Purify your inputs in Yii
When working with my models in Yii I tried to inject some JavaScript into a text area, a simple alert, and the alert popped up when I went to browse the content of my model.
Fortunately, we can prevent JavaScript injection, and more, by using a PHP library called HTMLPurifier.
Yii includes this library as a widget (CHtmlPurifier) that you can also use as a filter inside your model's validation rules, so the content is sanitized before it is saved.
Here goes the code I used (taken from the Yii documentation); it goes inside the array returned by the model's rules() method:

array('your_text_field','filter','filter'=>array($obj=new CHtmlPurifier(),'purify')),

The filter replaces the attribute with the purified value: <script> blocks and other unsafe markup (event-handler attributes, javascript: URLs) are removed, while harmless HTML such as <b> or <p> is kept.
If the tag delimiters (<, > and /) are already encoded as HTML entities, the content is not evaluated as markup but just stored as plain text.
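The complete model the rule above belongs to, as an added example that is not code from the original post or from the Yii project. It assumes a Yii 1.1 application is bootstrapped (so CFormModel, CHtmlPurifier, CHtml and the filter validator autoload); the CommentForm class, its attribute names and the sample input are made up for the illustration. It goes a little beyond the one-line rule by giving the purifier an explicit whitelist and by contrasting a rich-text field, which is purified, with a plain-text field, which is not and therefore still has to be encoded at output time.

```php
<?php
// Added example (not code from the original post or from the Yii project).
// Assumes a Yii 1.1 application has been bootstrapped, so CFormModel,
// CHtmlPurifier, CHtml and the 'filter' validator are autoloaded.
// CommentForm, its attribute names and the sample input are made up here.

class CommentForm extends CFormModel
{
    public $body;      // rich-text field: purified, a small tag whitelist survives
    public $nickname;  // plain-text field: markup is never wanted here

    public function rules()
    {
        // One purifier instance with an explicit whitelist. Everything outside
        // it (script, event-handler attributes, javascript: URLs, iframes, ...)
        // is dropped by HTML Purifier; only the tags listed here survive.
        $purifier = new CHtmlPurifier();
        $purifier->setOptions(array(
            'HTML.Allowed'       => 'p,br,b,strong,i,em,ul,ol,li,a[href]',
            'URI.AllowedSchemes' => array('http' => true, 'https' => true),
        ));

        return array(
            array('body, nickname', 'required'),
            array('nickname', 'length', 'max' => 40),
            // The filter rule overwrites the attribute with purify()'s return
            // value, so the model only ever holds sanitized HTML in $body.
            array('body', 'filter', 'filter' => array($purifier, 'purify')),
        );
    }
}

// Constructed payload: script tag, inline event handler, javascript: link and
// an already-encoded tag that should stay as literal text.
$input = array(
    'nickname' => '<b>mallory</b>',
    'body'     => '<p onmouseover="alert(1)">hi <b>there</b></p>'
                . '<script>alert(document.cookie)</script>'
                . '<a href="javascript:alert(2)">click</a>'
                . '<p>escaped: &lt;script&gt;</p>',
);

$form = new CommentForm();
$form->attributes = $input;   // massive assignment; only attributes with rules are set

if ($form->validate()) {
    // $body was purified during validate(): no <script>, no onmouseover,
    // no javascript: href; <p>, <b> and the literal &lt;script&gt; text remain.
    echo $form->body, "\n";
    // $nickname was NOT purified (it is plain text), so encode it at output time.
    echo CHtml::encode($form->nickname), "\n";
}
```

Two things worth keeping in mind when you copy the rule into your own models: the filter only sanitizes the attributes it is attached to, so every other field still needs CHtml::encode() when it is rendered; and if you later loosen the whitelist (for example to allow img or style) you are re-opening exactly the attack surface the purifier closed, so review each added tag against the HTML Purifier documentation before enabling it.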
Yep, that's the beauty of using a kick-ass framework such as Yii!
For the Java/JSP lovers there seems to be an equivalent (which I haven't evaluated):
AntiSamy