sanitize post inputs


For actionCreate(), the attributes of the models are auto-populated from $_POST[].

Where and how should I go about sanitizing the POST inputs?

hi…anyone?? :unsure:

You can use HTML Purifier, but I don't like this library because it is way too slow and the memory usage when enabled is just outrageous.

I am coming from CodeIgniter and it has an awesome XSS Clean Filter that is lightweight, so I took the "Security Class" from CodeIgniter 2.0 (see Bitbucket) and I made a component from it (be careful, if you do so, keep the CodeIgniter copyright, because it is their work, not ours).

So in the end, I have something like:


and it cleans everything coming from the post.

Also, you can use it for $_GET, because it is lightweight and it does an awesome job.


I will make use of the Security class. I am not sure how to make a component for Yii though… so I will just include and call the xss_clean function?

>> memory usage when enabled is just outrageous.

BTW, does it mean that I have to disable HTML Purifier?

Nope, ain’t going to work like this. Take a look at the Yii api to see how a component should be created.

Besides this, CI has some calls to its internal functions and you need to disable those.

I believe for somebody who doesn't know about CI, Kohana's security library is easier to understand.

If neither of those works for you, then go to and search for "filter user input" or "xss filter".

Nope, Yii uses lazy loading, so the component isn't loaded until you call it the first time.

So it is "disabled" by default.

I came across this while searching how to make a component…

Will try how to make a component of the CI xss filter…

Thanks again :)

I tried and was able to make use of CI's xss_clean().

Just to confirm something as I am new to all these…

If I call xss_clean("<b>aaaa</b>"), will I be able to see it in HTML bold?

So for example, if my application has a blog entry that has HTML entities such as <b>, which I want to 'keep' so they will display 'correctly', can I make use of xss_clean() or should I use HTML Purifier instead?

XSS clean removes only the "bad code" and doesn't touch your formatting, so it is safe to use.
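Putting the thread's advice together, here is an added example (not code from the thread, from Yii or from CodeIgniter): a Yii 1.1 application component that wraps the copied Security class's xss_clean() and is applied to $_POST before mass assignment in actionCreate(). The file paths, the XssFilter/PostController/Post names, and the assumption that the copied class constructs without its CI-internal calls are mine.

```php
<?php
// protected/components/XssFilter.php
// Added example: wraps an XSS filter as a Yii 1.1 application component so controllers
// can clean $_POST before mass-assigning model attributes. Assumes the copied CodeIgniter
// Security class lives in protected/vendors/Security.php, exposes xss_clean($str), and
// has had its CI-internal calls removed, as the thread advises (all assumptions).
class XssFilter extends CApplicationComponent
{
    public $filterFile = 'application.vendors.Security'; // path alias is an assumption
    private $_filter;

    public function init()
    {
        parent::init();
        Yii::import($this->filterFile, true); // force-include the copied class file
        $this->_filter = new CI_Security();
    }

    // Cleans a scalar, or every leaf of a nested array such as $_POST['Post'].
    public function clean($value)
    {
        if (is_array($value)) {
            return array_map(array($this, 'clean'), $value);
        }
        return $this->_filter->xss_clean((string) $value);
    }
}

// protected/config/main.php: register the component. Because Yii lazy-loads components,
// it is only instantiated on the first Yii::app()->xssFilter call.
//   'components' => array(
//       'xssFilter' => array('class' => 'application.components.XssFilter'),
//   ),

// protected/controllers/PostController.php: clean the POST block before it reaches the model.
class PostController extends CController
{
    public function actionCreate()
    {
        $model = new Post(); // hypothetical model name
        if (isset($_POST['Post'])) {
            $model->attributes = Yii::app()->xssFilter->clean($_POST['Post']);
            if ($model->save()) {
                $this->redirect(array('view', 'id' => $model->id));
            }
        }
        $this->render('create', array('model' => $model));
    }
}
```

Input filtering like this is a second line of defence; when rendering plain-text attributes, CHtml::encode() at output time remains the primary control.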