Yii-Imperavi-Redactor-Widget + Cmsinput

yii-imperavi-redactor-widget is a great addition to Yii. Now we can provide a rich text editor to our users. However, I am a bit concerned about the security. Is yii-imperavi-redactor-widget safe from XSS attacks and SQL injection?

One of my favorite and must-include extensions is CmsInput. It can help purify and xssClean the field before saving to the database.

However, I have a problem when combining these two extensions.

public function actionCreate() {
    $model = new Post;

    // Uncomment the following line if AJAX validation is needed
    // $this->performAjaxValidation($model);

    if (isset($_POST['Post'])) {
        // Mass-assign the attributes declared safe in Post::rules()
        $model->attributes = $_POST['Post'];

        // Get the original (uncleaned) `content` and purify it
        $oriPost = Yii::app()->input->getOriginalPost('Post');
        $model->content = Yii::app()->input->purify($oriPost['content']);
        // Second pass through xssClean; this is the call that loses the image size/position
        $model->content = Yii::app()->input->xssClean($model->content);

        if ($model->save()) {
            $this->redirect(array('view', 'id' => $model->id));
        }
    }

    $this->render('create', array(
        'model' => $model,
    ));
}

The above code works very well with the minimum requirements. But the great thing about Redactor is that we can resize and position the image left, center or right.

Using the above code, the image size and position go back to what they were when the image was first inserted.

It works if I remove the xssClean call. But I am a bit scared of not having XSS protection then.

Can somebody help me with this?

Thank you in advance,

Daniel

I have been looking everywhere but could not find the answer yet. I was wondering what the difference is between using CmsInput->xssClean and enableCsrf? Are they both the same? Is it safe to say that I can remove xssClean since I already enable CSRF?

Thank you in advance.

Kind regards,

Daniel
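The two posts above ask two separate things: how to keep Redactor's image size and alignment while still cleaning the content, and whether CSRF validation can stand in for xssClean. The example below is added here as an editor's illustration; it is not code from the original posts, from yii-imperavi-redactor-widget or from CmsInput. It addresses the first question with a single HTML Purifier allowlist that keeps width/height and a float on img while dropping script tags, event-handler attributes and javascript: URLs, which is the same engine CmsInput's purify wraps (Yii 1.x bundles it under vendors/htmlpurifier; the require path below is an assumption). On the second question: Yii's enableCsrfValidation on the request component only checks that a POST carries the per-session token; it never looks at what is inside the submitted fields, so it does not replace content sanitization, and SQL injection is handled separately by Active Record's bound parameters in save(). The Redactor-style sample input is constructed for this example, not captured from the widget.

```php
<?php
// Added example, not part of the original posts or of the extensions discussed.
// Assumption: HTML Purifier is loaded from the copy shipped with Yii 1.x; adjust the path.
require_once dirname(__FILE__) . '/../vendors/htmlpurifier/HTMLPurifier.standalone.php';

// Build an allowlist tailored to what a rich text editor needs, instead of a
// regex-based "xss clean" pass that also strips the style attribute.
function redactorPurifierConfig()
{
    $config = HTMLPurifier_Config::createDefault();
    // Elements and attributes that may survive. Anything not listed (script, iframe,
    // form, onerror=..., id=...) is removed. 'style' is allowed on img and p so the
    // float/alignment that Redactor writes is kept.
    $config->set(
        'HTML.Allowed',
        'p[style],br,b,strong,i,em,u,ul,ol,li,blockquote,a[href|title],'
        . 'img[src|alt|width|height|style]'
    );
    // Only the CSS properties needed for image layout; expression(), behavior:,
    // position: and background:url(...) never pass because they are not listed.
    $config->set('CSS.AllowedProperties', 'float,width,height,text-align,margin');
    // No javascript:, data: or vbscript: in href/src.
    $config->set('URI.AllowedSchemes', array('http' => true, 'https' => true));
    // The purifier caches its definitions; in a Yii app point this at the runtime dir.
    $config->set('Cache.SerializerPath', sys_get_temp_dir());
    return $config;
}

function purifyPostContent($html)
{
    $purifier = new HTMLPurifier(redactorPurifierConfig());
    return $purifier->purify($html);
}

// Sanity check a practitioner would keep in a unit test: image layout survives,
// while script content and script-bearing attributes do not.
function purifiedOutputIsSane($clean)
{
    return strpos($clean, 'width="300"') !== false
        && strpos($clean, 'float:left') !== false
        && stripos($clean, '<script') === false
        && stripos($clean, 'onerror') === false
        && stripos($clean, 'javascript:') === false;
}

// Constructed sample: a legitimately resized, left-floated image mixed with
// the kind of payload a hostile user could paste into the editor.
$dirty = '<p>Intro</p>'
    . '<img src="/uploads/cat.jpg" alt="cat" width="300" height="200" style="float: left;">'
    . '<img src="x" onerror="alert(document.cookie)">'
    . '<script>alert(1)</script>'
    . '<a href="javascript:alert(1)">click</a>'
    . '<p style="color:red; background:url(http://evil.example/x)">text</p>';

$clean = purifyPostContent($dirty);
echo $clean, PHP_EOL;
var_dump(purifiedOutputIsSane($clean));
```

In a Yii controller the same options array can be handed to CHtmlPurifier::$options (or to whatever CmsInput exposes for its purifier) and the xssClean call in the original action dropped, since the allowlist already removes everything that regex pass was meant to catch. Keep enableCsrfValidation on as well; it protects a different boundary (who may submit the form), not what the form contains.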

+1 for this question. It is my concern too.