I’ve been trying out Yii recently and found it very neat. One thing that concerns me though is the security. While there are already some pretty good security mechanisms built-in, there is lots of room for improvement and more security features.
Why recreate the wheel?
What I have in mind is basically to improve the framework security-wise to be more secure and offer more security features “out-of-the-box” so that everyone doesn’t have to recreate the wheel when trying to make their applications as secure as possible. This will ultimately result in audited code that is well tried and tested by many developers.
Since I’m not an expert in neither Yii or Web app security in general, I call upon the experts on this forum to join in and share their knowledge in this joint effort. I know there are many experienced and knowledgeable Yii programmers out there. Don’t be shy! =)
- To security-wise improve all aspects of Yii, step by step, closely following the OWASP guidelines (see their "cheat sheets") and other "industry standard" methods to mitigate and remedy common web app vulnerabilities, while still keeping the Yii framework as "untainted" as possible.
Again, I call upon experienced developers to share their suggestions on how to best achieve this. Depending on the requirements the final result will be available as one or more Extensions and/or code patches.
To provide Example Code and Documentation of the added functions/features.
To raise general awareness and knowledge of Web App security.
To make Yii the most secure choice among web frameworks.
To have the final results implemented in future releases of the Yii framework.
How to get there
By having open discussions and commitments in this thread, evaluating methods, code and best practices. Perhaps creating a "live" Wiki page further down the road. If anyone have suggestions on how to organize this, please share. Expect things to get a bit chaotic at first!
To try keeping things focused, I suggest closely following the OWASP Master Sheet step by step.
Does this sound appealing to you?
But before digging in to the Master Sheet, I’d like to start with some fundamentals: Input and Output sanitizing. Yii currently provides the HTML Purifier through the class CHtmlPurifier, which is a powerful tool, together with a bunch of Validator classes (see system.validators) but how do we best use them? I think we can agree that it depends on the context. Some times we want to filter SQL characters from the input, some times we need to filter HTML and script tags. Sometimes both! Sometimes none.
[*]Can we use CHtmlPurifier in all cases or are there need for other solutions/options?
[*]How about PHP’s filter_var for example?
[*]Can we use the built-in Validators and rules to decide when and how to filter input fields in a easy way?
I will stop here for now. Fire away!