Clarify strip_tags and purify usage in Yii rules for secure plain text input

I have an input form with some fields entered by an end user. The inputted data is sent in an email to the administrator. I would like to strip html tags and purify the user input.

One post I read on this subject indicated that I should both strip_tags and purify. I am currently doing this via Yii rules (rather than in beforeSave or by other methods). I have included a fragment of my rules below, for reference:

public function rules()
{
  return array(
    array('user_id, fromname, fromemail, message', 'required'),
    array('user_id', 'numerical', 'integerOnly'=>true),
    array('fromname', 'length', 'max'=>50),
    // first remove all HTML tags, then run the result through HTML Purifier
    array('fromname','filter','filter'=>function($v){ return strip_tags($v);}),
    array('fromname','filter','filter'=>array($obj=new CHtmlPurifier(),'purify')),
    array('fromemail', 'length', 'max'=>150),
    array('fromemail','filter','filter'=>function($v){ return strip_tags($v);}),
    array('fromemail','filter','filter'=>array($obj=new CHtmlPurifier(),'purify')),
    // etc...
  );
}

Questions (mostly from the standpoint of secure input):

  1. Does it matter if I run strip_tags before or after purify?

  2. Do I need to worry about encoding anywhere (in the form itself or in the purify call or…)?

  3. Is there a better or more efficient way to do this?

Any comments welcome!

thanks, Dylan

I think running strip_tags and HTML Purifier is bogus. strip_tags should be sufficient.

Just a small note: to attach strip_tags() you may also use this simplified form:

'filter' => 'strip_tags'

Thank you both for the information. I will get rid of (in my case) the extraneous purify calls and save some keystrokes using the simplified call as suggested. I went back through my bookmarks of old Yii posts and I think I must have misread one of them, as I couldn't find a post explicitly saying to do both purify and strip_tags, so apologies, red herring there on my part. Thanks again!

NOTE:

It might be worth using Purify after all.
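As an added example (not from this thread and not Yii's own code), a Yii-free PHP sketch of what the strip_tags filter rule in the question does to input that ends up in an e-mail, with the length check applied after stripping rather than before it. The function names and the sample inputs are constructed for the illustration.

```php
<?php
// Added example: stand-alone PHP, no Yii dependency.

// What the rule array('fromname', 'filter', 'filter' => 'strip_tags') does,
// plus a trim: all tags are dropped, the text between them is kept, and HTML
// entities the user typed (e.g. &lt;) are NOT decoded.
function sanitizePlainText(string $value): string
{
    return trim(strip_tags($value));
}

// Validate one field. Yii runs rules in the order listed, so a 'length' rule
// placed before the 'filter' rule measures the raw, unstripped input; here the
// length is checked on the stripped value, which is what actually gets mailed.
function validateField(string $value, int $max): array
{
    $clean  = sanitizePlainText($value);
    $errors = [];
    if ($clean === '') {
        $errors[] = 'required';
    }
    if (mb_strlen($clean, 'UTF-8') > $max) {
        $errors[] = "longer than $max characters";
    }
    return ['value' => $clean, 'errors' => $errors];
}

// Encoding belongs at the output side: a text/plain e-mail needs nothing more,
// but if the body is sent as text/html the stripped value must still be
// escaped where it is inserted into the HTML.
function forHtmlEmail(string $plain): string
{
    return htmlspecialchars($plain, ENT_QUOTES, 'UTF-8');
}

// Constructed sample inputs.
$samples = [
    '<b>Alice</b>',                // tags removed, text kept: "Alice"
    '&lt;b&gt;Alice&lt;/b&gt;',    // entities left exactly as typed
    str_repeat('<i>', 30) . 'x',   // raw length 91, stripped length 1
];
foreach ($samples as $s) {
    $r = validateField($s, 50);
    printf("%s\n  plain: %s\n  errors: %s\n  html-email: %s\n",
        $s, var_export($r['value'], true),
        implode(', ', $r['errors']) ?: 'none',
        forHtmlEmail($r['value']));
}
```

For the second sample, forHtmlEmail() encodes the ampersands again, so an HTML e-mail shows the literal text the user typed rather than bold markup.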