Difference between #8 and #9 of
How to write secure Yii1 applications

Revision #9 has been created by acorncom on May 17, 2012, 4:44:34 PM with the memo:

fixed the striptags function, it's actually strip_tags
« previous (#8) next (#11) »

Changes

Title unchanged

How to write secure Yii applications

Category unchanged

How-tos

Yii version unchanged

Tags unchanged

security, authorization, authentication, XSS, SQL injection

Content changed

[...]
This function is in fact a wrapper on `htmlspecialchars()` with your application's characters set
(to be exact, it's not a charset but a character encoding).
So if your texts are not (yet) in UTF-8, you should declare a charset in the global config
(e.g. `'charset' => 'ISO-8859-1'` in the first level of "protected/config/main.php").

You may want to apply `strip_tags()`, to remove HTML/XML tags before escaping.
Beware, this function is not secure, so do not use it without `CHtml::encode()`.

#### Rich text (HTML)

If you want to allow HTML in the user input, then you have to display it raw.
[...]
80 0
114 followers
Viewed: 310 987 times
Version: 1.1
Category: How-tos
Tags: authentication, authorization, security, SQL injection, XSS
Written by: François Gannaz
Last updated by: François Gannaz
Created on: Nov 22, 2011
Last updated: 2 years ago
Update Article
Revert to #8 | Revert to #9

Revisions

View all history