Remove All Html - Javascript Entities


I want your opinion about removing all non-human-text symbols (in addition to html, php, javascript tags) from a textarea for max security

I used CHtmlPurifier() to purify the field but it does not work with encoded characters like the following (maybe it needs some settings)

<script src=></script>

I could use preg_replace but I want a way based on Yii

How to achieve that with the minimum code?


I found an option ‘Filter.ExtractStyleBlocks.Escaping’=>true for CHtmlPurifier but it seems not to work!

Also I found a similar thread

So, how to achieve that?


You can try this

Thank you for the response

but I think this extension is not appropriate for this issue

Also I want to use only Yii kernel API and not an extension

Any other suggestion or opinion?


You can also try this one, hope it will help

I have already tested it but it does not work for special characters like &lt &gt etc.

A trick I found to do that is this:

$attr = CHtml::decode(strip_tags($attribute));
$p = new CHtmlPurifier();
return $p->purify($attr);

Or better:

return preg_replace("/<(.*?)>/i", '', $p->purify($attr));

Although it works, maybe it is not a good way to do that.

Is there an equivalent function or setting in Yii?

< or > are not special chars, they are both html entities.

This means in this stage, they were encoded using something similar to what CHtml::encode() does (php’s htmlspecialchars() ) so if you want to do it right, first you need to decode the entities using CHtml::decode() as you did. In your example, strip_tags doesn’t make any sense, it has nothing to strip as there are no tags.

So the full approach would simply be:

$p = new CHtmlPurifier();

return $p->purify(CHtml::decode($attribute));

Also, HtmlPurifier has a huge set of settings which can be used to tune it to get to the light.
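A concrete form of the decode-then-purify approach as a Yii 1.1 model rule, added here as an example that is not code from this thread or from Yii itself (the CommentForm class, the body attribute and the HTML.Allowed whitelist are assumptions):

```php
<?php
// Added example (not from the thread or from Yii): a hypothetical Yii 1.1 form
// model that decodes entities before purifying, as the answer above recommends.
class CommentForm extends CFormModel
{
    public $body;

    public function rules()
    {
        return array(
            // Same 'filter' validator as in the thread, but the callback
            // decodes first, then purifies.
            array('body', 'filter', 'filter' => array($this, 'decodeThenPurify')),
        );
    }

    /**
     * Entities such as &lt;script&gt; are plain text to the purifier, so they
     * survive purify() untouched. If the application later decodes them for
     * display, the markup comes back to life. Decoding before purifying makes
     * the purifier see the real tags and strip them.
     */
    public function decodeThenPurify($value)
    {
        $p = new CHtmlPurifier();
        // Optional whitelist (an HTML Purifier directive); other directives,
        // such as the one mentioned in this thread, can be set the same way.
        $p->setOptions(array('HTML.Allowed' => 'p,b,i,a[href]'));
        return $p->purify(CHtml::decode($value));
    }
}

// Constructed inputs to show the difference (run inside a Yii application):
$cases = array(
    '<b>fine</b>',                           // allowed markup, kept
    '<script>alert(1)</script>',             // real tag, removed by the purifier
    '&lt;script&gt;alert(1)&lt;/script&gt;', // decoded first, then removed as well
    '&lt;?php echo "a"; ?&gt;',              // as the thread reports: escaped text, not markup
);
$form = new CommentForm();
foreach ($cases as $input) {
    $form->body = $input;
    $form->validate(); // runs the filter rule
    // Echo the purified HTML as-is, or CHtml::encode() it; never CHtml::decode() it again.
    echo CHtml::encode($input), ' => ', CHtml::encode($form->body), "\n";
}
```

The purified value is what gets stored; the output side must not decode it a second time, or the protection gained by decoding before purifying is lost.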

Thank you @twisted1919

The only thing I did not understand very well is that strip_tags is not necessary, why?

If a user enters <script>alert('a');</script> then strip_tags removes <script></script>, right?

You mean the HtmlPurifier takes away all the html entities and that is the reason strip_tags is not necessary?



It does not remove <?php ?> tags but replaces them with

&lt;?php echo 'a'; ?&gt;

For that I posted

preg_replace("/&lt;(.*?)&gt;/i", '', $p->purify($attr));

I will appreciate your opinions :)

Hi KonApaz,

I have experienced the same problem, but I'm kind of new to XSS security so I don't know how dangerous it is to allow people to save this into your DB: &lt;?php echo 'a'; ?&gt;

I think that it is only ugly to see but nothing else. Could you explain to me quickly why you want to strip these special characters &lt &gt? Is it not secure enough with only

array('attribute1', 'filter', 'filter' => array(new CHtmlPurifier(), 'purify')),


Hi menxaca

I want to be absolutely sure about it! So I want extra measures. I don't know if CHtmlPurifier() guarantees one hundred percent to prevent all hacking combinations; this could be answered by the Yii team developers.

Yeah… You are right, I will try to search a bit more about it, but surely I will follow your approach. Thank you!