Yii 1.1: yxss-filter

Use Kohana regexp to sanitize all user input

This extension sanitizes all user input.

Requirements

* Yii 1.0 or above

Installation

* Extract the release file under protected/filters

Usage

Add the following code to your controller:

    public function filters()
    {
        return array(
            array('application.filters.YXssFilter', // path alias for protected/filters/YXssFilter.php
                'clean'   => '*',       // which inputs to sanitize
                'tags'    => 'strict',  // strict: strip tags; soft: encode them
                'actions' => 'all',     // apply to every action of this controller
            ),
        );
    }


Change Log

September 10, 2009

  • Initial release.

Total 5 comments

#9929
Elecen at 2012/09/23 12:50pm
Either use the best or none at all

This falls into the same category antiviruses do. If it can't protect you 99.99%, don't use it at all. It will only give you the illusion of safety. Yii's built-in purifier uses http://htmlpurifier.org/ which is by far the best. Yes it's heavy, but if used correctly and only when it's actually needed it's excellent. And of course, it's up to you to keep this piece of code always up to date.

Common good practices: Purify content that is to be rendered as HTML and may come from an unsafe source (a user. Your website admin has nothing really to gain. In most cases ;))

For any numerical inputs, just cast them: (int)$myOption. For textboxes, max length can be a huge time saver. For text areas coming from outside... purify :)

That's pretty much all you need to keep your site XSS safe.

#4029
jeremy at 2011/05/30 03:45pm
problem using < comparison operator in filters and searches

I still like this extension very much. But if one filters all input types (GET, POST, etc.) and all actions, then comparison operations beginning with < do not work. In STRICT mode, PHP strip_tags treats anything starting with < as a tag, and strips to the next whitespace. In SOFT mode, < is changed into &lt; which does not match the regex in CDbCriteria.compare().

My solution was to add logic to preFilter(), to not filter data coming from the 'Admin' action:

// Skip filtering when the current action is not in the configured list
if($this->actions != '*' && $this->actions != 'ALL' && !in_array($filterChain->action->id,explode(',',$this->actions)))
    return true;
// + JJD: also skip the Admin action so '<' comparison operators in its search filters survive
if (strtolower($filterChain->action->id) == 'admin')
    return true;

This seems like an acceptable compromise to allow use of comparison operators in filters, and still keeps security in the rest of the app.
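As an added illustration (not code from the extension or from the commenters) of the breakage jeremy describes and of the per-field alternative Elecen recommends, the snippet below runs constructed search values through a strict (strip_tags) pass, a soft (HTML-encoding) pass, and a narrow validator that accepts only an operator plus an integer. The operator list is an assumption modelled on the prefix CDbCriteria::compare() parses; the function names and sample values are constructed here.

```php
<?php
// Added example, not part of the yxss-filter extension or of the comments above.
// Demonstrates why blanket filtering of every GET/POST value breaks '<' comparison
// operators in search fields, and shows a narrower check for one numeric field.

// Constructed sample values, as a user might type them into a search/admin grid.
$samples = array('<100', '< 100', '>=5', 'foo <b>bar</b>', '<script>alert(1)</script>');

// STRICT-mode behaviour: strip_tags() treats text starting with '<' as a tag.
function strictMode($value)
{
    return strip_tags($value);
}

// SOFT-mode behaviour: HTML-encode, so '<' becomes '&lt;' and no longer matches
// a comparison-operator regex applied to the raw value.
function softMode($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Narrow alternative for a numeric comparison field: accept only an optional
// comparison operator followed by an integer; reject everything else.
// (Operator set assumed, modelled on the prefix CDbCriteria::compare() understands.)
function parseNumericComparison($value)
{
    if (!preg_match('/^\s*(<>|<=|>=|<|>|=)?\s*(-?\d+)\s*$/', $value, $m)) {
        return null; // not "operator + number": refuse it instead of mangling it
    }
    return array(
        'op'    => $m[1] === '' ? '=' : $m[1],
        'value' => (int) $m[2], // cast, as recommended for numeric inputs
    );
}

foreach ($samples as $s) {
    printf("%-28s strict=%-22s soft=%-44s numeric=%s\n",
        var_export($s, true),
        var_export(strictMode($s), true),
        var_export(softMode($s), true),
        str_replace("\n", ' ', var_export(parseNumericComparison($s), true)));
}
```

The validator keeps the comparison operator intact while rejecting markup outright, which is the point of validating each field for what it is rather than tag-stripping all input; HTML encoding still belongs at output time.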

#3224
jeremy at 2011/03/26 04:43pm
VERY helpful

I put this in my base controller class from which all other controllers extend. Simple. Now my entire app is protected. From reading the docs for CHtmlPurifier, which does the same thing, it appeared that component performs poorly. So far I haven't noticed any performance impact using YXssFilter.

#950
someone at 2010/01/22 02:35am

Thanks a lot for this filter! It's very useful. "must have"

#1316
Bethrezen at 2009/09/16 10:40am
Great work!

Great work, Andrew!

  • Yii Version: 1.1
  • License: New BSD License
  • Developed by: xomaa
  • Category: Security
  • Votes: +5 / -1
  • Downloaded: 1,143 times
  • Created on: Sep 10, 2009
  • Last updated: Sep 10, 2009