I did panic a little when I saw that Sanitize was being deprecated. I use it in all my models before save to clean inputs of non-HTML data. I even extended the Sanitize class to use htmlspecialchars instead of htmlentities (have to preserve accented characters, etc.).
Anyway, I prefer to sanitize input before it is saved as opposed to just using h() on output. For non-HTML fields I think a viable alternative is to use the filter functions in PHP, for example: http://php.net/manual/en/function.filter-var.php

For HTML input I use the HTML Purifier library as a vendor package and use a component to clean the input before saving in the controller. Just updated the Brita component that was posted a long time ago in the Bakery: http://bakery.cakephp.org/articles/debuggeddesigns/2008/11/04/brita-component-with-html-purifier
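The approach described in the post, as an added example in plain PHP (not code from the post, from CakePHP or from the Brita component): filter_var for non-HTML fields, htmlspecialchars with a UTF-8 charset so accented characters survive, and HTML Purifier for the one field that may legitimately contain markup. The field names, rule map and sample input are constructed; HTML Purifier is assumed to be loaded by the vendor autoloader, with a plain-text fallback when it is not.

```php
<?php
// Added example: clean a record before save. Field names and sample input are
// constructed. Non-HTML fields go through filter_var; HTML fields go through
// HTML Purifier (assumed loaded via the vendor autoloader); free text is escaped
// with htmlspecialchars + UTF-8, which keeps "é" intact where htmlentities
// would rewrite it as "&eacute;".

function cleanText(string $value): string
{
    // ENT_QUOTES escapes both quote styles; ENT_SUBSTITUTE replaces invalid
    // UTF-8 instead of returning an empty string.
    return htmlspecialchars(trim($value), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function cleanHtml(string $value): string
{
    if (class_exists('HTMLPurifier')) {
        $config = HTMLPurifier_Config::createDefault();
        // Allow-list of tags/attributes; everything else (script, on*, etc.) is dropped.
        $config->set('HTML.Allowed', 'p,b,i,em,strong,a[href],ul,ol,li');
        return (new HTMLPurifier($config))->purify($value);
    }
    // Library not installed: treat the field as plain text rather than storing raw markup.
    return cleanText($value);
}

// $rules maps field => 'email' | 'int' | 'url' | 'html' | 'text'.
// A validated field that fails its filter is stored as null so the caller can reject it.
function cleanRecord(array $data, array $rules): array
{
    $filters = ['email' => FILTER_VALIDATE_EMAIL, 'url' => FILTER_VALIDATE_URL, 'int' => FILTER_VALIDATE_INT];
    $clean = [];
    foreach ($rules as $field => $rule) {
        $raw = (string) ($data[$field] ?? '');
        if (isset($filters[$rule])) {
            $value = filter_var(trim($raw), $filters[$rule]);
            $clean[$field] = ($value === false) ? null : $value;
        } elseif ($rule === 'html') {
            $clean[$field] = cleanHtml($raw);
        } else {
            $clean[$field] = cleanText($raw);
        }
    }
    return $clean;
}

// Constructed sample input: an accented name with injected markup, a valid
// e-mail, a non-numeric age and a bio mixing allowed and disallowed tags.
$input = [
    'name'  => 'José <script>alert(1)</script>',
    'email' => 'jose@example.com',
    'age'   => '33 years',
    'bio'   => '<p>Hello</p><script>steal()</script>',
];
$rules = ['name' => 'text', 'email' => 'email', 'age' => 'int', 'bio' => 'html'];
print_r(cleanRecord($input, $rules));
```

Keep h() on output as well: escaping on save protects the stored value, but anything rendered from another source still needs escaping at the view.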