[Solved] Global purify request params

Currently the following code is added to each controller’s action function
$param = HtmlPurifier::process(Yii::$app->request->get('param'));

The code is repeated per param.

Is there a way to config it so this is done before getting into the action function and process all the request params?

Hi Cluwong,

You can also use it in the beforeAction function, controller-wise, instead of in each action of a controller

public function beforeAction($action) {
    // your custom code here, if you want the code to run before action filters,
    // which are triggered on the [[EVENT_BEFORE_ACTION]] event, e.g. PageCache or AccessControl

    if (!parent::beforeAction($action)) {
        return false;
    }

    // other custom code here

    return true; // or false to not run the action
}

For more information => https://www.yiiframework.com/doc/api/2.0/yii-base-controller#beforeAction()-detail

This is still repeated for all Controller files. Is there a way to configure it in a single place and apply it to all?

@cluwong
This is not an answer, but I’m wondering why you wanted to do it, because it looks to me like a very strange thing to apply HtmlPurifier::process() to each and every request parameter.

You could have a base Controller implementing it, and inherit from it for all controllers. But as @softark says, this looks quite odd. Why do you want to do that? Oo

I’m trying to avoid XSS attacks via the URL params. Some of these don’t go through model validations, so I thought about having it processed at a single place (i.e. globally). Is this not the right way to do it?

Hi Cluwong,

If you really want to achieve it globally, just go ahead with events like “onBeginRequest” or use a new trait that is connected to all controllers by default.

Cheers

As far as I understand, the protection against XSS attacks should be done by escaping the possibly dirty data in the phase of output, not by sanitizing the data in the phase of input.

It’s true that some of the GET parameters can be dangerous when they are displayed without escaping. For example, you may want to show the keywords or phrases used to query the data in a search result page. But it’s enough to use Html::encode() in order to make it safe. No need to call the heavy and slow HtmlPurifier::process().

Thanks for the links. That makes sense.

While on a related topic: I am currently using HtmlPurifier::process() as a filter validator for string fields in a model, following the example to prevent XSS in https://stackoverflow.com/questions/30124559/yii2-how-to-validate-xss-cross-site-scripting-in-form-model-input . Is that the correct way to ensure clean data is saved to the DB, or would using Html::encode() be sufficient?

Please don’t use Html::encode() for validation purposes. It might not have been clear in my previous post, but what I wanted to say was this: usually you only need to use Html::encode() when you output possibly unclean data.

<?= Html::encode($keywords) ?>

In the first place, there are not so many use cases where you should use HtmlPurifier.
IMO, it is useful ONLY WHEN you allow the user to use HTML tags in the input, e.g., the body content of a blog post, a comment on the blog post, and things like those where you may want to allow the user to use some HTML tags. Other than those limited use cases, you may completely forget HtmlPurifier.

Guide > Security > Best Practices

1 Like
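The two points made in this thread (escape plain text with Html::encode() at output time; reserve HtmlPurifier for the one field where HTML is intentionally allowed) put together as an added example. This is not code from the thread or from Yii itself; it assumes a Yii 2 application, and the PostForm model, its attributes, the `$q` search parameter and the view file are hypothetical.

```php
<?php
// --- models/PostForm.php (hypothetical) ---
namespace app\models;

use yii\base\Model;
use yii\helpers\HtmlPurifier;

class PostForm extends Model
{
    public $title; // plain text: holds no HTML, so it is only escaped at output time
    public $body;  // rich text: the one input where HtmlPurifier is appropriate

    public function rules()
    {
        return [
            [['title', 'body'], 'required'],
            ['title', 'trim'],
            ['title', 'string', 'max' => 200],
            // Purify only the field where HTML is intentionally allowed, and pass an
            // explicit allow-list instead of relying on the permissive default config.
            ['body', 'filter', 'filter' => function ($value) {
                return HtmlPurifier::process($value, [
                    'HTML.Allowed'       => 'p,br,strong,em,ul,ol,li,a[href]',
                    'URI.AllowedSchemes' => ['http' => true, 'https' => true],
                ]);
            }],
        ];
    }
}
?>
<?php
// --- views/post/view.php (hypothetical) ---
/** @var app\models\PostForm $model */
/** @var string $q the search keyword, passed through verbatim from the GET parameter */
use yii\helpers\Html;
?>
<p>Results for: <?= Html::encode($q) ?></p>   <!-- untrusted text: escape on output, no purifier -->
<h1><?= Html::encode($model->title) ?></h1>    <!-- plain field: encode, don't purify -->
<div class="body"><?= $model->body ?></div>    <!-- already purified on input; allowed HTML only -->
```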