Encode at ActiveRecord level?

This might be a stupid question but is there an automatic way for my ActiveRecord variables to be run through HTML::encode so they don't allow <script>alert('test');</script> or <iframe src=http://google.com></iframe> on text fields? I thought safe did this automatically?


// Yii 2: Html is \yii\helpers\Html (the HTML::encode the question refers to)
public function afterFind()
{
    // Rewrites the loaded attribute with its HTML-escaped form
    $this->Comments = Html::encode($this->Comments);
    parent::afterFind();
}

No. It should not be done in models because they may be outputted in different contexts: HTML, console, JavaScript etc. In each of the contexts escaping is different.
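An added example (not from this thread) in plain PHP with no Yii dependency, showing why escaping belongs in the view: the same stored comment needs different treatment for HTML, JavaScript and console output, and encoding it once in afterFind() breaks the other two. The Comment class and the escape* functions are hypothetical stand-ins; the sample comment is constructed.

```php
<?php
// Added example (not from the thread): why escaping belongs in the view, not the model.
// Plain PHP standing in for a Yii model; class and function names are hypothetical.

declare(strict_types=1);

// Constructed sample of what a user might have typed into the Comments field.
const RAW_COMMENT = "Nice post <script>alert('test');</script> & thanks";

// Minimal stand-in for an ActiveRecord row: it stores the value *unescaped*.
final class Comment
{
    public function __construct(public string $Comments) {}
}

// Context 1: HTML body or attribute. Same flags yii\helpers\Html::encode() uses.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Context 2: a JavaScript string literal inside a <script> block or a JSON API.
// The HEX flags keep the literal safe even when inlined into HTML.
function escapeJs(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// Context 3: console/log output. HTML entities are wrong here; only fold newlines.
function formatConsole(string $s): string
{
    return str_replace(["\r", "\n"], ' ', $s);
}

$row = new Comment(RAW_COMMENT);

// Each view picks the escaper for its own output context:
echo '<p>' . escapeHtml($row->Comments) . "</p>\n";
echo '<script>var c = ' . escapeJs($row->Comments) . ";</script>\n";
echo 'LOG: ' . formatConsole($row->Comments) . "\n";

// What goes wrong if the model had already HTML-encoded the value in afterFind():
$preEncoded = new Comment(escapeHtml(RAW_COMMENT));
echo escapeJs($preEncoded->Comments) . "\n";      // JS now receives "&lt;script&gt;" as literal text
echo formatConsole($preEncoded->Comments) . "\n"; // console shows entities instead of the comment
```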

You could, though. Just extend the ActiveRecord class and have your models inherit it, override some methods (one(), all() ?) and format as needed. You shouldn’t though, like samdark said.

Just get into the habit of escaping all user-supplied output within your views. There are code sniffers you can use to search for variables that haven't been escaped properly. Heck, you could even easily do a simple regex find across your views to look for unescaped data.