Best Way To Use CHtmlPurifier

Hi All,

I’m about to use CHtmlPurifier in order to clear any malicious code. I have been reading the doc and I found this:

Note: since HTML Purifier is a big package, its performance is not very good. You should consider either caching the purification result or purifying the user input before saving to database.

So I have doubts on how to use it. Apparently the best thing is to purify the user input before saving to the db, I guess, by calling a custom method like this:

    public function clearUserInput($text)
    {
        // Purify the value and return it; PHP passes strings by value,
        // so the caller has to use the returned string.
        $p = new CHtmlPurifier();
        $p->options = array('URI.AllowedSchemes' => array(
            'http' => true,
            'https' => true,
        ));
        return $p->purify($text);
    }

So in every action that saves data from a form… we would have something like this:

    ...
    if (isset($_POST['Post']))
    {
        $model->attributes = $_POST['Post'];

        // Assign the purified values back to the model before saving.
        $model->title = $this->clearUserInput($model->title);
        $model->content = $this->clearUserInput($model->content);

        $model->save();
    }
    ...


Is this approach correct?

Thanks!

Anyone? :mellow:

Hi menxaca

Today I posted a similar issue:

http://www.yiiframework.com/forum/index.php/topic/44129-remove-all-html-javascript-entities/page__view__findpost__p__209227

Yes, it is correct.

You can also filter with a filter validator rule in the model:

    array('attribute1', 'filter', 'filter' => array(new CHtmlPurifier(), 'purify')),
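
The filter rule from the reply above, wired into a model together with the URI scheme options from the question, as an added example that is not part of the original thread. It assumes a Yii 1.1 application; the `Post` model, its `post` table and the `purifyHtml` method are hypothetical names.

```php
<?php
// Added example (not from the thread): hypothetical Post model for Yii 1.1.
class Post extends CActiveRecord
{
    public static function model($className = __CLASS__)
    {
        return parent::model($className);
    }

    public function tableName()
    {
        return 'post'; // assumed table name
    }

    public function rules()
    {
        return array(
            array('title, content', 'required'),
            // The filter validator replaces each attribute with the
            // callback's return value while the model is being validated.
            array('title, content', 'filter', 'filter' => array($this, 'purifyHtml')),
        );
    }

    // Hypothetical helper: purifies one value with the options from the question.
    public function purifyHtml($value)
    {
        $purifier = new CHtmlPurifier();
        $purifier->options = array(
            'URI.AllowedSchemes' => array('http' => true, 'https' => true),
        );
        return $purifier->purify($value);
    }
}

// Controller action fragment: no per-action purify calls are needed.
//
//     $model->attributes = $_POST['Post'];
//     if ($model->save()) { ... }   // save() validates first, so the filter runs
//
// save(false) skips validation, and with it the purification step.
```

With the rule in the model, every code path that validates before saving gets the same purification, so the stored value is already clean and does not need to be purified again on each page view.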