You can also use it in the beforeAction() function, per controller, instead of in each action of a controller:

    public function beforeAction($action)
    {
        // your custom code here, if you want the code to run before action filters,
        // which are triggered on the [[EVENT_BEFORE_ACTION]] event, e.g. PageCache or AccessControl
        if (!parent::beforeAction($action)) {
            return false;
        }
        // other custom code here
        return true; // or false to not run the action
    }
@cluwong
This is not an answer, but I’m wondering why you wanted to do it, because it looks to me a very strange thing to apply HtmlPurifier::process() to each and every request parameter.
You could have a base Controller implementing it, and inherit from it for all containers. But as @softark says, this looks quite odd. Why do you want to do that? Oo
I’m trying to avoid XSS attacks via the URL params. Some of these don’t go through model validations, so I thought about having it processed at a single place (i.e. globally). Is this not the right way to do it?
As far as I understand, the protection against XSS attack should be done by escaping the possibly dirty data in the phase of output, not by sanitizing the data in the phase of input.
It’s true that some of the GET parameters can be dangerous when they are displayed without escaping. For example, you may want to show the keywords or phrases used to query the data in a search result page. But it’s enough to use Html::encode() in order to make it safe. No need to call the heavy and slow HtmlPurifier::process().
Please don’t use Html::encode() for validation purposes. It might not be clear in my previous post, but what I wanted to say was this: usually you only need to use Html::encode() when you output possibly unclean data.

    <?= Html::encode($keywords) ?>
In the first place, there aren’t so many use cases where you should use HtmlPurifier.
IMO, it is useful ONLY WHEN you allow the user to use HTML tags in the input, e.g., the body content of a blog post, a comment to the blog post, and something like those where you may want to allow the user to use some HTML tags. Other than those limited use cases, you may completely forget HtmlPurifier.
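The two rules discussed in this thread side by side, as an added example that is not code from any of the posts above: a plain GET parameter is left untouched on input and escaped with Html::encode() at output time, while HtmlPurifier::process() is applied only as a filter rule on a field that is meant to hold HTML. It assumes a Yii 2 application; the PostForm and SearchController names, the route and the sample input are hypothetical.

```php
<?php
// Added example, not from the thread. Assumes Yii 2; class, route and sample
// data are hypothetical.
namespace app\controllers;

use yii\base\Model;
use yii\helpers\Html;
use yii\helpers\HtmlPurifier;
use yii\web\Controller;

// Rich-text input is the one place HtmlPurifier belongs: the body is meant to
// be stored and later rendered as HTML, so it must be cleaned, not escaped.
class PostForm extends Model
{
    public $title;
    public $body;

    public function rules(): array
    {
        return [
            [['title', 'body'], 'required'],
            ['title', 'string', 'max' => 255],
            // Remove script and other dangerous markup, keep benign tags like <b>.
            ['body', 'filter', 'filter' => [HtmlPurifier::class, 'process']],
        ];
    }
}

class SearchController extends Controller
{
    // Per-controller hook as in the first post; no request-wide purifying here.
    public function beforeAction($action): bool
    {
        return parent::beforeAction($action);
    }

    // A plain GET parameter: do nothing on input, escape on output.
    public function actionIndex(string $q = ''): string
    {
        // Html::encode() turns "<script>" into "&lt;script&gt;": the search
        // term is shown verbatim to the user but can never execute.
        $heading = '<h1>Results for ' . Html::encode($q) . '</h1>';

        // Constructed sample input standing in for a posted blog body.
        $post = new PostForm();
        $post->load(['PostForm' => ['title' => 'Demo', 'body' => 'hi <b>there</b><script>x()</script>']]);
        $post->validate(); // filter rule runs here; the script element is dropped

        // Title is escaped like any plain text; body is already clean HTML.
        return $heading . '<h2>' . Html::encode($post->title) . '</h2>' . $post->body;
    }
}
```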