Active Record and <script>alert(1)</script> problem

If a user enters <script>alert(1)</script> in a comment textarea, it will show up to all users.

I save strings with Active Record:

    $newcomment->comment = "$comment";

Is there any escape-HTML-tags method in Yii Active Record, or do I have to implement this myself in front of "$comment"?

Is htmlentities() enough?

I think you just need this:

    $newcomment->comment = CHtml::encode($comment);

And if you don’t want tags to be saved in your DB at all, you can use CHtmlPurifier with a filter rule:

    public function rules()
    {
        // Prepare purifier for use as a filter
        $purifier = new CHtmlPurifier;
        $purifier->options = array(
            'HTML.Allowed' => '',   // No HTML allowed
        );

        return array(
            // Run the "comment" attribute (the column from the question) through
            // the purifier before the other validators see it
            array('comment', 'filter', 'filter' => array($purifier, 'purify')),
        );
    }
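The following is an added example, not code from the question, the answer or the Yii project. It compares the three escaping options discussed above (htmlentities() with its default flags, htmlentities() with ENT_QUOTES, and what CHtml::encode() does) on two constructed hostile comments, and then shows what happens when a comment that was already encoded on save, as the answer suggests, is encoded a second time in the view. Yii itself is not loaded: encodeLikeCHtml() stands in for Yii 1.1's CHtml::encode(), which is htmlspecialchars() with ENT_QUOTES and the application charset (assumed to be UTF-8 here); renderCommentView() and saveEncoded() are names invented for this example.

```php
<?php
// Added example, not from the question, the answer or Yii. Plain PHP only.
// encodeLikeCHtml() mirrors Yii 1.1's CHtml::encode(): htmlspecialchars()
// with ENT_QUOTES and the app charset. UTF-8 is assumed because there is no
// Yii::app() here to ask.

declare(strict_types=1);

// Stand-in for CHtml::encode().
function encodeLikeCHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// What a typical Yii 1.1 view does with a model attribute: encode on output.
function renderCommentView(string $storedComment): string
{
    return '<p class="comment">' . encodeLikeCHtml($storedComment) . '</p>';
}

// What the answer above does: encode once before the value reaches the DB.
function saveEncoded(string $rawComment): string
{
    return encodeLikeCHtml($rawComment);
}

// Constructed hostile inputs. The second needs only a single quote to break
// out of an attribute such as title='...'.
$samples = array(
    'element content'    => '<script>alert(1)</script>',
    'single-quoted attr' => "' onmouseover='alert(1)",
);

foreach ($samples as $label => $raw) {
    echo "== $label ==\n";
    echo "raw:                  $raw\n";
    // htmlentities() with its default flags (ENT_COMPAT on PHP before 8.1)
    // leaves single quotes alone, so the attribute payload survives it.
    echo "htmlentities():       " . htmlentities($raw) . "\n";
    echo "htmlentities(QUOTES): " . htmlentities($raw, ENT_QUOTES, 'UTF-8') . "\n";
    echo "CHtml::encode style:  " . encodeLikeCHtml($raw) . "\n\n";
}

$raw = '<script>alert(1)</script>';

// Store raw, encode on output: the browser shows the literal text.
echo "store raw, encode in view:\n  " . renderCommentView($raw) . "\n";

// Encode on save AND encode in the view: the stored &lt; becomes &amp;lt;,
// so the user sees "&lt;script&gt;..." instead of "<script>...".
$stored = saveEncoded($raw);
echo "encode on save, encode again in view:\n  " . renderCommentView($stored) . "\n";

// Encode on save, echo without encoding: safe only while every output path
// (views, JSON, CSV exports, mails) remembers that the column is pre-encoded.
echo "encode on save, echo as stored in view:\n  <p class=\"comment\">$stored</p>\n";
```

Run it from the command line with php to see the three encodings side by side. The usual recommendation is to store the raw string and encode at output for the context it lands in, which is what CHtml::encode() in a view already does; encoding on save as the answer suggests does stop the stored payload from rendering, but then any view that also calls CHtml::encode() double-encodes, and any view that echoes the column directly is relying on the save path never having been bypassed (console commands, fixtures, a second application sharing the table).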