I have an input form with some fields entered by an end user. The inputted data is sent in an email to the administrator. I would like to strip HTML tags and purify the user input.
One post I read on this subject indicated that I should both strip_tags and purify. I am currently doing this via Yii rules (rather than in beforeSave or by other methods). I have included a fragment of my rules below, for reference:
public function rules()
{
    return array(
        array('user_id, fromname, fromemail, message', 'required'),
        array('user_id', 'numerical', 'integerOnly'=>true),
        array('fromname', 'length', 'max'=>50),
        // strip HTML tags first, then run the result through HTML Purifier
        array('fromname', 'filter', 'filter'=>function($v){ return strip_tags($v); }),
        array('fromname', 'filter', 'filter'=>array($obj=new CHtmlPurifier(), 'purify')),
        array('fromemail', 'length', 'max'=>150),
        array('fromemail', 'filter', 'filter'=>function($v){ return strip_tags($v); }),
        array('fromemail', 'filter', 'filter'=>array($obj=new CHtmlPurifier(), 'purify')),
        // etc...
    );
}
Questions (mostly from the standpoint of secure input):
- Does it matter if I run strip_tags before or after purify?
- Do I need to worry about encoding anywhere (in the form itself or in the purify call or…)?
- Is there a better or more efficient way to do this?
Any comments welcome!
thanks, Dylan
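An added example, not the poster's code or Yii's own, of one way to collapse the paired rules: a Yii 1.1 form model (the class name ContactForm and the buildEmailBody() helper are assumptions; the field names come from the question) that shares a single CHtmlPurifier instance across fields and HTML-encodes the cleaned values again where they are embedded in an HTML email body.

```php
<?php
// Added example (not the poster's code or Yii's own). ContactForm and
// buildEmailBody() are assumed names; the field names come from the question.
class ContactForm extends CFormModel
{
    public $user_id;
    public $fromname;
    public $fromemail;
    public $message;

    public function rules()
    {
        // One purifier shared by every field instead of a new instance per rule.
        $purifier = new CHtmlPurifier();
        $toPlainText = function ($v) use ($purifier) {
            // purify() returns well-formed HTML containing only whitelisted
            // elements, so strip_tags() then only has to drop those known tags.
            return trim(strip_tags($purifier->purify($v)));
        };
        return array(
            array('user_id, fromname, fromemail, message', 'required'),
            // Filters run in rule order, so the validators below see cleaned values.
            array('fromname, fromemail, message', 'filter', 'filter' => $toPlainText),
            array('user_id', 'numerical', 'integerOnly' => true),
            array('fromname', 'length', 'max' => 50),
            array('fromemail', 'length', 'max' => 150),
            array('fromemail', 'email'),
        );
    }

    // Sanitising on input does not replace encoding on output: if the admin
    // notification is an HTML email, escape the values again where they are
    // embedded so the message cannot carry markup regardless of what the
    // filters let through. A plain-text email needs no HTML encoding.
    public function buildEmailBody()
    {
        return '<p>From: ' . CHtml::encode($this->fromname)
             . ' &lt;' . CHtml::encode($this->fromemail) . '&gt;</p>'
             . '<p>' . nl2br(CHtml::encode($this->message)) . '</p>';
    }
}
```

Because the filter rule comes first, the length and email validators check the cleaned text rather than the raw submission.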