In this post I am going to describe a solution to make your Yii-based web application safe from injected HTML and script content (stored XSS) in user-supplied text.
I am going to use the Yii wrapper around HTMLPurifier (CHtmlPurifier) inside a behavior. This behavior can be attached to any model by declaring the attributes we would like to make XSS-safe.
I wrote the following behavior:
class CSafeContentBehavior extends CActiveRecordBehavior
{
    // Names of the owner model's attributes that are purified before each save.
    public $attributes = array();
    protected $purifier;

    public function __construct()
    {
        // CHtmlPurifier is Yii's wrapper around HTMLPurifier; the library
        // itself is only loaded on the first purify() call.
        $this->purifier = new CHtmlPurifier;
    }

    public function beforeSave($event)
    {
        $owner = $this->getOwner();
        foreach ($this->attributes as $attribute) {
            // Replace the raw value with the purified (whitelisted) HTML.
            $owner->{$attribute} = $this->purifier->purify($owner->{$attribute});
        }
    }
}
Place this class in a file in your application directory, for example: application/behaviors/CSafeContentBehavior.php
Now in your model you attach the behavior like this:
class Post extends CActiveRecord
{
    public function behaviors()
    {
        return array(
            'CSafeContentBehavior' => array(
                'class' => 'application.behaviors.CSafeContentBehavior',
                'attributes' => array('title', 'body'),
            ),
        );
    }
}
Here we go. Our Post model will now purify the title and body columns before each save operation, so whatever a user typed into them reaches the database already stripped of scripts and event handlers.
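The following is an added example, not the original post's code, showing a variant of the same behavior that a practitioner would usually want in production: the purifier is built lazily, the HTMLPurifier whitelist is configurable per model through a `purifierOptions` property (a name assumed here, not part of the post), and attributes that are missing or hold no string are skipped so a NULL column is not silently turned into an empty string. It assumes Yii 1.1 (CActiveRecordBehavior, CHtmlPurifier, CActiveRecord::hasAttribute); the sample input at the bottom is constructed for illustration.

```php
<?php
// Added example: a configurable variant of the post's behavior (assumes Yii 1.1).
class CSafeContentBehavior extends CActiveRecordBehavior
{
    /** @var array attribute names to purify before every save */
    public $attributes = array();

    /** @var array HTMLPurifier config, passed to CHtmlPurifier::$options (assumed property name) */
    public $purifierOptions = array();

    private $_purifier;

    // Build the purifier on first use so a model that is never saved pays nothing.
    protected function getPurifier()
    {
        if ($this->_purifier === null) {
            $this->_purifier = new CHtmlPurifier;
            $this->_purifier->options = $this->purifierOptions;
        }
        return $this->_purifier;
    }

    public function beforeSave($event)
    {
        $owner = $this->getOwner();
        foreach ($this->attributes as $attribute) {
            // Skip unknown attributes and non-string values (NULL, integers):
            // purifying NULL would overwrite it with ''.
            if (!$owner->hasAttribute($attribute) || !is_string($owner->$attribute)) {
                continue;
            }
            $owner->$attribute = $this->getPurifier()->purify($owner->$attribute);
        }
    }
}

// Attaching it with an explicit whitelist: only these tags/attributes survive,
// everything else (script, iframes, on* handlers, javascript: URLs) is dropped.
class Post extends CActiveRecord
{
    public function behaviors()
    {
        return array(
            'CSafeContentBehavior' => array(
                'class' => 'application.behaviors.CSafeContentBehavior',
                'attributes' => array('title', 'body'),
                'purifierOptions' => array('HTML.Allowed' => 'p,b,i,a[href]'),
            ),
        );
    }
}

// Offline check of the whitelist without a database: run the same purifier
// configuration over a constructed input and inspect what remains.
$purifier = new CHtmlPurifier;
$purifier->options = array('HTML.Allowed' => 'p,b,i,a[href]');
$dirty = '<p onclick="x()">Hello <b>world</b><script>alert(1)</script></p>';
// Expect the onclick attribute and the script element (with its body) removed;
// the <p> and <b> markup is kept.
echo $purifier->purify($dirty), "\n";
```

The whitelist lives in the model's behaviors() configuration, so each model can allow exactly the markup its column is meant to hold; leaving purifierOptions empty falls back to HTMLPurifier's default (still safe, but more permissive) ruleset.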