You are viewing revision #1 of this wiki article.
This is the latest version of this article.
In this post I am going to describe a solution to make your yii-based web application safe from illegal content injections.
I am going to make a use of the the yii wrapped htmlpurifier class inside a behavior. this behavior could be attached to any model with declaring the attributes we would like to make them XSS safe.
I have wrote the following behavior :
class CSafeContentBehavior extends CActiveRecordBehavior
{
public $attributes =array();
protected $purifier;
function __construct(){
$this->purifier = new CHtmlPurifier;
}
public function beforeSave($event)
{
foreach($this->attributes as $attribute){
$this->getOwner()->{$attribute} = $this->purifier->purify($this->getOwner()->{$attribute});
}
}
}
place this class in a file in your application directory, for example : application/behaviors/CSafeContentBehavior.php Now in your model you attach the behavior like this :
class Post extends CActiveRecord
{
public function behaviors(){
return array(
'CSafeContentBehavor' => array(
'class' => 'application.behaviors.CSafeContentBehavior',
'attributes' => array('title', 'body'),
),
);
}
Here we go. Our Post model will now purify title and body columns before each save operation.
Another implementation
I think that this part "'attributes' => array('title', 'body')," better to implement as validator (similar as new CSafeValidator). To define behaviors for column in one place.
Performance issue
CHtmlPurifier will be initialized every on model creation. Right?
If you have any questions, please ask in the forum instead.
Signup or Login in order to comment.