You need to handle this manually. Look at the Sanitize class for Cake's 
built-in methods.

http://api.cakephp.org/class/sanitize

If you don't need the user to enter any HTML at all, consider using the h() 
method while outputting your data, which will convert any HTML tags to their 
entities so they will no longer be interpreted by the browser as HTML.

Cheers,
Adam

----- Original Message ----- 
From: "Marcel" <vermas...@gmail.com>
To: <cake-php@googlegroups.com>
Sent: Wednesday, June 17, 2009 10:36 PM
Subject: CakePHP XSS protection?


>
> Hi,
>
> I'm using the save(), saveField() and saveAll() model methods to save
> user data directly to the database.
> On some sites I've read that CakePHP does things against XSS, but when
> I'm trying to save the standard example XSS string
>
> <script type="text/javascript">alert("XSS");</script>
>
> to the database it's saved as it is. So the alert box is shown when e.g.
> I just do a findAll() and print it out on a table.
>
> Is there an easy way to solve this issue? Do I have to handle this in
> beforeSave? Or can it be done in $validate?
>
>
> Marcel
>
> 
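The fix Adam describes, output-time escaping, shown as an added PHP example. This is not code from the thread or from CakePHP itself: escape_html() is a stand-in for Cake's h(), which wraps htmlspecialchars() with ENT_QUOTES; the $rows array, the Comment model name, and the two render_table_* functions are constructed for the example, with the first row holding the exact string Marcel saved. The stored value stays untouched in the database; only the view changes.

```php
<?php
// Added example (not from the thread or from CakePHP): escaping user data at
// output time, which is what the h() advice in the reply does.

// Stand-in for CakePHP's h(). ENT_QUOTES also escapes single quotes, so the
// result is safe inside attributes delimited with either quote style.
function escape_html($text)
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed sample rows, standing in for the result of a findAll() call.
// Row one is the probe string from the question, stored verbatim as described;
// row two shows an attribute-context payload and ordinary special characters.
$rows = array(
    array('Comment' => array(
        'author' => 'Marcel',
        'body'   => '<script type="text/javascript">alert("XSS");</script>',
    )),
    array('Comment' => array(
        'author' => 'Mallory" onmouseover="alert(1)',
        'body'   => 'Tom & Jerry <3',
    )),
);

// Vulnerable rendering: stored markup is written into the page unchanged, so
// the browser runs the script. This is the behaviour the question reports.
function render_table_raw(array $rows)
{
    $html = "<table>\n";
    foreach ($rows as $row) {
        $html .= '  <tr><td title="' . $row['Comment']['author'] . '">'
               . $row['Comment']['body'] . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Fixed rendering: every user-controlled value goes through escape_html() at
// the moment it is emitted, in text context and in attribute context alike.
function render_table_escaped(array $rows)
{
    $html = "<table>\n";
    foreach ($rows as $row) {
        $html .= '  <tr><td title="' . escape_html($row['Comment']['author']) . '">'
               . escape_html($row['Comment']['body']) . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Sanity check: the escaped output must not contain a raw <script tag or an
// unescaped double quote inside the title attribute.
function output_is_escaped($html)
{
    return stripos($html, '<script') === false
        && strpos($html, 'onmouseover="') === false;
}

echo "--- raw (browser executes the stored script) ---\n";
echo render_table_raw($rows);
echo "--- escaped (script is displayed as text) ---\n";
$safe = render_table_escaped($rows);
echo $safe;
echo output_is_escaped($safe) ? "escaped output is clean\n" : "ESCAPING FAILED\n";
```

Run it with `php example.php`. The escaped table prints the probe as `&lt;script type=&quot;text/javascript&quot;&gt;alert(&quot;XSS&quot;);&lt;/script&gt;`, which the browser renders as literal text, and the `"` in the second author's name becomes `&quot;` so it cannot close the title attribute. Escaping at output rather than at save time also keeps the data reusable in non-HTML contexts (JSON, e-mail, CSV) where HTML entities would be wrong.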

