Active Record and <script>alert(1)</script> problem

If a user enters

<script>alert(1);</script>

in a comment textarea, it will show up for all users.

I save strings with Active Record:


$newcomment->comment = "$comment";

Is there any escape-html-tags method in Yii Active Record, or do I have to implement this on my own in front of the "$comment"?

Is htmlentities() enough?

I think you just need this:


CHtml::encode($comment)

or


$newcomment->comment = CHtml::encode($comment);

And if you don’t want tags to be saved in your DB at all, you can use CHtmlPurifier with a filter rule:

    // In the comment model (a CActiveRecord subclass)
    public function rules()
    {
        // Prepare purifier for use as a filter
        $purifier=new CHtmlPurifier;
        $purifier->options=array(
            'HTML.Allowed'=>'',     // No HTML allowed
        );
        return array(
            // Runs $purifier->purify() on 'comment' before validation
            array('comment','filter','filter'=>array($purifier,'purify')),
        );
    }
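To make the "encode on output" half of this answer concrete, here is an added, stand-alone PHP example (not code from the post or from Yii): `encodeForHtml()` is a hypothetical helper that does what Yii 1.x `CHtml::encode()` does internally, with the charset assumed to be UTF-8 since no Yii application is loaded.

```php
<?php
// Added example, not from the original post or the Yii framework.
// Yii 1.x CHtml::encode() is htmlspecialchars() with ENT_QUOTES and the
// application charset; this helper assumes UTF-8.
function encodeForHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Renders stored comments the way a view would: encode exactly once, at output.
function renderComments(array $storedComments): string
{
    $html = "<ul>\n";
    foreach ($storedComments as $c) {
        $html .= '  <li>' . encodeForHtml($c) . "</li>\n";
    }
    return $html . '</ul>';
}

// Constructed sample input: the payload from the question plus a value with
// both quote styles (relevant to the htmlentities() question).
$comments = array(
    '<script>alert(1);</script>',
    'it\'s "quoted"',
);

// 1. Store raw, encode when rendering. The browser shows the text literally:
//    <li>&lt;script&gt;alert(1);&lt;/script&gt;</li>
//    <li>it&#039;s &quot;quoted&quot;</li>
echo renderComments($comments), "\n";

// 2. Encoding on save AND again on render is safe but double-encodes, so the
//    reader sees "&lt;script&gt;" instead of "<script>":
//    &amp;lt;script&amp;gt;alert(1);&amp;lt;/script&amp;gt;
$savedEncoded = encodeForHtml($comments[0]);
echo encodeForHtml($savedEncoded), "\n";

// 3. Why ENT_QUOTES matters: on PHP < 8.1, htmlentities() without flags
//    defaults to ENT_COMPAT and leaves the single quote untouched, which is
//    not enough inside a single-quoted attribute. With ENT_QUOTES it is
//    encoded as &#039; (or &apos; on PHP 8.1+ with ENT_HTML5).
echo htmlentities($comments[1], ENT_COMPAT, 'UTF-8'), "\n"; // it's &quot;quoted&quot;
echo encodeForHtml($comments[1]), "\n";                       // it&#039;s &quot;quoted&quot;
```

Pick one strategy: either store raw and call `CHtml::encode()` in every view (as the answer suggests), or strip tags on save with the purifier filter; doing both is harmless but produces the double-encoded text shown in step 2.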