Depends on if you will reuse the content in various places that do not 
accept html entities... although I use h() in my views, and if I need to 
strip unwieldy html from large blocks of text I'll do it in a beforeSave 
callback - therefore it only does it once.

Cheers,
Adam
----- Original Message ----- 
From: "Marcel" <vermas...@gmail.com>
To: <cake-php@googlegroups.com>
Sent: Wednesday, June 17, 2009 10:58 PM
Subject: Re: CakePHP XSS protection?


>
> Adam Royle wrote:
>> You need to handle this manually. Look at the Sanitize class for cake's
>> built-in methods.
>>
>> http://api.cakephp.org/class/sanitize
>>
>> If you don't need the user to enter any html at all, consider using the
>> h() method while outputting your data, which will convert any html tags
>> to their entities so they will no longer be interpreted by the browser
>> as html.
>>
>> Cheers,
>> Adam
>
> Thanks!
> Should this also be used while saving data? Or only in the views?
>
> Marcel
>

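The distinction Adam draws (store the raw text and escape it in the view with h(), versus escaping or stripping once on save) as an added worked example in plain PHP; this is not code from the thread or from CakePHP. h() is re-implemented here as the htmlspecialchars() wrapper it amounts to so the script runs without the framework, and the comment text is a constructed sample.

```php
<?php
// Added example, not from the thread or from CakePHP.
// Stand-in for CakePHP's h(): htmlspecialchars() with ENT_QUOTES so both
// quote styles are encoded (an assumption that matches what h() does).
function h($text, $charset = 'UTF-8') {
    return htmlspecialchars($text, ENT_QUOTES, $charset);
}

// Constructed user input of the kind Marcel is asking about.
$comment = '<script>alert("xss")</script> Tom & Jerry\'s "best" <b>bold</b>';

// 1. Store raw, escape at output. The DB keeps the original text and the
//    view neutralises it: <script> becomes &lt;script&gt;, & becomes &amp;.
$stored = $comment;
echo "View (escape on output):\n  ", h($stored), "\n";

// 2. Escape on save AND in the view. The second h() re-encodes the '&' of
//    every entity, so the page renders the literal text "&lt;script&gt;"
//    instead of showing "<script>" harmlessly as text.
$storedEscaped = h($comment);
echo "View (escaped twice):\n  ", h($storedEscaped), "\n";

// 3. Reuse outside HTML, e.g. a JSON API. Here the raw copy is correct and
//    the pre-escaped copy leaks HTML entities into a non-HTML context,
//    which is Adam's reason for escaping late.
echo "JSON from raw:     ", json_encode($stored), "\n";
echo "JSON from escaped: ", json_encode($storedEscaped), "\n";

// 4. Stripping bulky HTML once in beforeSave (Adam's approach). strip_tags()
//    removes the tags but keeps their text content, so alert("xss") and the
//    bare & and " survive; the view must still call h() on the result.
$stripped = strip_tags($comment);
echo "Stored after strip_tags:\n  ", $stripped, "\n";
echo "View of stripped value:\n  ", h($stripped), "\n";
```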