XSS safe model content
In this post I am going to describe a solution to make your yii-based web application safe from illegal content injections.
I am going to make a use of the the yii wrapped htmlpurifier class inside a behavior. this behavior could be attached to any model with declaring the attributes we would like to make them XSS safe.
I have wrote the following behavior :
class CSafeContentBehavior extends CActiveRecordBehavior { public $attributes =array(); protected $purifier; function __construct(){ $this->purifier = new CHtmlPurifier; } public function beforeSave($event) { foreach($this->attributes as $attribute){ $this->getOwner()->{$attribute} = $this->purifier->purify($this->getOwner()->{$attribute}); } } }
place this class in a file in your application directory, for example : application/behaviors/CSafeContentBehavior.php Now in your model you attach the behavior like this :
class Post extends CActiveRecord { public function behaviors(){ return array( 'CSafeContentBehavor' => array( 'class' => 'application.behaviors.CSafeContentBehavior', 'attributes' => array('title', 'body'), ), ); }
Here we go. Our Post model will now purify title and body columns before each save operation.
Total 3 comments:
I think that this part "'attributes' => array('title', 'body')," better to implement as validator (similar as new CSafeValidator). To define behaviors for column in one place.
CHtmlPurifier will be initialized every on model creation. Right?