Yii 1.1: XSS safe model content


In this post I describe a way to protect a Yii-based web application from content injection (stored XSS) by purifying model attributes before they are saved.

I am going to use Yii's wrapper around HTMLPurifier, CHtmlPurifier, inside a behavior. The behavior can be attached to any model, declaring the attributes that should be made XSS safe.

I wrote the following behavior:

class CSafeContentBehavior extends CActiveRecordBehavior
{
    /** @var array names of the owner's attributes to purify before each save */
    public $attributes = array();

    /** @var CHtmlPurifier Yii's wrapper around HTMLPurifier */
    protected $purifier;

    function __construct()
    {
        // Created together with the behavior, i.e. once per model instance.
        $this->purifier = new CHtmlPurifier;
    }

    /**
     * Runs before CActiveRecord::save(); replaces each configured attribute
     * with its purified version so that only clean HTML reaches the database.
     */
    public function beforeSave($event)
    {
        $owner = $this->getOwner();
        foreach ($this->attributes as $attribute) {
            $owner->{$attribute} = $this->purifier->purify($owner->{$attribute});
        }
    }
}

Place this class in a file in your application directory, for example application/behaviors/CSafeContentBehavior.php. Now attach the behavior to your model like this:

class Post extends CActiveRecord
{
    public function behaviors()
    {
        return array(
            'CSafeContentBehavior' => array(
                'class' => 'application.behaviors.CSafeContentBehavior',
                // attributes that must be purified before saving
                'attributes' => array('title', 'body'),
            ),
        );
    }
}

Here we go. Our Post model will now purify the title and body columns before each save operation.

Total 2 comments

#806
fduch at 2010/02/26 03:39am
Another implementation

I think that this part "'attributes' => array('title', 'body')," would be better implemented as a validator (similar to the new CSafeValidator), to define behaviors for a column in one place.
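As an added example (not the article's or Yii's own code), this is what fduch's suggestion looks like as a CValidator: the list of attributes to purify lives in rules() next to the other rules, and the CHtmlPurifier instance is created once per request and shared. The class name PurifyValidator and the path alias application.validators are assumptions.

```php
<?php
/**
 * Validator alternative to the CSafeContentBehavior above. It never adds a
 * validation error; it rewrites the attribute in place with purified HTML.
 * Assumed location: application/validators/PurifyValidator.php
 */
class PurifyValidator extends CValidator
{
    /** @var CHtmlPurifier shared by all instances for the current request */
    private static $purifier;

    /**
     * @var array HTMLPurifier config, e.g. array('HTML.Allowed' => 'p,b,i,a[href]').
     * Only the options of the first validator that runs are applied, because
     * the purifier instance is shared.
     */
    public $options = array();

    protected function validateAttribute($object, $attribute)
    {
        $value = $object->$attribute;
        if ($value === null || $value === '') {
            return; // nothing to purify
        }
        $object->$attribute = $this->getPurifier()->purify($value);
    }

    private function getPurifier()
    {
        if (self::$purifier === null) {
            self::$purifier = new CHtmlPurifier;
            self::$purifier->options = $this->options;
        }
        return self::$purifier;
    }
}

// In the model, the rules() entry replaces the behaviors() entry from the article.
class Post extends CActiveRecord
{
    public function rules()
    {
        return array(
            array('title, body', 'application.validators.PurifyValidator'),
            array('title', 'length', 'max' => 255),
        );
    }
}
```

Because validators only run from validate(), a call to save(false) bypasses purification; the beforeSave behavior in the article runs on every save regardless.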

#812
samdark at 2010/02/25 10:36am
Performance issue

CHtmlPurifier will be initialized on every model creation. Right?

  • Written by: phiras
  • Category: Tutorials
  • Yii Version: 1.1
  • Votes: +4
  • Viewed: 7,313 times
  • Created on: Feb 25, 2010
  • Last updated: never