I’ve been using the CmsInput extension to filter/sanitize input from users:
http://www.yiiframework.com/extension/input/
My question is:
Is there any reason to do this?
I always validate inputs, and also bind parameters, avoiding such statements as
UPDATE account SET name=’$name’
so, I shouldn’t need this extension.
Can someone tell me if there’s a really compelling reason to use CmsInput given Yii’s powerful model validation and parameter binding functionality?
Emily, I have not used this extension personally.
If you are already filtering your inputs, using bind parameters, the only thing I would suggest is to also consider other security helpers such as yii’s version of CHtmlPurifier etc.
I do not think it is a matter of need but a matter of convenience and preference as long as you take necessary precautions.
Seal,
Thanks for the reply. However, I’m still curious. It seems that binding parameters GIVES me input filtering. Can anyone answer–why would I bother with a 3rd party extension?
Thanks,
Emily
Can anyone else weigh in here? This isn’t a matter of mere preference. If Yii’s binding mechanism filters inputs from the user, then using something like CmsInput simply adds complexity and inefficiency. (Not to mention the fact that, a perfectly legitimate user input, say, for a password field, with a value of “aa&bb” will get turned into “aa&bb;” by CmsInput’s filter! It adds a semicolon for security, but that messes up the user’s password input.)
Again, my question is, can someone provide me a compelling reason to use CmsInput, if I’m actually binding parameters carefully?
Thanks in advance!
Well, yes you need to continue using the filter.
First thing first, your " (Not to mention the fact that, a perfectly legitimate user input, say, for a password field, with a value of “aa&bb” will get turned into “aa&bb;” by CmsInput’s filter! It adds a semicolon for security, but that messes up the user’s password input.)" affirmation is not completely true. The filter default cleaning method can be changed in one that will not encode the input. The encoding is happening by default because 90% of the developers won’t encode the output when echo-ing, which makes room for xss exploits.
Next, in a web application is not all about sql injection (which is anyway prevented by Yii’s param binding mechanism, same mechanism that you are talking about and believe if using only this will keep you app secure) but you also need to avoid xss exploits, which is actually what this filter does(please read about xss exploits, yii will not help you avoid those unless you use html purifer which is pretty heavy and also, it is incorporated in the input extension).
As i explained in the extension description, use CmsInput::purify() to clean only the content that comes from a text editor like ckeditor or tinymce, and use CmsInput::xssClean() to clean any other content type.
The reason why you should use it like so is because it makes no sense to use CmsInput::purify() on a input field that doesn’t have HTML content, because it is too slow, instead use CmsInput::xssClean() which will make sure the content doesn’t have any malicous code and stick to CmsInput::purify() for html only content
In my applications, i use the extension like :
'input'=>array(
'class' => 'CmsInput',
'cleanPost' => true,
'cleanGet' => true,
'cleanMethod' => 'stripClean',
),
Then when i need to retrieve the attributes of a model, i only do:
$model->attributes=Yii::app()->input->post(get_class($model));
//if i have an html attribute
$originalPost=Yii::app()->input->getOriginalPost(get_class($model));
$model->htmlContent=Yii::app()->input->purify($originalPost['content']);
$model->save();
As a conclusion, stick to it, you have no reason to stop using it.
[l.e: quick test an xss exploit]:
$code='<script>alert("Really?");</script>';
echo $code;
//do the same with the CmsInput
$code=Yii::app()->input->xssClean($code);
echo $code;
Now think that $code can be added by a user via a textarea where you allow any html content and you have no way to "filter" it with yii only.
One reason I can think of, I think ( 
) is in the case in which you do not use the values inputted to record into the DB. That use case is handled by Yii’s (and in turn PDO, I think) SQL sanitation. Rather, the case I’m referring to is when you log the values submitted.
For example, I’m writing this extension that validates input (CValidator extending class). In case of validation failure, I’m logging a message (Yii::log()) and put into it the value submitted. I was afraid that this can be exploited in some way to hack the system so I’m on a search for a “general” sanitizing capability (and this is how I stumbled upon this thread, BTW).
If I set on the config/main.php like above. Are this line
$model->attributes=Yii::app()->input->post(get_class($model));
and this line
$model->attributes=$_POST[get_class($model)];
going to produce the same result?
Thank you in advance.
Hi!
The extension works if we enable the URLs in path format? In my main.php (config) I have:
'input' => array (
'class' => 'CmsInput'
'cleanPost' => true,
'cleanGet' => true,
'cleanMethod' => 'stripClean'
)
I noticed that when I was not using URLs in path format, the app was clearing the $_POST and $_GET automatically, but when i enabled the URLs in path to format the extension is no longer working? Do I need to change something in my config to start working again or extension can not be used in this situation?
So,
this is working: www.site.com/index.php?r=user/login
this is not working: www.site.com/index.php/user/login/
I do apologise to resurrect this thread, since this is the popular thread when I search from google. I have been asked this question in several places but no answer yet … ;(
The situation is that I am using this input extension and also I use the yii-imperavi-redactor-widget. In order to get the clean content, I use below code
public function actionCreate() {
$model = new Post;
// Uncomment the following line if AJAX validation is needed
// $this->performAjaxValidation($model);
if (isset($_POST['Post'])) {
$model->attributes = $_POST['Post'];
// Get the original `content` and putify it
$oriPost = Yii::app()->input->getOriginalPost('Post');
$model->content = Yii::app()->input->purify($oriPost['content']);
$model->content = Yii::app()->input->xssClean($model->content);
if ($model->save()) {
$this->redirect(array('view', 'id' => $model->id));
}
}
$this->render('create', array(
'model' => $model,
));
}
It is working nicely. Until we add image and change its position and size. The changes will not be saved to the database. My trial found that this code
$model->content = Yii::app()->input->xssClean($model->content);
will remove the style attribute from tag <img>.
Anyone can help me on this?
Thnak you in advance.
Kind regards,
Daniel
PS: I do really apologise if this is annnoying, but I am really desperate to make this work…