Yii and XSS, where to escape the data


Where to escape the user input in Yii?

  1. Should I call CHtml::encode(strip_tags()) before saving them into the DB?
    Or should I encode them in the view instead, right before echo?

  2. Is there a way to automatically encode input text during validation?
    Is validating against [a-zA-Z0-9]* the best way to filter injections during validation?

Best Answer

For the first one, this is my personal opinion, but I would do as you said: CHtml::encode(strip_tags()) before saving the data. The main advantage of doing it before is that if you are getting the data from different mediums (a website, an API, ...) you'll be sure that the retrieved data is safe.

For the second point, I don't know if there is a specific method to automatically encode the input text, but you could use one of the beforeValidate() or beforeSave() methods in your model to do it!

For security in Yii, I invite you to check the wiki about writing secure Yii applications.
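The beforeValidate() approach from the answer, combined with the whitelist rule from the question, as an added example that is not part of the original answer or of Yii itself (the `Comment` model, its table and the `author`/`body` attributes are assumed):

```php
<?php
// Added example, not code from the original post: a Yii 1.1 CActiveRecord model
// that strips tags and HTML-encodes user-supplied attributes in beforeValidate(),
// so every save path (web form, API import, console command) stores the same
// cleaned value. Model, table and attribute names are assumed for illustration.
class Comment extends CActiveRecord
{
    // Attributes that accept free text from users and must be cleaned.
    private $textAttributes = array('author', 'body');

    public function tableName()
    {
        return '{{comment}}';
    }

    public function rules()
    {
        return array(
            array('author, body', 'required'),
            // Whitelist validation as in the question: author limited to [a-zA-Z0-9].
            // Because beforeValidate() runs first, an encoded '&amp;' would also be
            // rejected here, which is the intended effect of a strict whitelist.
            array('author', 'match', 'pattern' => '/^[a-zA-Z0-9]*$/'),
            array('body', 'length', 'max' => 2000),
        );
    }

    // Called by CModel::validate() before the rules run; returning false aborts
    // validation, so the cleaning happens on every save() that validates.
    protected function beforeValidate()
    {
        foreach ($this->textAttributes as $attr) {
            if ($this->$attr !== null) {
                // strip_tags() removes markup, CHtml::encode() escapes what is left
                // (htmlspecialchars with ENT_QUOTES, so quotes are covered too).
                $this->$attr = CHtml::encode(strip_tags(trim($this->$attr)));
            }
        }
        return parent::beforeValidate();
    }
}
```

Because the value is encoded before it is stored, views that print it must not call CHtml::encode() on it a second time, or a stored `&amp;` is shown as `&amp;amp;`; pick one place to encode and apply it consistently.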
