How to filter all post and get request for xss issues

vkumar8404 · October 27, 2023, 11:30am

We are having many number of controllers in our application and these controllers are using get and post requests, we want to filter these request from xss issues on application level. Is there any way to do this on application level so if there are any get or post request its gets purified.
We have already parameter binding ,CHtml::purifiers ,Chtml::encode but now want a solution which can pass through any security assessment tool.
Here are some request link examples
GET /application_name/page3/dependency?16ffd0cd302313598e4a18abe473b9f1bf6a2406=&TableLog_sort=created_on&_=1679697812770&dependency=/user/user/update&dependencyTabDropdownIndex=0’“()%26%25<ScRiPt%20>9aPQ(9906)&dependencyTabIndex=4&parentId=147058&parentPk=User%2C%20Profile
GARBAGE STRING given- 0’”()%26%25<ScRiPt%20>dV6E(9559)

paalgg · February 22, 2024, 12:05pm

One suggestion is to have all your controllers extend a BaseController, and in this BaseController you have a function beforeAction do your magic filtering before the action is run.

class BaseController extends CController {
  public function beforeAction() {
   // your code here
  }
}

And all your existing controllers must extend from BaseController instead of CController:

class YourController extends BaseController {
...