On Jun 17, 2:36 pm, Marcel <vermas...@gmail.com> wrote:
> Hi,
>
> I'm using the save(), saveField() and saveAll() model methods to save
> userdata directly to the database.
> On some sites I've read that CakePHP does things against XSS, but when
> I'm trying to save the standard example xss string
>
> <script type="text/javascript">alert("XSS");</script>
>
> to the database it's saved as it is. So the alert box is shown when e.g.
> I just do a findAll() and print it out in a table.
>
> Is there an easy way to solve this issue? Do I have to handle this in
> beforeSave? Or can it be done in $validate?

Following the mantra of escape input, filter output, you don't /need/
to do anything in beforeSave since XSS doesn't affect the DB.

echo $html->clean($someHtml); will remove malicious attempts. Of
course it won't hurt to sanitize in the model on save (except that you
then have no record that it was malicious in the first place).

hth,

AD
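A worked version of the approach the reply recommends: leave the saved row untouched and HTML-encode every value at the point where it is rendered, with the sanitize-on-save alternative alongside so the trade-off is visible. This is an added example, not code from the thread or from CakePHP; the $record array is constructed sample data standing in for a findAll() row, and esc(), renderRow() and sanitizeOnSave() are hypothetical helpers written for this example. CakePHP's h() shortcut wraps htmlspecialchars() the same way esc() does here.

```php
<?php
// Added example (not from the thread or CakePHP): store user input unchanged,
// encode it for HTML at output time, and compare with stripping it on save.

// Constructed sample row, standing in for one result of findAll(). The body is
// the classic test payload from the question, saved verbatim; the name carries
// an attribute-context payload that strip_tags() would not touch.
$record = array(
    'Comment' => array(
        'id'   => 1,
        'name' => 'Marcel" onmouseover="alert(1)',
        'body' => '<script type="text/javascript">alert("XSS");</script>',
    ),
);

// Output encoding for HTML text and double-quoted attribute values.
// ENT_QUOTES matters: without it, the double quote in $name would close the
// attribute below. CakePHP's h() shortcut does the same thing.
function esc($value) {
    return htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8');
}

// Renders one row as a table row. Every dynamic value goes through esc(),
// including the one placed inside an attribute.
function renderRow(array $row) {
    $c = $row['Comment'];
    return '<tr>'
        . '<td data-author="' . esc($c['name']) . '">' . esc($c['name']) . '</td>'
        . '<td>' . esc($c['body']) . '</td>'
        . '</tr>';
}

// The alternative from the reply: strip markup before it reaches the
// database, e.g. from beforeSave. strip_tags() stands in for whatever
// sanitizer would be used there. Two costs: the stored row no longer shows
// what was attempted, and tag stripping does nothing for the attribute
// payload in 'name', so output encoding is still required.
function sanitizeOnSave(array $data) {
    $data['Comment']['name'] = strip_tags($data['Comment']['name']);
    $data['Comment']['body'] = strip_tags($data['Comment']['body']);
    return $data;
}

// Escape-on-output: the raw payload is still in the "database" for review,
// but no literal "<script" reaches the browser.
$html = renderRow($record);
echo $html, "\n";
var_dump(strpos($html, '<script') === false);
var_dump(strpos($record['Comment']['body'], '<script') === 0);

// Sanitize-on-save: the stored body is now just alert("XSS"); and the
// evidence of the attempt is gone, while the name is unchanged.
$cleaned = sanitizeOnSave($record);
echo $cleaned['Comment']['body'], "\n";
var_dump($cleaned['Comment']['name'] === $record['Comment']['name']);
```

Run it with php on the command line. The rendered row contains `&lt;script` and `&quot;` in place of the dangerous characters, while the original array keeps the payload intact; the sanitized copy loses the script tags but leaves the attribute-breaking name exactly as submitted, which is why encoding at output is the part you cannot skip.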
You received this message because you are subscribed to the Google Groups 
"CakePHP" group.