hi,
for actionCreate(), the attributes of the models are auto-populated from $_POST[].
Where and how should I go about sanitizing the POST inputs?
hi…anyone??
You can use HTML Purifier, but I don’t like this library because it is way too slow and the memory usage when enabled is just outrageous.
I am coming from CodeIgniter and it has an awesome XSS Clean filter that is lightweight, so I took the "Security Class" from CodeIgniter 2.0 (see Bitbucket https://bitbucket.org/ellislab/codeigniter/src/c91f50b04b13/system/libraries/Security.php) and I made a component from it (be careful, if you do so, keep the CodeIgniter copyright, because it is their work, not ours).
So in the end, I have something like:
$this->attributes=XssClean::clean($_POST);
and it cleans everything coming from the post.
Also, you can use it for $_GET, because it is lightweight and it does an awesome job.
Thanks!!
I will make use of the security class. I am not sure how to make a component for yii though… so I will just include and call the xss_clean function?
>> memory usage when enabled is just outrageous.
btw, does it mean that I have to disable HTML Purifier?
Nope, ain’t going to work like this. Take a look at the Yii API to see how a component should be created.
Besides this, CI has some calls to its internal functions and you need to disable those.
I believe for somebody who doesn’t know about CI, Kohana’s security library is easier to understand.
If neither of those works for you, then go to phpclasses.org and search for "filter user input" or "xss filter".
Nope, Yii uses lazy loading, so the component isn’t loaded till you call it first time.
So it is "disabled" by default.
I came across this while searching how to make a component…
http://www.yiiframework.com/forum/index.php?/topic/13280-how-to-create-hello-world-component/
Will try how to make a component of the CI xss filter…
Thanks again
I tried and was able to make use of CI xss_clean().
Just to confirm something as I am new to all these…
If I call xss_clean("<b>aaaa</b>"), will I be able to see it in HTML bold?
So for example, if my application has a blog entry that has HTML entities such as <b>, which I want to ‘keep’ so they display ‘correctly’, can I make use of xss_clean() or should I use HTML Purifier instead?
XSS clean removes only the “bad code” and doesn’t touch your formatting, so it is safe to use.
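As an added example (not code from the thread or from the CodeIgniter or Yii projects), here is one way to wire a ported XSS filter into a Yii 1.x application as a lazily loaded component and apply it per attribute through the model's `filter` validator, which answers both the "how do I make a component" question and the "which fields keep their HTML" question above. It goes a bit beyond the thread: instead of cleaning all of `$_POST` at once, only the attribute that is meant to carry HTML is filtered, and plain-text attributes are encoded on output with `CHtml::encode()`. The class name `XssFilter` and its method `xss_clean()` are assumed to be the ported CodeIgniter class; the component name `xss`, the `Post` model and its columns are placeholders.

```php
<?php
// Added example: XSS filter as a Yii 1.x application component, applied per attribute.
// Assumptions (not from the thread): the ported CodeIgniter Security class is saved as
// protected/components/XssFilter.php, class XssFilter, with an instance method
// xss_clean(string $str): string. The 'xss' component name and Post model are placeholders.

// --- protected/config/main.php (fragment) ---------------------------------
// 'components' => array(
//     'xss' => array('class' => 'XssCleaner'), // instantiated on first Yii::app()->xss
// ),

// --- protected/components/XssCleaner.php ----------------------------------
class XssCleaner extends CApplicationComponent
{
    private $filter;

    public function init()
    {
        parent::init();
        $this->filter = new XssFilter(); // assumed ported class
    }

    // Clean one string; arrays are cleaned recursively so a whole
    // $_POST block can be passed if that is ever needed.
    public function clean($value)
    {
        if (is_array($value)) {
            return array_map(array($this, 'clean'), $value);
        }
        return $this->filter->xss_clean((string) $value);
    }
}

// --- protected/models/Post.php --------------------------------------------
class Post extends CActiveRecord
{
    public static function model($className = __CLASS__)
    {
        return parent::model($className);
    }

    public function tableName()
    {
        return 'post';
    }

    public function rules()
    {
        return array(
            array('title, body', 'required'),
            array('title', 'length', 'max' => 255),
            // 'body' is allowed to carry HTML, so it is run through the filter
            // when validate() is called; 'title' is plain text and is encoded on output.
            array('body', 'filter', 'filter' => array(Yii::app()->xss, 'clean')),
        );
    }
}

// --- protected/controllers/PostController.php -----------------------------
class PostController extends CController
{
    public function actionCreate()
    {
        $model = new Post();
        if (isset($_POST['Post'])) {
            // Massive assignment only sets attributes that appear in rules();
            // the filter validator runs as part of save() -> validate().
            $model->attributes = $_POST['Post'];
            if ($model->save()) {
                $this->redirect(array('view', 'id' => $model->id));
            }
        }
        $this->render('create', array('model' => $model));
    }
}

// --- protected/views/post/view.php (fragment) ------------------------------
// Plain-text field encoded at output; only the filtered HTML field is echoed raw.
// <h1><?php echo CHtml::encode($model->title); ?></h1>
// <div><?php echo $model->body; ?></div>
```

In a real project each class goes in its own file so Yii's autoloader can find it; they are shown together here only for reading. The `filter` validator is the same hook `CHtmlPurifier` documents (`array($obj, 'purify')`), so swapping the ported class for Yii's bundled purifier on a single attribute is a one-line change in `rules()`.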