
    if ($data === false) {
        // Get the validation messages.
        $errors = $this->getErrors();

        // Push up to three validation messages out to the user.
        for ($i = 0, $n = count($errors); $i < $n && $i < 3; $i++) {
            if (JError::isError($errors[$i])) {
                $app->enqueueMessage($errors[$i]->getMessage(), 'warning');
            } else {
                $app->enqueueMessage($errors[$i], 'warning');
            }
        }

        // Save the posted data in the session so the form can be re-filled.
        $app->setUserState('com_xxx.[ViewName].data', $requestData);   //[ViewName]: Enter view name here

        // Redirect back to the input form
        $this->setRedirect(JRoute::_('index.php?option=com_xxx&view=[ViewName]', false));  //[ViewName]: Use viewname to display after saving data
        return false;
    }

    // Only the filtered, validated data is bound to the table row.
    if (!$row->bind($data))
    {
        $this->setError($this->_db->getErrorMsg());
        return false;
    }

    if (!$row->store())
    {
        $this->setError($this->_db->getErrorMsg());
        return false;
    }

    return true;
}

Here, in the block under "Validate the posted data", we get the input form and validate the data by calling Joomla’s validate method. In the block under "Check for validation errors", we check whether validation failed. The validate method also reports other validation errors, such as missing data for a required field. If an error occurs, the user is redirected back to the input form with the previously entered data kept in a session variable. Only if everything is ok is the data saved in the database.
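The store function above depends on $this->getForm(), which the post does not show. The following is an added example (not code from the original post) of the JModelForm model that provides it, together with the form definition that decides how each field is filtered; com_xxx, XxxModelComment, the field names and the language keys are placeholders.

```php
<?php
// Added example for a Joomla 1.6 component; com_xxx and all names are placeholders.
defined('_JEXEC') or die;

jimport('joomla.application.component.modelform');

class XxxModelComment extends JModelForm
{
    // The form definition is embedded as a string for illustration; in a real
    // component it lives in models/forms/comment.xml and is loaded with loadForm().
    // The "filter" attribute decides what $this->validate() does to each value:
    //   - no filter attribute:  JFilterInput strips every HTML tag
    //   - filter="safehtml":    ordinary tags are kept, but <script>, <applet>, etc.
    //                           and on* event attributes are removed
    //   - filter="raw":         nothing is removed; never use it on untrusted input
    // "validate" adds a rule check (here JFormRuleEmail); "required" rejects empty values.
    const FORM_XML = '
<form>
  <fieldset name="comment">
    <field name="author" type="text"     label="COM_XXX_AUTHOR" required="true" />
    <field name="email"  type="email"    label="COM_XXX_EMAIL"  required="true" validate="email" />
    <field name="body"   type="textarea" label="COM_XXX_BODY"   required="true" filter="safehtml" />
  </fieldset>
</form>';

    /**
     * Returns the JForm instance that store() validates the posted data against.
     * The control name "jform" must match the array key that store() reads with
     * JRequest::getVar('jform', array(), 'post', 'array').
     */
    public function getForm($data = array(), $loadData = true)
    {
        $form = JForm::getInstance('com_xxx.comment', self::FORM_XML, array('control' => 'jform'));

        if (empty($form)) {
            return false;
        }

        return $form;
    }
}
```

Filtering removes the tags but keeps the text between them, so the view template should still output the stored values through $this->escape() rather than echoing them raw.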

The validate method is very useful for securing a Joomla component against XSS in input data, and for other kinds of input validation in Joomla. For other types of security requirements in Joomla, have a look at Securing Joomla Extensions and the Security link, and search Google for more information.
