For esay XSS protect, CHtml::linkTextEncoded() wanted

As the document said,

CHtml::link(string $text, mixed $url=’#’, array $htmlOptions=array ( ))

the $text [color="#FF0000"]It will NOT be HTML-encoded.[/color]

So that the output of content should be like this:

CHtml::link(CHtml::encode($comment_author_name), $comment_author_url);

After test, I found the $comment_author_url is also XSS secure, chars like <> will be encoded. That’s great!

The bad thing is: [color="#FF0000"]I need to write many many this kind of php code[/color]

CHtml::link(CHtml::encode($text), $url);

If I forget one CHtml::encode, it may be problem, and it is difficult to check.

My suggestion is: [color="#FF0000"]add a shortcut: CHtml::linkTextEncoded() = CHtml::link(CHtml::encode($text), $url);[/color]

If so, a full-text seach of CHtml::link() and CHtml::linkTextEncoded() will tell the possible XSS problem in the all the php code.

It’d be a great enhancement!

What about encoding input before saving to database at all?

You could use HtmlPurifier in request where form data is transmitted.

you can also use it to wrap contents from the database.