Remove All Html - Javascript Entities

Hi

I want your opinion about removing all non-human-text symbols (in addition to HTML, PHP and JavaScript tags) from a textarea for maximum security.

I used CHtmlPurifier() to purify the field but it does not work with encoded characters like the following (maybe it needs some settings):


<script src=http://www.example.com/malicious-code.js></script>

I could use preg_replace but I want a way based on Yii

How to achieve that with the minimum code?

Thanks

I found an option 'Filter.ExtractStyleBlocks.Escaping' => true for CHtmlPurifier but it seems it does not work!

Also I found a similar thread

http://www.yiiframework.com/forum/index.php/topic/36985-stop-the-chtmlpurifier-escaping-the-char/

So, how to achieve that?

Hi

You can try this

http://www.yiiframework.com/extension/yiibehaviorsluggable/

Thank you for response

But I think this extension is not appropriate for this issue.

Also I want to use only the Yii kernel API and not an extension.

Any other suggestion or opinion?

Hi

You can also try this one, I hope it will help

http://www.yiiframework.com/forum/index.php/topic/40611-using-chtmlpurifier-safeiframe-working/

I have already tested it but it does not work for special characters like &lt; &gt; etc.

A trick I found to do that is this:

$attr = CHtml::decode(strip_tags($attribute));
$p = new CHtmlPurifier();
return $p->purify($attr);

Or better

return preg_replace("/&lt;(.*?)&gt;/i", '', $p->purify($attr));

Although it works, maybe it is not a good way to do that.

Is there an equivalent function or setting in Yii?

&lt; or &gt; are not special chars, they are both html entities.

This means in this stage, they were encoded using something similar to what CHtml::encode() does (php’s htmlspecialchars() ) so if you want to do it right, first you need to decode the entities using CHtml::decode() as you did. In your example, strip_tags doesn’t make any sense, it has nothing to strip as there are no tags.

So the full approach would simply be:

$p = new CHtmlPurifier();
return $p->purify(CHtml::decode($attribute));

Also, HtmlPurifier has a huge set of settings which can be used to tune it to get to the light.
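The decode-then-purify order described above, as an added example that is not code from this thread or from Yii. It uses plain PHP so it runs without the framework: htmlspecialchars_decode() is what CHtml::decode() wraps, and strip_tags() stands in for the purifier step (an assumption made for the demo; a real CHtmlPurifier keeps safe markup instead of removing all of it). The sample input is constructed.

```php
<?php
// Added example, not code from the thread or from Yii. It shows why the
// order of decode and sanitise matters when the textarea value has already
// been HTML-encoded (by CHtml::encode(), htmlspecialchars() or a browser/
// proxy layer) before it reaches the sanitiser.
//
// Assumptions: htmlspecialchars_decode() is used in place of CHtml::decode()
// (the Yii 1.1 helper wraps exactly this call) and strip_tags() stands in for
// CHtmlPurifier::purify(), which is not available outside the framework.

// Constructed sample: a submitted value after an encoding layer has run on it.
$encoded = htmlspecialchars(
    "<script src=http://www.example.com/malicious-code.js></script>hello",
    ENT_QUOTES
);
// $encoded is now:
// &lt;script src=http://www.example.com/malicious-code.js&gt;&lt;/script&gt;hello

// Wrong order: the sanitiser runs on the entity-encoded text. It sees no '<'
// at all, so nothing is removed; the payload reappears once the entities are
// decoded later (e.g. when another layer renders the stored value).
function stripThenDecode(string $value): string
{
    return htmlspecialchars_decode(strip_tags($value), ENT_QUOTES);
}

// Right order (twisted1919's approach): decode first so the sanitiser
// operates on real markup, then sanitise.
function decodeThenStrip(string $value): string
{
    return strip_tags(htmlspecialchars_decode($value, ENT_QUOTES));
}

$unsafe = stripThenDecode($encoded);
$safe   = decodeThenStrip($encoded);

// The payload survived the first pipeline and is gone from the second.
assert(strpos($unsafe, '<script') !== false);
assert($safe === 'hello');

echo "strip then decode : $unsafe\n"; // <script src=...></script>hello
echo "decode then strip : $safe\n";   // hello
```

The same reasoning explains why strip_tags() on the still-encoded value in the earlier post was a no-op: with no literal '<' present there is nothing for it to strip.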

Thank you @twisted1919

The only thing I did not understand very well is that strip_tags is not necessary, why?

If a user enters <script>alert('a');</script> then strip_tags removes <script></script>, right?

I mean the HtmlPurifier takes away all the html entities, is that the reason strip_tags is not necessary?

Also

$p->purify(CHtml::decode($attribute))

does not remove <?php ?> tags but replaces them with

&lt;?php echo 'a'; ?&gt;

for that I posted

preg_replace("/&lt;(.*?)&gt;/i", '', $p->purify($attr));

I will appreciate your opinions :)

Hi KonApaz,

I have experienced the same problem, but I'm kind of new to XSS security so I don't know how dangerous it is to allow people to save this into your DB: &lt;?php echo 'a'; ?&gt;

I think it is only ugly to see but nothing else. Could you explain to me quickly why you want to strip these special characters &lt; &gt;? Is it not secure enough with only

array('attribute1', 'filter', 'filter' => array(new CHtmlPurifier(), 'purify')),

Thanks!

Hi menxaca

I want to be absolutely sure of it! So I want extra measures. I don't know if CHtmlPurifier() guarantees one hundred percent to prevent all hacking combinations; this could be answered by the Yii team developers.

Yeah… You are right, I will try to search a bit more about it, but surely I will follow your approach. Thank you!