This extension sanitizes all user input as a defense against cross-site scripting (XSS).
Requirements
* Yii 1.0 or above
Installation
* Extract the release file under protected/filters
Usage
Add the following filters() method to your controller (or to a base controller that all your controllers extend, so the whole application is covered):
    public function filters()
    {
        return array(
            array(
                'application.filters.YXssFilter',
                'clean'   => '*',
                'tags'    => 'strict',
                'actions' => 'all',
            ),
        );
    }
Comments
The extension is great and all, but in the section just below the // Remove really unwanted tags comment, why are tags not removed? I tested and inserted PHP tags in a field, and they were not cleaned...
I still like this extension very much. But if one filters all input types (GET, POST, etc.) and all actions, then comparison operations beginning with < do not work. In STRICT mode, PHP strip_tags treats anything starting with < as a tag, and strips to the next whitespace. In SOFT mode, < is changed into &lt;, which does not match the regex in CDbCriteria.compare().
My solution was to add logic to preFilter(), to not filter data coming from the 'Admin' action:
This seems like an acceptable compromise to allow use of comparison operators in filters, and still keeps security in the rest of the app.
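The Usage section above attaches the filter to one controller, and the comment just above wants the admin action left unfiltered so that CGridView's comparison operators (such as "<5") still reach CDbCriteria.compare(). The following is an added example (not the extension's own code, nor the commenter's preFilter() change): a base controller that applies YXssFilter application-wide and exempts the admin action using Yii 1.x's own "- action" suffix in the filter specification, which CFilterChain evaluates before the filter is even instantiated. The class names Controller and PostController and the action name admin are assumptions for illustration.

```php
<?php
// Added example, not part of the YXssFilter release.
// Base controller: every controller that extends it inherits filters(),
// so YXssFilter runs for the whole application with one declaration.
class Controller extends CController
{
    public function filters()
    {
        return array(
            array(
                // "- admin" is the standard Yii 1.x CFilterChain syntax for
                // excluding actions; the chain skips this filter entirely
                // when the current action ID matches, so YXssFilter's own
                // 'actions' => 'all' setting never sees the admin request.
                'application.filters.YXssFilter - admin',
                'clean'   => '*',       // values as shown in the Usage section
                'tags'    => 'strict',
                'actions' => 'all',
            ),
        );
    }
}

// Child controller (assumed name): nothing to add, the filter is inherited.
class PostController extends Controller
{
    public function actionCreate()
    {
        // $_POST has already been cleaned by YXssFilter when we get here.
        // Strip-on-input does not replace output encoding: views should still
        // render user data through CHtml::encode().
        $model = new Post;
        if (isset($_POST['Post'])) {
            $model->attributes = $_POST['Post'];
            if ($model->save()) {
                $this->redirect(array('view', 'id' => $model->id));
            }
        }
        $this->render('create', array('model' => $model));
    }

    public function actionAdmin()
    {
        // Not filtered: the CGridView filter row may submit "<5" or ">2010-01-01",
        // which CDbCriteria::compare() parses as an operator and a value.
        $model = new Post('search');
        $model->unsetAttributes();
        if (isset($_GET['Post'])) {
            $model->attributes = $_GET['Post'];
        }
        $this->render('admin', array('model' => $model));
    }

    // If a child controller overrides filters(), merge rather than replace,
    // or the application-wide filter is silently lost for that controller:
    //   return array_merge(parent::filters(), array('accessControl'));
}
```

Exempting an action trades input filtering for that one entry point, so anything the admin action stores must be encoded on output like everything else; with that in place the exemption is the same compromise the comment above describes, expressed through Yii's filter chain instead of a preFilter() check.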
I put this in my base-controller class from which all other controllers extend. Simple. Now my entire app is protected. From reading the docs for CHtmlPurifier, which does the same thing, it appeared that component performs poorly. So far haven't noticed any performance impact using YXssFilter.
Thanks a lot for this filter! It's very useful. "must have"
Great work, Andrew!