Protection against XSS

Does any protection against XSS attacks exist, or is one planned, built into Yii (for example, SafeHTML or something similar)?

I just added CHtmlPurifier.

Wow, that was fast!

Just one note. HTMLPurifier is supposed to be better than any other filter, but it's a bit slow. I wonder if it would be possible to have both HTMLPurifier (which is supposed to be safer) and SafeHTML (which is faster) to give a choice to the developers, who would be free to decide which to use. If not, HTMLPurifier is cool and ok :slight_smile:

And I have a question: you placed the source code for HTML purifier in the vendors directory, but the modified source code of PEAR's gettext is inside the i18n directory. Isn't this inconsistent?

Also, there's a directory called adodb inside vendors, but only the licence file is contained there, I can't find the adodb library…

Thanks :slight_smile:

Yes, HTMLPurifier is big and slow. But it's the best so far. For most users, I believe they would prefer security to performance. So we won't include SafeHtml for the moment. Using caching techniques, the performance issue with HTMLPurifier can be overcome.

In general, we put all third-party code inside the vendors directory.

But if we modify the code and create a new C*** class, we will move it out of vendors.

We are using the timestamp class from adodb, not the whole adodb library. That's why you only see a license file there.

For PEAR's gettext, only one file is used which is modified and becomes CGettextMoFile.
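The "purify once, then cache" approach mentioned above, as an added PHP example for Yii 1.x (not code from this thread or from the framework itself); the Post model, its body/body_html/updated_at columns, the allow-list and the cache key are assumptions:

```php
<?php
// Added example, not from the thread or the Yii source tree.
// Assumptions: a Yii 1.x CActiveRecord model `Post` with a `body` column holding
// user-supplied HTML, a `body_html` column for the sanitized copy, an
// `updated_at` column, and an application cache component (Yii::app()->cache).
class Post extends CActiveRecord
{
    public static function model($className = __CLASS__)
    {
        return parent::model($className);
    }

    public function tableName()
    {
        return '{{post}}';
    }

    // Run HTMLPurifier once, at write time, so the expensive pass is not
    // repeated on every page view. Only allow-listed tags/attributes survive.
    protected function beforeSave()
    {
        if (!parent::beforeSave()) {
            return false;
        }
        $purifier = new CHtmlPurifier();
        $purifier->options = array(
            // Anything outside this allow-list (script, style, on* handlers,
            // unknown tags) is stripped rather than escaped.
            'HTML.Allowed'       => 'p,br,b,i,strong,em,a[href],ul,ol,li',
            // Rejects javascript: and data: URIs in href.
            'URI.AllowedSchemes' => array('http' => true, 'https' => true, 'mailto' => true),
        );
        $this->body_html = $purifier->purify($this->body);
        return true;
    }
}

// Render-side helper: serve the already-purified body from the data cache,
// keyed on id + update time so an edit invalidates the stale copy. Rows that
// predate `body_html` are purified on the miss path and then cached.
function renderPostBody(Post $post)
{
    $key  = 'post-body-' . $post->id . '-' . $post->updated_at;
    $html = Yii::app()->cache->get($key);
    if ($html === false) {
        $purifier = new CHtmlPurifier();
        $html = $post->body_html !== null ? $post->body_html : $purifier->purify($post->body);
        Yii::app()->cache->set($key, $html, 3600); // constructed TTL: one hour
    }
    return $html;
}
```

Storing the purified copy means the raw `body` is never echoed to a page; only `body_html` (or the cached result derived from it) reaches the view.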

Quote

Yes, HTMLPurifier is big and slow. But it's the best so far. For most users, I believe they would prefer security to performance. So we won't include SafeHtml for the moment. Using caching techniques, the performance issue with HTMLPurifier can be overcome.

Agree. APC or some other code cache mandatory here then.

Quote

In general, we put all third-party code inside the vendors directory.

But if we modify the code and create a new C*** class, we will move it out of vendors.

For PEAR's gettext, only one file is used which is modified and becomes CGettextMoFile.

Ok, I understand :D

Quote

We are using the timestamp class from adodb, not the whole adodb library. That's why you only see a license file there.

Ok.