Question about injecting HTML

In the rules() function of my model, I wrote:

	'level, updateTime, publish',

But if I inject HTML (with Firebug):

<div class="input">

	<label for="User_username" class="label">Username</label>

	<input type="text" value="admin" maxlength="19" id="User_username" name="User[username]">

I can still change the username field. If so, my website isn't safe; what is the solution for that?


I don't really understand your question. Why don't you want to change the username? Your question isn't properly written. Could you be more specific?

IMHO, it is the task of the programmer to securely program the application to handle those modifications on the server. In my CMSs, for example, I double-check the username against the database and make them unique; the validation of the username against the DB with their corresponding passwords and salt values will find out that you are doing shifty business.

If you modify the username on the client and I have just dropped the details of user peter instead of admin, I will immediately detect that you have changed the username and give you a nice message, or throw you out of the application with a nice report sent to the administrator.


That means I should check, inside the controller, everything that I don't allow to be changed. Right?

Based on the documentation:

So if you don't have username in the update scenario, I don't think it can be massively assigned.

Not sure though ... just my thought based on the docs.

Check all the rules: if you have some general rule (without a scenario), it will be applied to every scenario, including update.

Delete all rules about user_name, and you will notice that the username will no longer be massively assigned.

If you have some doubt, post here all your rules, and we’ll help you.


Did you solve it?

What was the problem? Please post your solution here to help future readers of the forum!


                'id, password, createTime',

I don't want end-users to be able to modify the id, password and createTime fields by injecting HTML in the browser. I hope that I am right.

That is correct, but a better design is to remove all standard validators and mark as safe only the fields you need.

It is the logic of "allow what is needed" versus "forbid what is dangerous".

Anyway, as you noticed, this solution works fine too.
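To make both points from this thread concrete (a rule without `on` applies to every scenario, so it makes the attribute safe in `update` too; and it is better to mark as safe only what the form needs), here is an added example for Yii 1.1. It is not code from the original poster or from the Yii project. It assumes a hypothetical `User` CActiveRecord model over a `user` table with `id`, `username`, `password`, `level`, `publish`, `createTime` and `updateTime` columns, and a `UserController` with an `update` action.

```php
<?php
// Added example (Yii 1.1). The User model, its columns and the controller are
// assumptions made for illustration, not the original poster's code.
class User extends CActiveRecord
{
    public static function model($className = __CLASS__)
    {
        return parent::model($className);
    }

    public function tableName()
    {
        return 'user';
    }

    public function rules()
    {
        return array(
            // BAD: a rule without 'on' applies to every scenario, so this one
            // would make 'username' massively assignable during 'update' too.
            // array('username', 'length', 'max' => 19),

            // GOOD: scope the username rules to 'create' only.
            array('username, password', 'required', 'on' => 'create'),
            array('username', 'length', 'max' => 19, 'on' => 'create'),
            array('username', 'unique', 'on' => 'create'),

            // Allow what is needed: only the fields the edit form may change are
            // safe in 'update'. id, password, createTime and username are not
            // listed, so $model->attributes = $_POST['User'] ignores them.
            array('level, publish', 'safe', 'on' => 'update'),
        );
    }

    // Timestamps are set on the server, never taken from the request.
    protected function beforeSave()
    {
        if ($this->isNewRecord) {
            $this->createTime = time();
        }
        $this->updateTime = time();
        return parent::beforeSave();
    }

    // Yii calls this for each posted attribute that is not safe in the current
    // scenario. By default it only logs when YII_DEBUG is on; here it always
    // logs, so a form edited in Firebug leaves a trace in the security log.
    public function onUnsafeAttribute($name, $value)
    {
        Yii::log(
            "Rejected unsafe attribute '$name' in scenario '{$this->scenario}'",
            CLogger::LEVEL_WARNING,
            'application.security'
        );
    }
}

class UserController extends CController
{
    public function actionUpdate($id)
    {
        $model = User::model()->findByPk((int) $id);
        if ($model === null) {
            throw new CHttpException(404, 'User not found.');
        }
        $model->scenario = 'update';

        if (isset($_POST['User']) && is_array($_POST['User'])) {
            // Explicit tamper check: the view only renders safe fields, so any
            // other posted field came from an edited form, not from our HTML.
            $tampered = array_diff(array_keys($_POST['User']), $model->getSafeAttributeNames());
            if (!empty($tampered)) {
                Yii::log(
                    'Tampered update for user ' . $model->id . ': ' . implode(', ', $tampered),
                    CLogger::LEVEL_WARNING,
                    'application.security'
                );
                throw new CHttpException(400, 'Invalid request.');
            }

            $model->attributes = $_POST['User']; // assigns only 'level' and 'publish'
            if ($model->save()) {
                $this->redirect(array('view', 'id' => $model->id));
            }
        }

        $this->render('update', array('model' => $model));
    }
}
```

With these rules, posting `User[username]=admin` or `User[id]=1` to the update action is either rejected with a 400 by the explicit check, or (if another action assigns attributes without that check) silently dropped by Yii's safe-attribute filtering and logged by `onUnsafeAttribute`. The check in the controller is optional belt-and-braces; the rules alone already prevent the assignment.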

Thank you so much, zaccaria!

If I have any question, I will ask you. :D