Yii
@Twitt, 2017-06-07 00:31:10

Yii2, how to deal with XSS correctly?

The thing is:
Let's say I have a SignupForm model; the rules are written in it, they say the login and password are required, trim them, etc., but there is one hindrance:
When you enter the code <script>alert("hacked");</script> into one of the fields (let's say in about), it goes directly to the database, and then when we display this field for this user, this alert will pop up on the page of whoever visits him. So far I have solved this problem in a very noobish way: in all views I have written Html::encode() for each parameter (which is pure routine). But I'm more than sure that you can simply make sure that this data gets into the database already safe, at the moment the data is entered, in the SignupForm model itself. How to do it professionally? Register a validator, perhaps? I would like a correct example, thanks.


2 answer(s)
Mi7teR, 2017-06-07

public function rules()
{
    return [
        // 'filter' validator: pass both fields through HtmlPurifier before they are saved
        [['field1', 'field2'], 'filter', 'filter' => '\yii\helpers\HtmlPurifier::process'],
    ];
}

www.yiiframework.com/doc-2.0/yii-helpers-htmlpurif...

Sergey Sobko, 2017-06-07
@Catzo0

so far I have solved this problem in a very noob way, in all views I have written Html::encode()

Why noob? Lol. The official Yii documentation says that all data received from the user must be output via Html::encode(). Why? That is also written there.
So, excuse me, but what prevents you from parsing the entered data and cleaning it of the characters that are not allowed for you, right before inserting it into the database?
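Putting the two answers together, as an added example that is code from neither answerer nor from the Yii project itself: a SignupForm whose rules sanitize on input (HtmlPurifier for the HTML-capable about field, strip_tags plus a character whitelist for the plain-text username), and a view that still encodes on output. The field names, the app\models namespace and the view file path are assumptions.

```php
<?php
// ---- models/SignupForm.php (assumed path) ----
// Added example; not the answerers' code and not part of Yii itself.
namespace app\models;

use yii\base\Model;
use yii\helpers\HtmlPurifier;

class SignupForm extends Model
{
    public $username;   // plain text, never rendered as HTML
    public $password;
    public $about;      // free text the user may format with a few HTML tags

    public function rules()
    {
        // Rules run in the order listed, so the filters below execute before
        // the checks that follow them, and the filtered value is what gets saved.
        return [
            [['username', 'password'], 'required'],
            [['username', 'about'], 'trim'],

            // 'about' may legitimately contain markup: HtmlPurifier keeps a
            // whitelist of safe tags/attributes and drops <script>, on* handlers,
            // javascript: URLs, etc. before the value reaches the database.
            ['about', 'filter', 'filter' => [HtmlPurifier::class, 'process']],
            ['about', 'string', 'max' => 2000],

            // 'username' is not HTML at all: strip every tag, then accept only
            // a narrow character set so no markup can survive.
            ['username', 'filter', 'filter' => 'strip_tags'],
            ['username', 'match', 'pattern' => '/^[A-Za-z0-9_]{3,32}$/'],

            ['password', 'string', 'min' => 8],
        ];
    }
}

// ---- views/user/view.php (assumed path), $user holds the saved record ----
// Output encoding is kept regardless of what the model did: a value that never
// passed through SignupForm (direct DB edit, an import, another form) must not
// become markup just because this view trusted the database.
use yii\helpers\Html;

echo Html::tag('h1', Html::encode($user->username));

// 'about' was purified on input and is meant to render as HTML, so it is the
// one field echoed without encoding; it is still wrapped, never interpolated
// into an attribute or a script block.
echo Html::tag('div', $user->about, ['class' => 'about']);
```

The split is deliberate: sanitizing in the model answers the question of how to make the stored data safe, while Html::encode() in every view remains the guarantee for data that reached the table by some other route. Calling $form->validate() before save() is what triggers the filters; assigning attributes and saving without validation bypasses them.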
