It removes malicious XSS strings, but what I’d like to do is limit the input to alphanumeric characters only.
// For example, say someone tacks this onto the query string:
?somevar=SomeValue') AND 8420=8420 AND ('crap'='crap
// I can grab and purify the input simultaneously with:
$somevar = Yii::app()->input->get('somevar');
// However, when I echo $somevar, it contains the original cruft:
SomeValue') AND 8420=8420 AND ('crap'='crap
How can I make HTMLPurifier (with or without the Yii ‘input’ extension) limit the input to alphanumeric characters?
There are cases where I want to validate the data before dealing with any models.
For instance, on the URL, someone is signing up for my services. One of the things the controller expects, in the $_GET array, is a variable called "name".
// For example, say someone tacks this onto the query string:
?name=BigWidget') AND 8420=8420 AND ('crap'='crap
$name = Yii::app()->getQuery('name');
// the raw value is interpolated straight into the SQL condition
$condition = "name='{$name}'";
$package = Package::model()->find($condition);
The find() command above will throw this exception:
Code: 500
File: /home/blah/src/yii/framework/db/CDbCommand.php
Line: 516
CDbCommand failed to execute the SQL statement: SQLSTATE[42000]:
Syntax error or access violation: 1064 You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the right
syntax to use near ') AND 8420=8420 AND ('crap'='crap' LIMIT 1' at line 1
As you can see, find() tried to run this query, which has invalid syntax:
[sql]
SELECT * FROM product WHERE name='BigWidget') AND 8420=8420 AND ('crap'='crap'
[/sql]
I’d prefer to NOT even be sending such unsanitized input to find() in the first place, which is why I was hoping HTML purifier had an option to strip the input so that only alphanumerics (for example) are allowed.
Short of that, I’d have to write my own wrapper for CmsInput. But that’s just plain sad. Because then my wrapper would wrap around CmsInput, which in turn wraps around HtmlPurifier!
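One way to get the alphanumeric whitelist described above without wrapping CmsInput, as an added example that is not from the original post or from the Yii project: check the raw query value against an alphanumeric test before it goes anywhere near a model, and pass it to find() as a bound parameter instead of interpolating it. The Package model and its name column are taken from the post and are assumed to exist; requireAlnum() and findPackageByName() are hypothetical helper names, and the Yii 1.x calls (Yii::app()->request->getQuery(), CActiveRecord::find() with params, CHttpException) are the framework's own.

```php
<?php
// Added example (not from the post or from Yii): whitelist validation
// plus a parameterised lookup. requireAlnum() and findPackageByName()
// are hypothetical names; Package::model() is assumed from the post.

/**
 * Return $value unchanged if it consists only of ASCII letters and digits
 * and is no longer than $maxLength, otherwise return null.
 * This works on the raw string and does not involve HTMLPurifier, which
 * strips markup but leaves quotes, parentheses and SQL keywords alone.
 */
function requireAlnum($value, $maxLength = 64)
{
    if (!is_string($value) || $value === '' || strlen($value) > $maxLength) {
        return null;
    }
    // ctype_alnum() tests the whole string: one quote, space or
    // parenthesis is enough to make it return false.
    return ctype_alnum($value) ? $value : null;
}

/**
 * Look up a Package by name. Only a validated value reaches the query,
 * and even then it is bound as a parameter so the database never parses
 * user data as SQL. Call this from a controller action, e.g.
 *   $package = findPackageByName(Yii::app()->request->getQuery('name'));
 * Requires the Yii framework to be loaded.
 */
function findPackageByName($rawName)
{
    $name = requireAlnum($rawName);
    if ($name === null) {
        throw new CHttpException(400, 'name must be alphanumeric');
    }
    return Package::model()->find('name=:name', array(':name' => $name));
}

// Constructed sample inputs mirroring the query string from the post;
// this part runs without Yii so the validator can be tried on its own.
$samples = array(
    'BigWidget',
    "BigWidget') AND 8420=8420 AND ('crap'='crap",
    'Big Widget',
    '',
);
foreach ($samples as $raw) {
    $clean = requireAlnum($raw);
    echo var_export($raw, true), ' => ',
        ($clean === null ? 'rejected' : 'accepted'), PHP_EOL;
}
```

The two steps are deliberately independent: the whitelist rejects anything that is not plain letters and digits (so the injected string above never reaches the model), while the bound parameter means that even a future relaxation of the whitelist, say to allow spaces or hyphens in names, cannot turn the lookup back into the broken query shown in the exception.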