This might be a stupid question, but is there an automatic way for my ActiveRecord variables to be run through Html::encode so they don't allow <script>alert('test');</script> or <iframe src=http://google.com></iframe> in text fields? I thought safe did this automatically?
```php
public function afterFind()
{
    parent::afterFind(); // keep the base hook so EVENT_AFTER_FIND still fires
    $this->Comments = Html::encode($this->Comments);
}
```
You could, though. Just extend the ActiveRecord class and have your models inherit it, override some methods (one(), all() ?) and format as needed. You shouldn’t though, like samdark said.
Just get into the habit of escaping all user-supplied output within your views. There are code sniffers you can use to search for variables that haven't been escaped properly. Heck, you could even easily do a simple regex find across your views to look for unescaped data.
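The trade-off the replies describe, shown as an added stand-alone example (not code from this thread or from the Yii project). It assumes a local `encode()` that mirrors what `yii\helpers\Html::encode` does for the common case (`htmlspecialchars` with `ENT_QUOTES | ENT_SUBSTITUTE`, UTF-8), a few constructed comment rows standing in for ActiveRecord results, and a hypothetical `findUnescapedEchoes()` that implements the "simple regex find" idea from the last reply:

```php
<?php
// Added example, not from the forum thread or the Yii code base.
// encode() is a stand-in for yii\helpers\Html::encode so the file runs without Yii.
declare(strict_types=1);

function encode(string $content): string
{
    return htmlspecialchars($content, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample rows, as if loaded from a "comments" table.
// Row 2 and 3 are the two payloads from the question.
$rows = [
    ['id' => 1, 'Comments' => 'Nice post & thanks!'],
    ['id' => 2, 'Comments' => '<script>alert(\'test\');</script>'],
    ['id' => 3, 'Comments' => '<iframe src=http://google.com></iframe>'],
];

// 1. Escape at output time, as the replies recommend: the stored value stays raw,
//    the view encodes once, and the script/iframe payloads render as inert text.
function renderComment(array $row): string
{
    return '<li data-id="' . encode((string) $row['id']) . '">'
        . encode($row['Comments']) . "</li>\n";
}

foreach ($rows as $row) {
    echo renderComment($row);
}

// 2. Encode in afterFind instead (the snippet posted above) and the model's data
//    itself changes: a view that escapes correctly now double-encodes ("&amp;amp;"),
//    and a non-HTML consumer such as a JSON API receives HTML entities it never asked for.
$afterFind = array_map(
    fn(array $r) => ['id' => $r['id'], 'Comments' => encode($r['Comments'])],
    $rows
);
echo renderComment($afterFind[0]);
echo json_encode(['comment' => $afterFind[1]['Comments']]), "\n";

// 3. The "simple regex find" from the last reply, as a hypothetical helper: flag every
//    short-echo tag whose expression does not call an encoder. This is a heuristic
//    (it does not parse PHP), so treat hits as candidates to review, not as proof.
function findUnescapedEchoes(string $viewSource): array
{
    $hits = [];
    foreach (explode("\n", $viewSource) as $n => $line) {
        if (!preg_match_all('/<\?=\s*(.*?)\s*\?>/', $line, $m)) {
            continue;
        }
        foreach ($m[1] as $expr) {
            if (!preg_match('/\b(?:Html::encode|htmlspecialchars|encode)\s*\(/', $expr)) {
                $hits[] = ($n + 1) . ': ' . trim($line);
            }
        }
    }
    return $hits;
}

// Constructed view fragment: line 1 is escaped, lines 2 and 3 are not.
$view = <<<'VIEW'
<h2><?= Html::encode($model->title) ?></h2>
<p><?= $model->Comments ?></p>
<a href="<?= Url::to(['view', 'id' => $model->id]) ?>">link</a>
VIEW;

print_r(findUnescapedEchoes($view));
```

Run it with `php example.php`. The first loop shows the two payloads neutralised by a single encode in the view; the afterFind section shows why encoding on load is the wrong layer (double-encoded ampersand, entities leaking into JSON); the scanner flags the `<?= $model->Comments ?>` line and the `href` echo, which is exactly the kind of hit you would then fix in the view or hand to a sniffer rule.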