I’m new to Yii and working on my first project. I got a problem with CHtmlPurifier: it seems not to be filtering anything. I’m sure I missed something obvious.
The value “javascript:alert(‘hello’);” is a plain string (from the view of CHtmlPurifier), not HTML, and CHtmlPurifier has nothing to do with plain strings. Try this:
Ah yes, indeed, it’s filtering the tags all right! I believed that the URI.AllowedSchemes statement would prevent other schemes being used. So if I want to make sure nothing but http or https URLs are accepted, I need to use another method?
Ahh, I see! In fact I may not be using the right tool for the job, then. The URL is sent through POST and comes from another script that grabs it as a URL, not a link. I’m just trying to avoid someone crafting a POST request and getting in a poisoned URL. But there is no HTML element per se. My mistake!
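The two situations discussed in this thread side by side, as an added example (not code posted by anyone in the thread and not part of Yii itself). It assumes Yii 1.1 is loaded from `framework/yii.php` (the path is an assumption) so that `CHtmlPurifier` and `CUrlValidator` are available; `isAllowedUrl()` is a hypothetical helper written for this example, and the sample inputs are constructed.

```php
<?php
// Added example: assumes Yii 1.1; adjust the path to wherever yii.php lives.
require_once(dirname(__FILE__) . '/framework/yii.php');

// --- 1. What CHtmlPurifier does: it filters HTML, and URI.AllowedSchemes
//        only applies to URIs that appear inside HTML attributes (href, src).
$purifier = new CHtmlPurifier();
$purifier->options = array(
    'URI.AllowedSchemes' => array('http' => true, 'https' => true),
);

// Constructed HTML input: the javascript: href is not an allowed scheme,
// so the purifier drops it from the <a> element.
$html = '<a href="javascript:alert(\'hello\');">click</a>';
var_dump($purifier->purify($html));

// Constructed plain-string input: there are no tags and no attributes,
// so there is nothing for the purifier to act on and it passes through.
$plain = "javascript:alert('hello');";
var_dump($purifier->purify($plain));

// --- 2. What the thread actually needs: a bare URL arriving via POST
//        must be checked as a URL, with an explicit scheme whitelist.

/**
 * Hypothetical helper: accept only absolute URLs whose scheme is in $allowed.
 * Rejects scheme-relative ("//evil.example"), scheme-only ("http:evil"),
 * mixed-case tricks ("JavaScript:...") and anything parse_url cannot parse.
 */
function isAllowedUrl($url, array $allowed = array('http', 'https'))
{
    if (!is_string($url)) {
        return false;
    }
    $url = trim($url);
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    return in_array(strtolower($parts['scheme']), $allowed, true);
}

// Yii's own validator does the same job with a scheme list; validSchemes
// defaults to http and https. validateValue() returns the URL or false.
function isAllowedUrlYii($url)
{
    $validator = new CUrlValidator();
    $validator->validSchemes = array('http', 'https');
    return $validator->validateValue($url) !== false;
}

// Constructed inputs standing in for $_POST['url'].
$samples = array(
    'http://example.com/path?x=1',
    'https://example.com/',
    "javascript:alert('hello');",
    'JavaScript:alert(1)',
    'data:text/html;base64,PHNjcmlwdD4=',
    '//example.com/scheme-relative',
    'http:no-host',
    'ftp://example.com/',
);

foreach ($samples as $candidate) {
    printf(
        "%-40s parse_url whitelist: %-5s CUrlValidator: %s\n",
        $candidate,
        isAllowedUrl($candidate) ? 'ok' : 'reject',
        isAllowedUrlYii($candidate) ? 'ok' : 'reject'
    );
}
```

The first block shows why the original test did nothing: the purifier only sees a text node, so the `javascript:` string comes back untouched, while the same payload inside an `href` is stripped. For the POST case, validate before storing and treat the URL as opaque data afterwards; if it is later rendered into a link, the `URI.AllowedSchemes` purifier setting still applies at that point as a second layer.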