Hi All,
I'm about to use CHtmlPurifier in order to clean out any malicious code. I have been reading the docs and I found this:
Note: since HTML Purifier is a big package, its performance is not very good. You should consider either caching the purification result or purifying the user input before saving to database.
So I have doubts on how to use it. Apparently the best thing is to purify the user input before saving it to the DB, I guess by calling a custom method like this:
public function clearUserInput($text)
{
    // Only allow http and https links; other schemes are dropped by the purifier.
    $p = new CHtmlPurifier();
    $p->options = array('URI.AllowedSchemes' => array(
        'http' => true,
        'https' => true,
    ));
    // purify() does not modify $text in place, so the result has to be returned.
    return $p->purify($text);
}
So in every action that saves data from a form, we would have something like this:
...
if (isset($_POST['Post']))
{
    $model->attributes = $_POST['Post'];
    // Store the purified value back into the attribute before saving.
    $model->title = $this->clearUserInput($model->title);
    $model->content = $this->clearUserInput($model->content);
    $model->save();
}
...
Is this approach correct?
Thanks!
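As an added example (not part of the original post), this is one way to apply the "purify before saving" approach inside a Yii 1.1 CActiveRecord model instead of in every controller action. The model name Post, its table name and the title/content attributes are assumptions; CHtmlPurifier, its options property, purify() and CActiveRecord::beforeSave() are real Yii 1.1 APIs.

```php
<?php
// Added example, not code from the original post. Assumes a Yii 1.1
// CActiveRecord model named Post with `title` and `content` attributes.
class Post extends CActiveRecord
{
    /** @var CHtmlPurifier|null created once per instance and reused across saves */
    private $_purifier;

    public static function model($className = __CLASS__)
    {
        return parent::model($className);
    }

    public function tableName()
    {
        return '{{post}}'; // assumed table name
    }

    public function rules()
    {
        return array(
            array('title, content', 'required'),
            array('title', 'length', 'max' => 255),
        );
    }

    /**
     * Build the purifier lazily so the (expensive) HTML Purifier package is
     * only loaded when a record is actually saved. Link schemes are limited
     * to http/https, so javascript: and data: URIs are removed from output.
     */
    protected function getPurifier()
    {
        if ($this->_purifier === null) {
            $this->_purifier = new CHtmlPurifier();
            $this->_purifier->options = array(
                'URI.AllowedSchemes' => array('http' => true, 'https' => true),
            );
        }
        return $this->_purifier;
    }

    /**
     * Runs before every insert and update, so each controller action that
     * calls $model->save() stores purified content without repeating the
     * purify call. The purified output, not the raw input, reaches the DB.
     */
    protected function beforeSave()
    {
        if (!parent::beforeSave()) {
            return false;
        }
        $this->title = $this->getPurifier()->purify($this->title);
        $this->content = $this->getPurifier()->purify($this->content);
        return true;
    }
}
```

With the hook in the model, the controller action only needs `$model->attributes = $_POST['Post']; $model->save();`, and the purification cost is paid once per write rather than on every page view. A field that should never contain markup at all, such as a title, can be reduced with strip_tags() instead of being run through the purifier.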