As the documentation says, http://www.yiiframework.com/doc/api/CHtml#link-detail
CHtml::link(string $text, mixed $url='#', array $htmlOptions=array ( ))
the $text will NOT be HTML-encoded.
So the output of content should be written like this:
CHtml::link(CHtml::encode($comment_author_name), $comment_author_url);
After testing, I found that $comment_author_url is also XSS-safe: chars like <> will be encoded. That's great!
The bad thing is: I need to write this kind of PHP code many, many times:
CHtml::link(CHtml::encode($text), $url);
If I forget one CHtml::encode, it may be a problem, and it is difficult to check.
My suggestion is: add a shortcut: CHtml::linkTextEncoded() = CHtml::link(CHtml::encode($text), $url);
If so, a full-text search for CHtml::link() and CHtml::linkTextEncoded() will reveal the possible XSS problems in all the PHP code.
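An added example, not code from the original post or from Yii itself: a standalone PHP sketch of the proposed shortcut so it can be run without the framework. The helper names (html_encode, link_raw, link_text_encoded, is_safe_href) are hypothetical; html_encode mirrors what CHtml::encode does (htmlspecialchars with ENT_QUOTES), and link_raw mirrors CHtml::link's behaviour of encoding the href attribute but not the link text. The scheme check is an addition beyond the post: attribute encoding turns < > " into entities, but it leaves a javascript: href intact, so a user-supplied URL still needs a scheme whitelist on top of encoding.

```php
<?php
// Added example, not from the original post or from Yii: a self-contained
// model of CHtml::encode()/CHtml::link() and the proposed encoding shortcut.
declare(strict_types=1);

/** Stand-in for CHtml::encode(): escape &, <, >, " and ' for an HTML context. */
function html_encode(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

/**
 * Stand-in for CHtml::link(): builds <a href="...">text</a>.
 * Like the real one it encodes the href attribute but NOT the text,
 * so a caller that forgets html_encode($text) emits raw markup.
 */
function link_raw(string $text, string $url): string
{
    return '<a href="' . html_encode($url) . '">' . $text . '</a>';
}

/**
 * Hypothetical extra check: encoding does not neutralise javascript: or data:
 * hrefs, so only allow http(s), site-relative paths and fragments.
 */
function is_safe_href(string $url): bool
{
    return (bool) preg_match('~^(https?://|/|#)~i', $url);
}

/**
 * The proposed shortcut (CHtml::linkTextEncoded in the post): text is always
 * encoded. Unsafe URL schemes are replaced by '#' (assumed policy for this example).
 */
function link_text_encoded(string $text, string $url): string
{
    if (!is_safe_href($url)) {
        $url = '#';
    }
    return link_raw(html_encode($text), $url);
}

// Constructed inputs: an author name carrying a script payload and two URLs,
// one with characters that need attribute encoding, one with a javascript: scheme.
$name     = '<script>alert(1)</script>';
$url      = 'http://example.com/?a=1&b="x"';
$evil_url = 'javascript:alert(document.cookie)';

// The forgetful form: payload lands in the page unencoded.
echo link_raw($name, $url), "\n";
// The shortcut: name is entity-encoded, attribute is encoded as before.
echo link_text_encoded($name, $url), "\n";
// Encoding alone would keep the javascript: scheme; the whitelist drops it.
echo link_text_encoded($name, $evil_url), "\n";
```

Run with `php example.php`; the first line shows the unencoded <script> tag that a forgotten CHtml::encode would emit, the second shows it as &lt;script&gt;, and the third shows the javascript: href replaced by '#'. The same grep-based audit the post proposes works here: any call to link_raw() outside link_text_encoded() is a candidate for review.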