This article describes a way to keep a web application from storing injected markup (cross-site scripting payloads) in its models.
The idea is to wrap CHtmlPurifier in a behavior that can be attached to any model, listing the attributes that should be made XSS-safe before they are saved.
I wrote the following behavior:
class CSafeContentBehavior extends CActiveRecordBehavior
{
    // Names of the owner model's attributes that are purified before each save.
    public $attributes = array();

    // One purifier instance is shared by all attributes of this behavior.
    protected $purifier;

    function __construct()
    {
        $this->purifier = new CHtmlPurifier;
    }

    // Runs on the owner's onBeforeSave event, i.e. for every save() on insert and update.
    public function beforeSave($event)
    {
        foreach ($this->attributes as $attribute) {
            $this->getOwner()->{$attribute} = $this->purifier->purify($this->getOwner()->{$attribute});
        }
    }
}
Put this class under the application directory (the one the application path alias points to, protected/ by default), for example protected/behaviors/CSafeContentBehavior.php. Then attach it in the model's behaviors() method:
class Post extends CActiveRecord
{
    public function behaviors()
    {
        return array(
            'CSafeContentBehavior' => array(
                'class' => 'application.behaviors.CSafeContentBehavior',
                'attributes' => array('title', 'body'),
            ),
        );
    }
}
That is all that is needed: the Post model now purifies its title and body attributes on every save(). Two caveats apply. First, beforeSave only fires for save(); records written through updateAll(), updateByPk() or raw SQL bypass the behavior, so treat it as defence in depth rather than the only control. Second, the purifier is meant for attributes that legitimately hold HTML, such as body; a plain-text attribute such as title is better protected by encoding it on output with CHtml::encode(), which also works for content that was stored before the behavior was added.
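As an added example that is not part of the wiki article or of Yii itself, the following variant of the behavior lets each model pass a whitelist of allowed tags to the purifier, creates the purifier lazily (so the configuration applied by Yii::createComponent() after construction is honoured), and leaves NULL or empty attributes untouched so nullable columns stay NULL. The class name PurifyAttributesBehavior, the table name tbl_post and the view fragment are assumptions for the illustration; CActiveRecordBehavior, CHtmlPurifier::$options, CHtmlPurifier::purify() and CHtml::encode() are the Yii 1.1 APIs.

```php
<?php
// Added example, not the article's or Yii's own code.
// Assumed location: protected/behaviors/PurifyAttributesBehavior.php
class PurifyAttributesBehavior extends CActiveRecordBehavior
{
    /** @var array attribute names to purify before every save() */
    public $attributes = array();

    /**
     * @var array HTMLPurifier configuration handed to CHtmlPurifier::$options.
     * 'HTML.Allowed' is a whitelist: any element or attribute not listed is dropped,
     * so <script>, event handlers and javascript: URLs never reach the database.
     */
    public $options = array(
        'HTML.Allowed' => 'p,br,b,strong,i,em,ul,ol,li,a[href],blockquote',
        'AutoFormat.RemoveEmpty' => true,
    );

    private $_purifier;

    // Lazy construction: behaviors are built by Yii::createComponent(), which sets
    // public properties such as $options only after the constructor has run.
    protected function getPurifier()
    {
        if ($this->_purifier === null) {
            $this->_purifier = new CHtmlPurifier;
            $this->_purifier->options = $this->options;
        }
        return $this->_purifier;
    }

    // Fires on the owner's onBeforeSave event (insert and update via save()).
    // Not triggered by updateAll()/updateByPk() or raw SQL.
    public function beforeSave($event)
    {
        $owner = $this->getOwner();
        foreach ($this->attributes as $attribute) {
            $value = $owner->$attribute;
            if ($value === null || $value === '') {
                continue; // nothing to clean; keep NULL as NULL
            }
            $owner->$attribute = $this->getPurifier()->purify($value);
        }
    }
}

// Assumed model: only the rich-text body is purified; the plain-text title is
// left alone and encoded on output instead.
class Post extends CActiveRecord
{
    public static function model($className = __CLASS__)
    {
        return parent::model($className);
    }

    public function tableName()
    {
        return 'tbl_post'; // assumed table name
    }

    public function behaviors()
    {
        return array(
            'purify' => array(
                'class' => 'application.behaviors.PurifyAttributesBehavior',
                'attributes' => array('body'),
                // Tighter whitelist for this model: no links at all.
                'options' => array('HTML.Allowed' => 'p,br,b,strong,i,em'),
            ),
        );
    }
}

// Assumed view fragment (protected/views/post/view.php): the title is plain text,
// so it is output-encoded; the body was purified on save and is emitted as HTML.
// echo CHtml::encode($post->title);
// echo $post->body;
```

Because purification changes what is stored, content that was saved before the behavior was attached is not covered; run a one-off migration that loads and re-saves those rows, or encode on output for those fields until that has been done.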
Source: http://www.yiiframework.com/wiki/67/xss-safe-model-content/