[SOLVED] HTML tag problem in Yii

I have a problem related to viewing content from the database that has an HTML tag inside. Here is the content of the table in the database:

<b>Hello world</b>

When users view the details, the content is displayed as <b>Hello world</b>, not like Hello world. Can anyone help me solve this? Thank you

Please show how you render the view.

Usually, people are confused about how to show the "<b>" instead of its formatting effect. That's why (I think) Yii has already overcome this kind of problem.

If you put <b> hello </b> in your DB, without Yii it will show as hello, and that was a bad thing, but with Yii (and other frameworks, I guess) it changes <b> hello </b> to &gt;b&lt; hello &gt;/b&lt;, so in the view it will still show as <b> hello </b> instead of hello.

You know my friend, in MVC you don't put any formatting in the model, so… I can't find the right answer to your problem. I think the answer would be something around disabling the HTML special character handling written somewhere in the Yii core.

But this is my recommendation: put your tags in your view, and if you have many varying formats, make a widget to do so…

For security reasons, the default Gii produced code uses CHtml::encode on all output fields.

So try and remove those first and see if it fixes it. It probably does.

It’s a good rule to sanitise output, not the actual content.

You could use a different form of purification, like html tidy, etc.

But, I agree with the others that you should - as a rule - not store formatting in the database.

It comes back to bite you when you least expect it! :)

One exception to this is output captured from various html editors, like CKEditor etc.

Thanks jacmoe, it works: just remove CHtml::encode() and add the strip_tags() function to replace it (viewing in plain text).

But if I'm not mistaken, these editors already contain internal purification functions, so the produced output is safe from XSS and other security issues. That is why storing their output in the DB isn't a violation of security standards. Am I right?

Yes, usually. :)

But it’s always a good idea to store the raw user input, and then sanitise later.

That way you can catch malicious users. In theory anyway.

Most editors sanitise the content, that's true.
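The three options discussed in this thread side by side (the Gii default CHtml::encode, the strip_tags() replacement, and output purification as jacmoe suggests), as an added example that is not code from the thread or from Yii itself. It assumes a Yii 1.1 application where CHtml and CHtmlPurifier are autoloaded, and uses a constructed sample string in place of the database value.

```php
<?php
// Added example, not from the thread. Assumes Yii 1.1 with CHtml and
// CHtmlPurifier autoloaded by the framework (normal inside any Yii view).

// Constructed sample of what might sit in the database: the poster's <b> tag
// plus an injected event handler attribute, which is what a purifier must drop.
$stored = '<b onmouseover="untrusted()">Hello world</b>';

// 1. What Gii generates: everything is escaped, so the browser shows the
//    literal text "<b ...>Hello world</b>". Safe, but no formatting at all.
echo CHtml::encode($stored);

// 2. The poster's replacement: every tag is removed, leaving plain text.
//    Caveat: strip_tags() called with an allowed-tags list keeps attributes
//    such as onmouseover on the tags it lets through, so it is not a purifier.
echo strip_tags($stored);

// 3. Allowlist purification at output time ("sanitise output, not the content"):
//    CHtmlPurifier wraps HTML Purifier; only the listed tags survive, every
//    attribute outside the allowlist (the event handler here) is removed, and
//    href values are limited to the listed URI schemes.
$purifier = new CHtmlPurifier();
$purifier->options = array(
    'HTML.Allowed'       => 'b,i,strong,em,p,br,ul,ol,li,a[href]',
    'URI.AllowedSchemes' => array('http' => true, 'https' => true),
);
echo $purifier->purify($stored);

// In a Gii-generated CDetailView the same purification is one attribute entry,
//   array('name' => 'content', 'type' => 'html'),
// because CFormatter's 'html' type runs the value through CHtmlPurifier.
```

Option 3 keeps the raw editor output in the database, as jacmoe recommends, while still rendering formatting; the allowlist is a starting point to adjust to what your editor actually produces.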