Yii and XSS

Hi!

Where do I escape user input? Should I use strip_tags and CHtml::encode in beforeSave()? How do I protect

In the model rules:

array('username', 'filter', 'filter' => 'strip_tags'),

You can also trim:

array('username', 'filter', 'filter' => 'trim'),



And use CHtml::encode in views?

I would say save the data as it is and encode it when displaying the data in views

It's better to add a filter in the rules with encoding, so it is done once before saving the data. Often you needn't do it every time.

array('field', 'filter', 'filter' => array('CHtml', 'encode'))
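The two approaches above (trim or strip in the rules and encode once on save, versus store the value as submitted and encode when rendering) look like this in Yii 1.1 code. This is an added example, not code from the thread; the class, table and attribute names (Comment, username, body) and the username pattern are assumptions chosen for illustration. It keeps only whitespace normalisation and length checks in the rules and puts CHtml::encode() in the view, so the database holds the original text and every output context encodes for itself.

```php
<?php
// File: protected/models/Comment.php (hypothetical). Added example, not from the thread.
// The stored value is what the user typed (apart from trim); encoding happens in the view.

class Comment extends CActiveRecord
{
    public static function model($className = __CLASS__)
    {
        return parent::model($className);
    }

    public function tableName()
    {
        return '{{comment}}';
    }

    public function rules()
    {
        return array(
            // Normalise whitespace and bound the size. Do not HTML-encode here:
            // if the row is later sent as JSON, e-mail or CSV, every consumer would
            // have to know the column is already encoded, and encoding it again in
            // a view turns "<" into the literal text "&lt;".
            array('username, body', 'filter', 'filter' => 'trim'),
            array('username, body', 'required'),
            array('username', 'length', 'max' => 32),
            // Illustrative allow-list for a login name; adjust to your own policy.
            array('username', 'match', 'pattern' => '/^[A-Za-z0-9_.-]+$/'),
            array('body', 'length', 'max' => 2000),
        );
    }
}

// File: protected/views/comment/_view.php (hypothetical), rendered with $comment set.
// CHtml::encode() wraps htmlspecialchars() with ENT_QUOTES and the application charset,
// so quotes are encoded too and the value is safe in element content and attributes.
?>
<div class="comment">
    <strong><?php echo CHtml::encode($comment->username); ?></strong>
    <p><?php echo nl2br(CHtml::encode($comment->body)); ?></p>
    <?php
    // CHtml::link() does not encode the link text, but it does encode attribute
    // values in $htmlOptions, so the title attribute below is safe.
    echo CHtml::link(CHtml::encode('Reply to ' . $comment->username),
        array('comment/reply', 'id' => $comment->id),
        array('title' => $comment->username));
    ?>
</div>
```

The check to run after adopting either approach is to submit a body containing `<b>x</b> & "y"` and view it in the page source: with encode-at-output you should see `&lt;b&gt;x&lt;/b&gt; &amp; &quot;y&quot;` exactly once, and a value that shows `&amp;lt;` has been encoded twice (once in the rules, once in the view).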

You should strip tags in the rules to prevent malicious user input from being saved to your database, and you should also encode it in your view.

And you should definitely not use strip tags.

A lot of different ideas. ;) Is it possible to automatically CHtml::encode all echoed data?

As I said, always have a copy of the original data.

// or you could do this
username          - original data
username_filtered - filtered data

What for? For example, the engine of this forum doesn't store the original data, and strips all XSS and disallowed tags before saving.

You can use the CHtmlPurifier filter to clear any malicious script from input:

public function rules()
{
    return array(
        array('myattribute', 'filter', 'filter' => array($obj = new CHtmlPurifier(), 'purify')),
    );
}
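The purifier rule above and the "keep the original, store a filtered copy" layout suggested earlier combine naturally for a rich-text field. The following is an added example, not code from the thread; the class and column names (Post, title, body, body_html) and the particular allow-list are assumptions. The raw submission is kept in body (so it can be re-edited and re-purified if the policy changes), a purified copy is derived in beforeSave() and echoed by views without further encoding, and plain-text columns are still encoded with CHtml::encode().

```php
<?php
// File: protected/models/Post.php (hypothetical). Added example, not from the thread.
// body      : the text as submitted, never echoed as HTML
// body_html : HTML Purifier output, regenerated on every save, echoed as-is in views

class Post extends CActiveRecord
{
    public static function model($className = __CLASS__)
    {
        return parent::model($className);
    }

    public function tableName()
    {
        return '{{post}}';
    }

    public function rules()
    {
        return array(
            array('title, body', 'required'),
            array('title', 'length', 'max' => 120),
            // body_html is derived, so it must never be mass-assignable from a form.
            array('body_html', 'unsafe'),
        );
    }

    protected function beforeSave()
    {
        if (!parent::beforeSave()) {
            return false;
        }
        $purifier = new CHtmlPurifier();
        // Allow-list of elements and attributes; script, event handlers, inline
        // style and non-http(s)/mailto URLs are removed by HTML Purifier.
        $purifier->options = array(
            'HTML.Allowed'           => 'p,br,b,strong,i,em,ul,ol,li,a[href],blockquote,code,pre',
            'URI.AllowedSchemes'     => array('http' => true, 'https' => true, 'mailto' => true),
            'AutoFormat.RemoveEmpty' => true,
        );
        $this->body_html = $purifier->purify($this->body);
        return true;
    }
}

// File: protected/views/post/view.php (hypothetical), rendered with $post set.
?>
<h1><?php echo CHtml::encode($post->title); ?></h1>
<div class="post-body">
    <?php // Already purified on save; encoding it again would show the tags as text.
    echo $post->body_html; ?>
</div>

<?php
// File: protected/views/post/_form.php (hypothetical): the editor gets the raw text.
// activeTextArea() encodes the value for the textarea, so the original markup
// round-trips unchanged and is purified again when the post is saved.
echo CHtml::activeTextArea($post, 'body', array('rows' => 12));
?>
```

Because body_html is recomputed from body on each save, tightening the allow-list later only requires re-saving existing rows; nothing is lost, which is the practical reason for keeping the original column rather than overwriting it with the filtered text.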

@SiZE genius look at the links I pasted above