The yii-imperavi-redactor-widget is a great addition to Yii. Now we can provide a rich text editor to our users. However, I am a bit concerned about security. Is yii-imperavi-redactor-widget safe from XSS attacks and SQL injection?
One of my favorite and must-include extensions is CmsInput. It can help purify and XSS-clean the fields before saving to the database.
However, I have a problem when combining these two extensions.
public function actionCreate() {
    $model = new Post;

    // Uncomment the following line if AJAX validation is needed
    // $this->performAjaxValidation($model);

    if (isset($_POST['Post'])) {
        $model->attributes = $_POST['Post'];

        // Get the original (unfiltered) `content` and purify it,
        // then run the xssClean filter over the purified HTML
        $oriPost = Yii::app()->input->getOriginalPost('Post');
        $model->content = Yii::app()->input->purify($oriPost['content']);
        $model->content = Yii::app()->input->xssClean($model->content);

        if ($model->save()) {
            $this->redirect(array('view', 'id' => $model->id));
        }
    }

    $this->render('create', array(
        'model' => $model,
    ));
}
The above code works very well for the minimum requirement. But the great thing about Redactor is that we can resize and position the image left, center or right.
Using the above code, the image size and position go back to what they were when the image was first inserted.
It works if I remove the xssClean method. But I am a bit scared of not having XSS protection then.
Can somebody help me with this?
Thank you in advance,
Daniel
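The conflict described in the post (a second, blacklist-style XSS filter stripping the `style`/`width`/`height` attributes that Redactor writes on images) is usually resolved by using one allowlist sanitizer that explicitly permits the safe attributes and CSS properties, rather than stacking filters. The following is an added, self-contained example written for this page in Python, not code from the Yii extensions discussed; it shows the allowlist principle on constructed input: tags, attributes and CSS properties not on the list are dropped, `javascript:` URLs and event handlers are removed, but image sizing and float alignment survive. In a Yii application the same policy is expressed as HTMLPurifier configuration (its `HTML.Allowed` and `CSS.AllowedProperties` directives) on the purifier that CmsInput wraps; the tag and property lists below are assumptions chosen for the demonstration.

```python
"""Allowlist HTML sanitizer that keeps safe image sizing/alignment styles.

Added example (not part of the original post). Every list below is a
demonstration policy, not a recommended production configuration.
"""
import re
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "strong", "em", "ul", "ol", "li", "a", "img",
                "h1", "h2", "h3", "blockquote"}
VOID_TAGS = {"br", "img"}
# Attributes permitted per tag; anything else (onerror, onclick, ...) is dropped.
ALLOWED_ATTRS = {
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height", "style"},
}
# CSS properties an editor needs for image sizing/alignment; everything else
# (background:url(...), expression(), behavior, ...) is dropped.
ALLOWED_CSS = {"float", "width", "height", "margin", "display", "text-align"}
# Only plain keyword/length values: no url(), no quotes, no parentheses.
CSS_VALUE_RE = re.compile(r"^[a-z0-9 .%-]+$", re.I)
DIMENSION_RE = re.compile(r"^\d{1,4}$")
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def clean_style(value):
    """Keep only allowlisted property:value pairs from a style attribute."""
    kept = []
    for decl in value.split(";"):
        if ":" not in decl:
            continue
        prop, val = decl.split(":", 1)
        prop, val = prop.strip().lower(), val.strip()
        if prop in ALLOWED_CSS and CSS_VALUE_RE.match(val):
            kept.append(f"{prop}:{val}")
    return ";".join(kept)


def safe_url(value):
    """Allow relative URLs and a fixed set of schemes; reject javascript: etc."""
    # Drop control characters and whitespace used to disguise the scheme.
    v = re.sub(r"[\x00-\x20]", "", value).lower()
    if ":" not in v:
        return True  # relative path such as /uploads/cat.jpg
    return v.split(":", 1)[0] in ALLOWED_SCHEMES


class Sanitizer(HTMLParser):
    def __init__(self):
        # convert_charrefs decodes entities so "&#106;avascript:" cannot hide a scheme.
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # >0 while inside <script>/<style>: drop their text too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag removed, its text content is still emitted
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "style":
                value = clean_style(value)
                if not value:
                    continue
            elif name in ("href", "src") and not safe_url(value):
                continue
            elif name in ("width", "height") and not DIMENSION_RE.match(value.strip()):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize(html_in):
    """Return allowlist-sanitized HTML for a string of untrusted editor output."""
    s = Sanitizer()
    s.feed(html_in)
    s.close()
    return "".join(s.out)


# Constructed sample: a resized, left-floated image with hostile extras attached.
SAMPLE = ('<p>Hi <img src="/uploads/cat.jpg" '
          'style="float:left; width:300px; background:url(javascript:1)" '
          'onerror="alert(1)" width="300"></p>'
          '<script>alert(1)</script><a href="javascript:alert(1)">x</a>')

if __name__ == "__main__":
    print(sanitize(SAMPLE))
```

Running the block on `SAMPLE` keeps `float:left;width:300px` and `width="300"` on the image while removing the `onerror` handler, the `background:url(...)` declaration, the script block and the `javascript:` link target. The point for the post's problem is that the policy lives in one place: widening the allowlist to include the attributes Redactor emits does not reopen the event-handler or URL-scheme vectors, whereas a second regex-based cleaner has no notion of which `style` values are harmless and strips them all.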