Re: htmlpurifier sanitize form data

2014-08-11 Thread euromark
No, actually it's not.
This approach should only be taken for HTML content going in when you are 
providing WYSIWYG editors for the form inputs etc.
Otherwise, all normal text input posted should go into the DB without any 
modification.
It's a bad practice to filter those.

Simply use h() to secure the output upon display. Done.

mark


On Monday, 11 August 2014 14:21:17 UTC+2, vbpupil wrote:
>
> Thanks Stephen.
>
> I'll keep playing, but I wasn't able to get it working using this method; I'll 
> keep reading the link you provided.
>
> I'm wondering if this is the right way to go, or save all user data and 
> strip it when I come to use the data. I know this is a little off topic, but I 
> would be interested in hearing your thoughts.
>
> On Monday, August 11, 2014 12:31:29 PM UTC+1, Stephen S wrote:
>>
>> You could use array_walk to do this; if you know the model name it'd be 
>> easier: http://php.net/manual/en/function.array-walk.php
>>
>> array_walk($this->request->data['Model'], '_purify')
>>
>>
>> On 11 August 2014 12:24, vbpupil  wrote:
>>
>>> Not sure if anyone is familiar with this plugin? I have it installed and 
>>> can sanitize individual strings, i.e.:
>>>
>>> $test = Purifier::clean('hi$( document 
>>> ).ready(function() { alert("hacked!");});', 'general');
>>>
>>>
>>> which is working fine, but I want to sanitize my form data, i.e.:
>>>
>>>
>>> $this->request->data = Purifier::clean($this->request->data, 'general');
>>>
>>> which is failing because it's an array (see below). Surely there must be 
>>> an easier way to do this?
>>>
>>>
>>>
>>> 
>>>
>>> preg_match() expects parameter 2 to be string, array given 
>>> [*APP/Plugin/HtmlPurifier/Vendor/HtmlPurifier/library/HTMLPurifier/Lexer.php*,
>>>  line *316*]
>>>
>>>
>>>
>>>  -- 
>>> Like Us on FaceBook https://www.facebook.com/CakePHP
>>> Find us on Twitter http://twitter.com/CakePHP
>>>
>>> --- 
>>> You received this message because you are subscribed to the Google 
>>> Groups "CakePHP" group.
>>> To unsubscribe from this group and stop receiving emails from it, send 
>>> an email to cake-php+u...@googlegroups.com.
>>> To post to this group, send email to cake...@googlegroups.com.
>>> Visit this group at http://groups.google.com/group/cake-php.
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>
>>
>>
>> -- 
>> Kind Regards
>>  Stephen Speakman
>>  
>

-- 
Like Us on FaceBook https://www.facebook.com/CakePHP
Find us on Twitter http://twitter.com/CakePHP

--- 
You received this message because you are subscribed to the Google Groups 
"CakePHP" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cake-php+unsubscr...@googlegroups.com.
To post to this group, send email to cake-php@googlegroups.com.
Visit this group at http://groups.google.com/group/cake-php.
For more options, visit https://groups.google.com/d/optout.


Re: htmlpurifier sanitize form data

2014-08-11 Thread vbpupil
Thanks Stephen.

I'll keep playing, but I wasn't able to get it working using this method; I'll 
keep reading the link you provided.

I'm wondering if this is the right way to go, or save all user data and strip 
it when I come to use the data. I know this is a little off topic, but I would be 
interested in hearing your thoughts.

On Monday, August 11, 2014 12:31:29 PM UTC+1, Stephen S wrote:
>
> You could use array_walk to do this; if you know the model name it'd be 
> easier: http://php.net/manual/en/function.array-walk.php
>
> array_walk($this->request->data['Model'], '_purify')
>
>
> On 11 August 2014 12:24, vbpupil wrote:
>
>> Not sure if anyone is familiar with this plugin? I have it installed and 
>> can sanitize individual strings, i.e.:
>>
>> $test = Purifier::clean('hi$( document ).ready(function() 
>> { alert("hacked!");});', 'general');
>>
>>
>> which is working fine, but I want to sanitize my form data, i.e.:
>>
>>
>> $this->request->data = Purifier::clean($this->request->data, 'general');
>>
>> which is failing because it's an array (see below). Surely there must be 
>> an easier way to do this?
>>
>>
>>
>> 
>>
>> preg_match() expects parameter 2 to be string, array given 
>> [*APP/Plugin/HtmlPurifier/Vendor/HtmlPurifier/library/HTMLPurifier/Lexer.php*,
>>  line *316*]
>>
>>
>>
>>
>
>
>
> -- 
> Kind Regards
>  Stephen Speakman
>  



Re: htmlpurifier sanitize form data

2014-08-11 Thread euromark
If you used that, I bet you wouldn't run into the error above,
as it handles it in a cleaner way.


On Monday, 11 August 2014 14:19:34 UTC+2, vbpupil wrote:
>
> Thanks Mark
>
> I wasn't able to find the solution there, unless I'm completely missing 
> something.
>
>
> On Monday, August 11, 2014 12:43:48 PM UTC+1, euromark wrote:
>>
>> Maybe you want to use https://github.com/burzum/cakephp-html-purifier 
>> instead.
>> It's also documented.
>>
>> mark
>>
>>
>> On Monday, 11 August 2014 13:24:27 UTC+2, vbpupil wrote:
>>>
>>> Not sure if anyone is familiar with this plugin? I have it installed and 
>>> can sanitize individual strings, i.e.:
>>>
>>> $test = Purifier::clean('hi$( document 
>>> ).ready(function() { alert("hacked!");});', 'general');
>>>
>>>
>>> which is working fine, but I want to sanitize my form data, i.e.:
>>>
>>>
>>> $this->request->data = Purifier::clean($this->request->data, 'general');
>>>
>>> which is failing because it's an array (see below). Surely there must be 
>>> an easier way to do this?
>>>
>>>
>>>
>>> 
>>>
>>> preg_match() expects parameter 2 to be string, array given 
>>> [*APP/Plugin/HtmlPurifier/Vendor/HtmlPurifier/library/HTMLPurifier/Lexer.php*,
>>>  line *316*]
>>>
>>>
>>>
>>>



Re: htmlpurifier sanitize form data

2014-08-11 Thread vbpupil
Thanks Mark

I wasn't able to find the solution there, unless I'm completely missing 
something.


On Monday, August 11, 2014 12:43:48 PM UTC+1, euromark wrote:
>
> Maybe you want to use https://github.com/burzum/cakephp-html-purifier 
> instead.
> It's also documented.
>
> mark
>
>
> On Monday, 11 August 2014 13:24:27 UTC+2, vbpupil wrote:
>>
>> Not sure if anyone is familiar with this plugin? I have it installed and 
>> can sanitize individual strings, i.e.:
>>
>> $test = Purifier::clean('hi$( document ).ready(function() 
>> { alert("hacked!");});', 'general');
>>
>>
>> which is working fine, but I want to sanitize my form data, i.e.:
>>
>>
>> $this->request->data = Purifier::clean($this->request->data, 'general');
>>
>> which is failing because it's an array (see below). Surely there must be 
>> an easier way to do this?
>>
>>
>>
>> 
>>
>> preg_match() expects parameter 2 to be string, array given 
>> [*APP/Plugin/HtmlPurifier/Vendor/HtmlPurifier/library/HTMLPurifier/Lexer.php*,
>>  line *316*]
>>
>>
>>
>>



Re: htmlpurifier sanitize form data

2014-08-11 Thread euromark
Maybe you want to use https://github.com/burzum/cakephp-html-purifier 
instead.
It's also documented.

mark


On Monday, 11 August 2014 13:24:27 UTC+2, vbpupil wrote:
>
> Not sure if anyone is familiar with this plugin? I have it installed and 
> can sanitize individual strings, i.e.:
>
> $test = Purifier::clean('hi$( document ).ready(function() 
> { alert("hacked!");});', 'general');
>
>
> which is working fine, but I want to sanitize my form data, i.e.:
>
>
> $this->request->data = Purifier::clean($this->request->data, 'general');
>
> which is failing because it's an array (see below). Surely there must be an 
> easier way to do this?
>
>
>
> 
>
> preg_match() expects parameter 2 to be string, array given 
> [*APP/Plugin/HtmlPurifier/Vendor/HtmlPurifier/library/HTMLPurifier/Lexer.php*,
>  line *316*]
>
>
>
>



Re: htmlpurifier sanitize form data

2014-08-11 Thread Stephen S
You could use array_walk to do this; if you know the model name it'd be
easier: http://php.net/manual/en/function.array-walk.php

array_walk($this->request->data['Model'], '_purify')


On 11 August 2014 12:24, vbpupil  wrote:

> Not sure if anyone is familiar with this plugin? I have it installed and
> can sanitize individual strings, i.e.:
>
> $test = Purifier::clean('hi$( document ).ready(function()
> { alert("hacked!");});', 'general');
>
>
> which is working fine, but I want to sanitize my form data, i.e.:
>
>
> $this->request->data = Purifier::clean($this->request->data, 'general');
>
> which is failing because it's an array (see below). Surely there must be an
> easier way to do this?
>
>
>
>
>
> preg_match() expects parameter 2 to be string, array given 
> [*APP/Plugin/HtmlPurifier/Vendor/HtmlPurifier/library/HTMLPurifier/Lexer.php*,
>  line *316*]
>
>
>
>



-- 
Kind Regards
 Stephen Speakman

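The following is an added example, not code from the thread, the HtmlPurifier plugin or CakePHP. It combines the two answers in this thread into one routine: Mark's rule that only the WYSIWYG HTML fields get purified while every other field is stored as posted and escaped with h() on output, and Stephen's suggestion to walk the request array (done recursively, which is what makes the "preg_match() expects parameter 2 to be string, array given" error go away). The request array, the list of HTML fields and the stand-in cleaner used when the plugin's Purifier class is not loaded are all assumptions made for the demo:

```php
<?php
declare(strict_types=1);

// Added example; not code from the HtmlPurifier plugin, CakePHP, or any poster.
// Assumptions (constructed for this demo): the request array, the list of HTML
// fields, and the stand-in cleaner used when the plugin's Purifier class is absent.

// CakePHP's h() is essentially this: escape at output, for every plain-text field.
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Walk a nested request array and run $cleanHtml only on string leaves whose
// dotted path is listed in $htmlFields. Numeric keys become "*" in the path, so
// "Comment.*.body" covers every row of a hasMany block. Every other leaf is
// returned exactly as posted.
//
// Recursing is the part that array_walk on $this->request->data['Model'] misses:
// as soon as a value is itself an array (a hasMany block, a multi-select), the
// callback hands that array to the purifier, whose lexer then fails with
// "preg_match() expects parameter 2 to be string, array given".
function purifyHtmlFields(array $data, array $htmlFields, callable $cleanHtml, string $path = ''): array
{
    foreach ($data as $key => $value) {
        $segment = is_int($key) ? '*' : (string)$key;
        $here = $path === '' ? $segment : $path . '.' . $segment;
        if (is_array($value)) {
            $data[$key] = purifyHtmlFields($value, $htmlFields, $cleanHtml, $here);
        } elseif (is_string($value) && in_array($here, $htmlFields, true)) {
            $data[$key] = $cleanHtml($value);
        }
    }
    return $data;
}

// In the app the cleaner is the plugin call. When the class is not loaded (running
// this file on its own), a stand-in keeps a few tags with strip_tags. strip_tags
// leaves attributes such as onmouseover on the tags it keeps, so the stand-in is
// only here to make the walk observable; it is not a sanitizer.
$cleanHtml = class_exists('Purifier')
    ? (fn (string $html): string => Purifier::clean($html, 'general'))
    : (fn (string $html): string => strip_tags($html, '<p><b><i>'));

// Constructed request data in CakePHP 2 shape.
$requestData = [
    'Post' => [
        'title' => 'a < b && "quotes" are stored as typed',
        'body'  => '<p>hello</p><script>alert("hacked!");</script>',
        'tags'  => ['php', '<b>not html</b>'],   // nested array: would break array_walk
    ],
    'Comment' => [
        ['author' => '<script>x</script>', 'body' => '<i>ok</i><script>1</script>'],
    ],
];
$htmlFields = ['Post.body', 'Comment.*.body'];   // only the WYSIWYG fields get purified

$toSave = purifyHtmlFields($requestData, $htmlFields, $cleanHtml);

function check(bool $ok, string $what): void
{
    echo ($ok ? 'ok   ' : 'FAIL ') . $what . "\n";
}

// What reaches the database: HTML fields cleaned, everything else verbatim.
check($toSave['Post']['title'] === $requestData['Post']['title'], 'plain-text title untouched');
check($toSave['Post']['tags'] === $requestData['Post']['tags'], 'nested non-HTML array untouched');
check(strpos($toSave['Post']['body'], '<script>') === false, 'script gone from Post.body');
check(strpos($toSave['Comment'][0]['body'], '<script>') === false, 'script gone from Comment.*.body');

// At display time: plain-text fields go through h(); purified HTML is echoed as is.
echo h($toSave['Post']['title']), "\n";
echo h($toSave['Comment'][0]['author']), "\n";
echo $toSave['Post']['body'], "\n";
```

In a controller this sits just before the save: `$this->request->data = purifyHtmlFields($this->request->data, ['Post.body'], fn($s) => Purifier::clean($s, 'general'));`, with h() still applied to every non-HTML field in the view.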


htmlpurifier sanitize form data

2014-08-11 Thread vbpupil
Not sure if anyone is familiar with this plugin? I have it installed and 
can sanitize individual strings, i.e.:

$test = Purifier::clean('hi$( document ).ready(function() { 
alert("hacked!");});', 'general');


which is working fine, but I want to sanitize my form data, i.e.:


$this->request->data = Purifier::clean($this->request->data, 'general');

which is failing because it's an array (see below). Surely there must be an 
easier way to do this?





preg_match() expects parameter 2 to be string, array given 
[*APP/Plugin/HtmlPurifier/Vendor/HtmlPurifier/library/HTMLPurifier/Lexer.php*, 
line *316*]





Re: consoleShell & Sanitize class

2013-08-15 Thread malducin
I did panic a little when I saw that Sanitize was being deprecated. I use 
it in all my models before save to clean inputs of non-HTML data. I even 
extended the Sanitize class to use htmlspecialchars instead of htmlentities 
(have to preserve accented characters, etc.).

Anyway I prefer to sanitize input before being saved as opposed to just 
using h() on output. For non HTML fields I think a viable alternative is to 
use the filter functions in PHP, for example:

http://php.net/manual/en/function.filter-var.php

For HTML input I use the HTML Purifier library as a vendor package and use 
a component to clean the input before saving in the controller. Just 
updated the Brita component that was posted long time ago in the Bakery:

http://bakery.cakephp.org/articles/debuggeddesigns/2008/11/04/brita-component-with-html-purifier

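An added example of the filter_var approach mentioned in the post above; it is not malducin's component or any CakePHP code. It validates the non-HTML fields of a submission and rejects bad values instead of rewriting them, which is the difference between PHP's FILTER_VALIDATE_* and FILTER_SANITIZE_* families. The rule table and the submitted values are constructed for the demo:

```php
<?php
declare(strict_types=1);

// Added example; not malducin's component or CakePHP code.
// The rule table and the submissions below are constructed for the demo.

// Validate the non-HTML fields of a submission: accept or reject, never rewrite.
// Returns [$accepted, $errors]; save only when $errors is empty.
function validateFields(array $data, array $rules): array
{
    $accepted = [];
    $errors = [];
    foreach ($rules as $field => $rule) {
        $value = $data[$field] ?? null;
        if (!is_string($value)) {              // missing keys and arrays are rejected, not coerced
            $errors[$field] = 'missing or not a string';
            continue;
        }
        // FILTER_NULL_ON_FAILURE makes failure distinguishable from a valid false/0.
        $opts = ['flags' => FILTER_NULL_ON_FAILURE];
        if (!empty($rule['options'])) {
            $opts['options'] = $rule['options'];
        }
        $result = filter_var($value, $rule['filter'], $opts);
        if ($result === null) {
            $errors[$field] = 'rejected: expected ' . $rule['label'];
            continue;
        }
        // FILTER_VALIDATE_URL accepts schemes such as mailto: (no host needed),
        // so an explicit scheme allowlist is the actual control for link fields.
        if (isset($rule['schemes'])) {
            $scheme = strtolower((string)parse_url($result, PHP_URL_SCHEME));
            if (!in_array($scheme, $rule['schemes'], true)) {
                $errors[$field] = 'rejected: scheme "' . $scheme . '" not allowed';
                continue;
            }
        }
        $accepted[$field] = $result;           // typed: int for VALIDATE_INT, bool for VALIDATE_BOOLEAN
    }
    return [$accepted, $errors];
}

$rules = [
    'email'      => ['label' => 'e-mail address', 'filter' => FILTER_VALIDATE_EMAIL],
    'age'        => ['label' => 'integer 13..120', 'filter' => FILTER_VALIDATE_INT,
                     'options' => ['min_range' => 13, 'max_range' => 120]],
    'homepage'   => ['label' => 'http(s) URL', 'filter' => FILTER_VALIDATE_URL,
                     'schemes' => ['http', 'https']],
    'newsletter' => ['label' => 'yes/no', 'filter' => FILTER_VALIDATE_BOOLEAN],
];

// Constructed submissions: one clean, one with every field wrong in a different way.
$good = ['email' => 'alice@example.com', 'age' => '34',
         'homepage' => 'https://example.com/?a=1&b=2', 'newsletter' => 'no'];
$bad  = ['email' => 'alice@@example', 'age' => '150',
         'homepage' => 'mailto:alice@example.com', 'newsletter' => 'maybe'];

foreach (['good' => $good, 'bad' => $bad] as $name => $submission) {
    [$accepted, $errors] = validateFields($submission, $rules);
    echo "== $name ==\n";
    var_dump($accepted);   // note 'newsletter' => false for the good case: a valid false, not a failure
    print_r($errors);
}
```

Fields that hold HTML (a 'bio' or 'body' written in a WYSIWYG editor) are deliberately absent from the rule table; those go through HTML Purifier, as the post describes, rather than through a text filter.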


Re: consoleShell & Sanitize class

2013-08-13 Thread euromark
Sanitizing too harshly, or the way Sanitize was used in general, was 
usually a bad way of doing things.
See https://github.com/cakephp/docs/pull/688/files for details.
Basically, you just need to always use h() in your output and you've got 
everything you need.

ConsoleShell does not need a replacement. It's kind of silly to use it when 
you can have a whole PHPUnit test suite at your disposal.
Just write a simple test, even if it's just temporary. But if it's not, this 
will also save you the trouble of retyping it again and again.
It was an overhead to maintain this shell, as nobody really ever uses it.



On Tuesday, 13 August 2013 12:31:45 UTC+2, Jason Bramley wrote:
>
> Hi,
>
> I see from the 2.4.0-rc1 release notes that these two items are deprecated 
> and will be removed in 3.x
>
> Two questions come to mind:
>
> 1) Why?
> 2) What are the recommended replacements?
>
> Thanks
> Jason
>





consoleShell & Sanitize class

2013-08-13 Thread Jason Bramley
Hi,

I see from the 2.4.0-rc1 release notes that these two items are deprecated 
and will be removed in 3.x

Two questions come to mind:

1) Why?
2) What are the recommended replacements?

Thanks
Jason





Re: Why Sanitize::stripTags not working in controller index() function;

2010-12-14 Thread euromark
Sure^^ but based on the skill of this developer I guessed that he
wanted to secure the result,
and that's not done by stripping tags.

Either way, his code is so bad/unclear that we cannot be sure of what
he wants to achieve.


On 14 Dec., 22:57, Ryan Schmidt wrote:
> On Dec 14, 2010, at 09:09, euromark wrote:
>
> > what you need is h() - in the view templates:
> > 
>
> > thats all you need to escape and secure your views.
>
> Yeah but that doesn't accomplish his stated goal: to remove the div tags that 
> are in the RSS data he's receiving:
>
>
>
>
>
>
>
> > From: Lord_JABA [mailto:lordj...@gmail.com]
> > Sent: December-13-10 5:48 PM
> > To: CakePHP
> > Subject: Why Sanitize::stripTags not working in controller index() function;
>
> > I want to get rid of div tags in data from rss just before i send it
> > to view.

Check out the new CakePHP Questions site http://cakeqs.org and help others with 
their CakePHP related questions.

You received this message because you are subscribed to the Google Groups 
"CakePHP" group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to
cake-php+unsubscr...@googlegroups.com For more options, visit this group at 
http://groups.google.com/group/cake-php?hl=en


Re: Why Sanitize::stripTags not working in controller index() function;

2010-12-14 Thread Ryan Schmidt
On Dec 14, 2010, at 09:09, euromark wrote:

> what you need is h() - in the view templates:
> 
> 
> thats all you need to escape and secure your views.

Yeah but that doesn't accomplish his stated goal: to remove the div tags that 
are in the RSS data he's receiving:

> From: Lord_JABA [mailto:lordj...@gmail.com]
> Sent: December-13-10 5:48 PM
> To: CakePHP
> Subject: Why Sanitize::stripTags not working in controller index() function;
> 
> I want to get rid of div tags in data from rss just before i send it
> to view.



Re: Why Sanitize::stripTags not working in controller index() function;

2010-12-14 Thread euromark
Why would you want to do that in the first place?
Despite the fact that every line of code in your snippet seems to be
wrong^^

What you need is h() in the view templates:


That's all you need to escape and secure your views.


On 14 Dec., 07:08, "Dave Maharaj" wrote:
> Off the top of my head I do not think stripTags works over each element of
> an array like $this->data.
>
> You would need to be specific to the key, like
> $this->data['GoogleNews']['content'] or whatever field. Check out
> Sanitize::clean, which works through the array of $this->data with 8 different
> options to apply to the data set.
>
> Dave
>
>
>
>
>
>
>
> -Original Message-
> From: Lord_JABA [mailto:lordj...@gmail.com]
> Sent: December-13-10 5:48 PM
> To: CakePHP
> Subject: Why Sanitize::stripTags not working in controller index() function;
>
> I want to get rid of div tags in data from rss just before i send it
> to view.
> I'm trying do this that way:
> function index() {
>     $this->data = Sanitize::stripTags($this->data, 'div');
>     $this->set('gnews', $this->paginate('GoogleNews'));
> }
> and this way:
> function index() {
>     Sanitize::stripTags($this->data, 'div');
>     $this->set('gnews', $this->paginate('GoogleNews'));
> }
> but I'm still getting:
> (...)HTC EVO 4G(...)
> from
>
> What mistake I'm making??
>



RE: Why Sanitize::stripTags not working in controller index() function;

2010-12-13 Thread Dave Maharaj
Off the top of my head I do not think stripTags works over each element of
an array like $this->data.

You would need to be specific to the key, like
$this->data['GoogleNews']['content'] or whatever field. Check out
Sanitize::clean, which works through the array of $this->data with 8 different
options to apply to the data set.

Dave



-Original Message-
From: Lord_JABA [mailto:lordj...@gmail.com] 
Sent: December-13-10 5:48 PM
To: CakePHP
Subject: Why Sanitize::stripTags not working in controller index() function;

I want to get rid of div tags in data from RSS just before I send it
to the view.
I'm trying to do it this way:
function index() {
    $this->data = Sanitize::stripTags($this->data, 'div');
    $this->set('gnews', $this->paginate('GoogleNews'));
}
and this way:
function index() {
    Sanitize::stripTags($this->data, 'div');
    $this->set('gnews', $this->paginate('GoogleNews'));
}
but I'm still getting:
(...)HTC EVO 4G(...)
from

What mistake am I making??




Re: Why Sanitize::stripTags not working in controller index() function;

2010-12-13 Thread Amit Badkas
Hi,

I didn't get what you are trying to achieve here. You want sanitized data in
$gnews, which is the paginated list, but you are sanitizing $this->data.
However, Sanitize::stripTags() needs its first parameter to be a string, and as per
your description $this->data seems to be an array.

Amit Badkas

PHP Applications for E-Biz: http://www.sanisoft.com



On Tue, Dec 14, 2010 at 2:47 AM, Lord_JABA  wrote:

> I want to get rid of div tags in data from RSS just before I send it
> to the view.
> I'm trying to do it this way:
> function index() {
>     $this->data = Sanitize::stripTags($this->data, 'div');
>     $this->set('gnews', $this->paginate('GoogleNews'));
> }
> and this way:
> function index() {
>     Sanitize::stripTags($this->data, 'div');
>     $this->set('gnews', $this->paginate('GoogleNews'));
> }
> but I'm still getting:
> (...)HTC EVO 4G(...)
> from
>
> What mistake am I making??
>
>

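An added example for the question in this thread; it is not Lord_JABA's controller, the Sanitize::stripTags implementation, or any CakePHP code. It does what the two replies point at: operate on the rows that paginate() returns rather than on $this->data, and call the tag stripper once per string field. The tag-removal regex tolerates attributes, case and self-closing forms, but like any regex over HTML it stops at the first ">" inside an attribute value, which is acceptable for a presentation tweak but not for a security filter. The result rows are constructed in the shape $this->paginate('GoogleNews') returns:

```php
<?php
declare(strict_types=1);

// Added example; not Lord_JABA's controller, Sanitize::stripTags, or CakePHP code.
// The rows below are constructed in the shape $this->paginate('GoogleNews') returns.

// Remove the opening and closing tags named in $tags (and nothing else), keeping
// their inner text. Case-insensitive; tolerates attributes and self-closing forms:
// <div>, <DIV class="x">, </div>, <div/>.  <divider> is not touched (\b).
function stripNamedTags(string $html, string ...$tags): string
{
    if ($tags === []) {
        return $html;
    }
    $names = implode('|', array_map(fn (string $t): string => preg_quote($t, '#'), $tags));
    $pattern = '#</?(?:' . $names . ')\b[^>]*>#i';
    return preg_replace($pattern, '', $html) ?? $html;
}

// Apply it to one field of every row of a find()/paginate() result.
// This addresses both mistakes in the thread: the rows live in the paginate()
// return value, not in $this->data, and the function takes one string, so it has
// to be called per field rather than on the whole array.
function stripNamedTagsFromRows(array $rows, string $model, string $field, string ...$tags): array
{
    foreach ($rows as $i => $row) {
        $value = $row[$model][$field] ?? null;
        if (is_string($value)) {
            $rows[$i][$model][$field] = stripNamedTags($value, ...$tags);
        }
    }
    return $rows;
}

// Constructed rows, as a feed importer might have stored them.
$rows = [
    ['GoogleNews' => ['id' => 1, 'content' => '<div class="lh"><b>HTC EVO 4G</b> review</div>']],
    ['GoogleNews' => ['id' => 2, 'content' => '<DIV><a href="http://example.com/x">link</a><script>alert(1)</script></DIV>']],
    ['GoogleNews' => ['id' => 3, 'content' => '<divider/>not a div<div/>']],
];

$gnews = stripNamedTagsFromRows($rows, 'GoogleNews', 'content', 'div');
foreach ($gnews as $row) {
    echo $row['GoogleNews']['id'], ': ', $row['GoogleNews']['content'], "\n";
}
// Only the div tags are gone; the <script> element in row 2 is still there, which
// is why this is a formatting step and not a security control. Run the field
// through HTML Purifier (or escape it with h()) before it reaches the view.
```

In the controller the call becomes `$this->set('gnews', stripNamedTagsFromRows($this->paginate('GoogleNews'), 'GoogleNews', 'content', 'div'));`, and the view still has to decide whether the remaining feed HTML is escaped with h() or purified before it is echoed.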


Why Sanitize::stripTags not working in controller index() function;

2010-12-13 Thread Lord_JABA
I want to get rid of div tags in data from RSS just before I send it
to the view.
I'm trying to do it this way:
function index() {
    $this->data = Sanitize::stripTags($this->data, 'div');
    $this->set('gnews', $this->paginate('GoogleNews'));
}
and this way:
function index() {
    Sanitize::stripTags($this->data, 'div');
    $this->set('gnews', $this->paginate('GoogleNews'));
}
but I'm still getting:
(...)HTC EVO 4G(...)
from

What mistake am I making??



Re: HTML Purifier or Sanitize core library

2010-10-07 Thread mark_story
Personally I use textile, as it has more syntax elements than markdown
does.  The API however uses markdown, and there is a markdown parser
helper in the ApiGenerator plugin if you are looking for one.

-Mark

On Oct 6, 1:26 pm, Loic Duros  wrote:
> Thanks for all the answers --
>
> Mark, do you use Markdown or textile at mark-story.com to write blog posts?
> Just curious since it seems you have lots of HTML in there.
>
> Thanks again,
>
> Loic
>
>
>
>
>
>
>
>
>
> On Wed, Oct 6, 2010 at 1:16 PM, mark_story  wrote:
> > HTML purifier is miles better than the Sanitize.  I would recommend
> > escaping and using a text processor like markdown or textile.
> > However, if you need to accept html from the unwashed masses, use
> > HTMLPurifier.
>
> > -Mark
>
> > On Oct 4, 1:02 pm, Loic Duros wrote:
> > > Hello,
> >
> > > I'm currently building a blog with CakePHP, and I would like to
> > > sanitize/filter my posts before they are displayed on screen to prevent
> > > cross-site scripting. However, I would still like to allow for a great deal
> > > of HTML markup and attributes in the HTML. I have tried using the Sanitize
> > > Core Library but, as far as I know, it doesn't allow for filtering some tags
> > > while keeping others. As a result, I'm looking into HTML Purifier
> > > (http://htmlpurifier.org/) to do the job in my controller and/or view
> > > template files. I found the following Brita Component in the Bakery:
> > > http://bakery.cakephp.org/articles/view/brita-component-with-html-pur...
> >
> > > I wonder however if anyone has implemented such a filtering/sanitizing
> > > solution for their site and if I'm missing something obvious I should be
> > > using to secure my site on that end.
> >
> > > Thank you,
> >
> > > Loic
>
>
> --
> Loic J. Duros -www.lduros.net



Re: HTML Purifier or Sanitize core library

2010-10-06 Thread Loic Duros
Thanks for all the answers --

Mark, do you use Markdown or textile at mark-story.com to write blog posts?
Just curious since it seems you have lots of HTML in there.

Thanks again,

Loic

On Wed, Oct 6, 2010 at 1:16 PM, mark_story  wrote:

> HTML purifier is miles better than the Sanitize.  I would recommend
> escaping and using a text processor like markdown or textile.
> However, if you need to accept html from the unwashed masses, use
> HTMLPurifier.
>
> -Mark
>
> On Oct 4, 1:02 pm, Loic Duros  wrote:
> > Hello,
> >
> > I'm currently building a blog with CakePHP, and I would like to
> > sanitize/filter my posts before they are displayed on screen to prevent
> > cross-site scripting. However, I would still like to allow for a great
> deal
> > of HTML markup and attributes in the HTML. I have tried using the
> Sanitize
> > Core Library but, as far as I know, it doesn't allow for filtering some
> tags
> > while keeping others. As a result, I'm looking into HTML Purifier (
> http://htmlpurifier.org/) to do the job in my controller and/or view
> > template files. I found the following Brita Component in the Bakery:
> http://bakery.cakephp.org/articles/view/brita-component-with-html-pur...
> >
> > I wonder however if anyone has implemented such a filtering/sanitizing
> > solution for their site and if I'm missing something obvious I should be
> > using to secure my site on that end.
> >
> > Thank you,
> >
> > Loic
>
>



-- 
Loic J. Duros - www.lduros.net



Re: HTML Purifier or Sanitize core library

2010-10-06 Thread mark_story
HTML Purifier is miles better than Sanitize. I would recommend
escaping and using a text processor like Markdown or Textile.
However, if you need to accept HTML from the unwashed masses, use
HTMLPurifier.

-Mark

On Oct 4, 1:02 pm, Loic Duros  wrote:


Re: HTML Purifier or Sanitize core library

2010-10-05 Thread euromark
I like to use BBCode (there are some WYSIWYG editors for that as well).
That's clean and works really well with h() escaping; by the way,
it also allows the user to add lots of special tags (smileys,
videos, ...) out of the box (if wanted).


On 5 Okt., 10:37, Maurits van der Schee  wrote:
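
The BBCode-after-h() approach, as an added stand-alone example; this is not euromark's code nor any BBCode library's. `bbcodeToHtml()` is a hypothetical helper that handles four tags, `h()` mirrors what CakePHP's h() does (htmlspecialchars with ENT_QUOTES), and the sample inputs are constructed. The security point is the order of operations: escape everything first, then re-introduce only markup the converter itself emits, and let only an http(s) URL become an attribute value.

```php
<?php
// Added example, not code from the thread or from CakePHP (needs PHP >= 5.3 for closures).
function h($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Hypothetical helper: escape first, then convert a fixed set of BBCode tags.
function bbcodeToHtml($text) {
    $html = h($text);  // step 1: nothing the user typed is HTML any more

    // step 2: paired tags map to fixed replacements; no user value becomes an attribute
    $pairs = array(
        '/\[b\](.*?)\[\/b\]/s'       => '<strong>$1</strong>',
        '/\[i\](.*?)\[\/i\]/s'       => '<em>$1</em>',
        '/\[code\](.*?)\[\/code\]/s' => '<code>$1</code>',
    );
    $html = preg_replace(array_keys($pairs), array_values($pairs), $html);

    // step 3: [url=...]text[/url]; the href is the only user value that ends up
    // in an attribute, so it is restricted to http/https and re-escaped
    $html = preg_replace_callback(
        '/\[url=(.+?)\](.*?)\[\/url\]/s',
        function ($m) {
            // $m[1] is already h()-escaped; decode it to inspect the raw URL
            $url = html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
            $scheme = strtolower((string)parse_url(trim($url), PHP_URL_SCHEME));
            if ($scheme !== 'http' && $scheme !== 'https') {
                return $m[2];  // drop the link (javascript:, data:, ...), keep the text
            }
            return '<a href="' . h($url) . '" rel="nofollow">' . $m[2] . '</a>';
        },
        $html
    );

    return nl2br($html);
}

// Constructed samples: benign markup, a script tag, a safe link, two hostile links.
$samples = array(
    '[b]bold[/b] and <script>alert(1)</script>',
    '[url=http://example.com]site[/url]',
    '[url=javascript:alert(1)]click[/url]',
    '[url="http://example.com" onmouseover=alert(1)]x[/url]',
);
foreach ($samples as $s) {
    echo bbcodeToHtml($s), "\n";
}
```

The first sample renders the bold text but the script tag arrives as escaped text; the third and fourth lose their link and keep only the visible text, because the URL never passes the scheme check. Nothing in the user's input can reach the page as a tag or attribute except through the two fixed templates above.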


Re: HTML Purifier or Sanitize core library

2010-10-05 Thread Maurits van der Schee

Hi,

As I like thinking outside of the box i would recommend Textile and 
Markdown:


http://www.elated.com/articles/textile-markdown-nice-alternatives-to-wysiwyg-editors/

Regards,

Maurits

On 10/04/2010 07:02 PM, Loic Duros wrote:



Re: HTML Purifier or Sanitize core library

2010-10-04 Thread Dr. Loboto
Don't know about that component. We implemented a behavior that repairs
and sanitizes user HTML with the HTML Purifier library before saving to the DB.
In this case the expensive purifying is done only once, on save, instead of
every time, on view.

On 5 окт, 00:02, Loic Duros  wrote:
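
The purify-on-save approach described above, written out as an added example. It is not the poster's behavior, nor code from CakePHP or HTML Purifier. It assumes CakePHP 1.3 behavior conventions, HTML Purifier's autoloader under app/vendors/htmlpurifier/ (an assumed path) and a settings key `fields` naming the columns that hold user-supplied HTML:

```php
<?php
// Added example: a CakePHP 1.3 model behavior that runs HTML Purifier once, on save.
// Not code from the thread, CakePHP or HTML Purifier. The vendor path is an assumption.
App::import('Vendor', 'HTMLPurifier', array(
    'file' => 'htmlpurifier' . DS . 'library' . DS . 'HTMLPurifier.auto.php',
));

class PurifyBehavior extends ModelBehavior {

    var $purifier = null;

    function setup(&$model, $config = array()) {
        $this->settings[$model->alias] = array_merge(
            array('fields' => array('body')),   // columns that hold rich HTML
            (array)$config
        );
        if ($this->purifier === null) {
            $cfg = HTMLPurifier_Config::createDefault();
            $cfg->set('Core.Encoding', 'UTF-8');
            $cfg->set('HTML.Doctype', 'XHTML 1.0 Transitional');
            // Allowlist, not blacklist: anything not named here is removed,
            // including script/style/iframe, on* handlers and style="".
            $cfg->set('HTML.Allowed',
                'p,br,strong,em,ul,ol,li,blockquote,pre,code,a[href|title],img[src|alt]');
            // href/src may only use these schemes; javascript: and data: are dropped.
            $cfg->set('URI.AllowedSchemes', array('http' => true, 'https' => true));
            // Definition cache; the directory must be writable by the web server.
            $cfg->set('Cache.SerializerPath', TMP . 'cache');
            $this->purifier = new HTMLPurifier($cfg);
        }
        return true;
    }

    // Runs before every save, so the database only ever holds purified HTML
    // for the configured fields.
    function beforeSave(&$model) {
        $alias = $model->alias;
        foreach ($this->settings[$alias]['fields'] as $field) {
            if (isset($model->data[$alias][$field]) && is_string($model->data[$alias][$field])) {
                $model->data[$alias][$field] = $this->purifier->purify($model->data[$alias][$field]);
            }
        }
        return true;
    }
}
```

Attach it in the model with `var $actsAs = array('Purify' => array('fields' => array('body')));`. Two caveats follow from purifying only once: the allowlist is frozen into the stored HTML at save time, so tightening it later means re-purifying existing rows; and every column not in `fields` is still plain text, so it still needs h() at output.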


Re: HTML Purifier or Sanitize core library

2010-10-04 Thread euromark
Overhead.
See similar posts on this matter.

Simply use h() to make sure XSS cannot harm your site.


On 4 Okt., 19:02, Loic Duros  wrote:
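
What h() does and does not cover, as an added stand-alone example (not code from the thread or from CakePHP). `h()` here is a stand-in with the same htmlspecialchars/ENT_QUOTES behaviour as Cake's; `safeHref()` and `js()` are hypothetical helpers, and the comment record is constructed. The check a practitioner wants is the third line of output: an escaped `javascript:` URL is still a `javascript:` URL.

```php
<?php
// Added example, not code from the thread or from CakePHP (needs PHP >= 5.3 for the JSON flags).
// Mirrors CakePHP's h(): htmlspecialchars with ENT_QUOTES.
function h($text, $charset = 'UTF-8') {
    return htmlspecialchars($text, ENT_QUOTES, $charset);
}

// Hypothetical helper for href/src values: only http(s) URLs pass; everything
// else (javascript:, data:, vbscript:, no scheme at all) becomes a placeholder.
function safeHref($url) {
    $scheme = strtolower((string)parse_url(trim($url), PHP_URL_SCHEME));
    if ($scheme !== 'http' && $scheme !== 'https') {
        return '#';
    }
    return $url;
}

// Hypothetical helper for values dropped into an inline <script>: json_encode
// with the HEX flags so neither </script> nor a quote can break out.
function js($value) {
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Constructed sample: a comment record as find() might return it.
$comment = array(
    'name'    => 'Mallory <script>alert(1)</script>',
    'website' => 'javascript:alert(document.cookie)',
    'body'    => "I said \"hi\" & left",
);

// Text node: h() is sufficient.
echo '<p>' . h($comment['body']) . '</p>', "\n";
// Quoted attribute: h() is sufficient, ENT_QUOTES covers both quote kinds.
echo '<input type="text" value="' . h($comment['name']) . '">', "\n";
// href: h() alone is NOT sufficient, the javascript: URL survives escaping intact.
echo '<a href="' . h($comment['website']) . '">unsafe</a>', "\n";
echo '<a href="' . h(safeHref($comment['website'])) . '">safe</a>', "\n";
// Inline script: a JavaScript string needs JSON encoding, not HTML escaping.
echo '<script>var author = ' . js($comment['name']) . ';</script>', "\n";
```

h() is the right default for text nodes and quoted attributes, which is nearly everything in a template. URLs and script blocks are different output contexts and need their own encoder, as the two helpers show.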


HTML Purifier or Sanitize core library

2010-10-04 Thread Loic Duros
Hello,

I'm currently building a blog with CakePHP, and I would like to
sanitize/filter my posts before they are displayed on screen to prevent
cross-site scripting. However, I would still like to allow for a great deal
of HTML markup and attributes in the HTML. I have tried using the Sanitize
Core Library but, as far as I know, it doesn't allow for filtering some tags
while keeping others. As a result, I'm looking into HTML Purifier (
http://htmlpurifier.org/) to do the job in my controller and/or view
template files. I found the following Brita Component in the Bakery:
http://bakery.cakephp.org/articles/view/brita-component-with-html-purifier

I wonder however if anyone has implemented such a filtering/sanitizing
solution for their site and if I'm missing something obvious I should be
using to secure my site on that end.

Thank you,

Loic



Re: Do I need to use sanitize?

2010-09-30 Thread euromark
This one will never be deprecated! :)
Mainly because of the auto-setting of the app encoding.

Other convenience functions simply did the same as the original function;
therefore it was nonsense to use them in the first place.


On 30 Sep., 19:46, "j.blotus"  wrote:

Re: Do I need to use sanitize?

2010-09-30 Thread j.blotus
I would be careful about using h() instead of htmlspecialchars(); it
seems the core guys keep deprecating convenience functions such as a().


On Sep 30, 1:14 pm, euromark  wrote:
Re: Do I need to use sanitize?

2010-09-30 Thread euromark
Usually you do not clean it after getting it from the DB;
you simply h() encode it. That's a difference.

It depends on the model data,
but if we are in a Comment model and all kinds of comments got
screwed up
because the developer was too eager to sanitize every crappy post,
that would piss me off as a user.

So especially for aesthetic reasons you are better off leaving the
post as it is.
If somebody wants to post crap, you can filter all you want; the
result will still be crap,
and it will still need to be deleted manually afterwards.
And all other posts are usually genuine and should be posted as the
poster intended.
Of course with h() to ensure nothing happens. But here we go: no
additional work done, no problems.


On 30 Sep., 18:06, "Dave Maharaj"  wrote:

RE: Do I need to use sanitize?

2010-09-30 Thread Dave Maharaj
Just jumping in here for my opinion, not advice.

I have seen this question many times, asked it myself along the way and I
guess the question asked includes the word "need". And as Dr. Loboto pointed
out, you do not need to. But I would like to add my 2 cents and even though you
may not need to, I personally think of many reasons to do so. For me
appearance is key, the last thing I want to see is what appears to be code
blocks entered in user submitted data. I do not want someone entering
<?php echo 'hello'?> as their first name and having that displayed to users.
If someone is entering crap info into forms to be a pain in my ass I make it
a pain in their ass to try to enter it and make it validate. The only reason
someone would enter code or malicious code would be to try to cause
havoc. If they want to try to enter js snips, html blocks with inline
attributes go right ahead, I strip it all out in beforeValidate(), my own made
cleaning functions for specific areas of user input. If it takes someone 20
attempts to enter their first name because they're wrapping it in code, using
numbers or symbols then that's just too bad because they obviously know what
they are doing, and they should not be doing it. I say 99% would just enter their
name as they should. For that 1% of idiots, I would rather not have them use
the site so if it's hard on them well then too bad.

Others point out simply let the end users put in whatever they want and
clean out all the unwanted stuff once it's pulled from the db and displayed
to the user. I ask why? Why would you want to have mass amounts of junk code
saved in the db only to clean it every time it's pulled? Would it not be
better off to clean it once and then never worry about it again (until the next
save)?

So I guess every app has its own unique issues for this question, maybe you
do not need to, like you asked in the question, but for me I think even though
it may not be "needed" for security reasons it certainly is for aesthetic
reasons.

Dave

-Original Message-
From: WhyNotSmile [mailto:sharongilmor...@gmail.com] 
Sent: September-30-10 1:10 PM
To: CakePHP
Subject: Re: Do I need to use sanitize?



Re: Do I need to use sanitize?

2010-09-30 Thread WhyNotSmile
Thanks.

I'm just sending plain text emails, so that should be fine.

Sharon



On 30 Sep, 06:04, "Dr. Loboto"  wrote:


Re: Do I need to use sanitize?

2010-09-29 Thread Dr. Loboto
I personally never use Sanitize as I don't want to break user-entered
data. Instead of it I use h() to escape all text on HTML output. On
save to database also nothing is needed as Cake properly escapes data
itself. So if you send HTML emails you need just escape user-entered
text and that's all.

On Sep 29, 11:43 pm, WhyNotSmile  wrote:


Do I need to use sanitize?

2010-09-29 Thread WhyNotSmile
I'm creating a website which has a few forms, and wondering whether I
need to use Sanitize for those.  In each case, there are a few text
boxes which accept input from visitors; that information gets emailed
to a central address.  Nothing is stored in the database.

Do I need to use sanitize for that, or is it mainly for times when the
form data is going into the database?

I also wasn't completely clear on the documentation about sanitize -
it says Cake automatically uses it for saving and reading, but does
that include 'find' functions, and do I have to include
App::import('Sanitize'); to make it work (i.e. it's automatic once
it's included)?

Thanks!



Re: Sanitize::clean breaking file uploads

2010-05-20 Thread Michele Ferri
Posting my solution.

function edit($id = null)
{
    [...]

    if (!empty($this->data))
    {
        // save the file upload array into a variable before sanitizing
        $img = $this->data['Model']['image'];

        // perform sanitization
        $this->data = Sanitize::clean($this->data);

        if ($this->Model->save($this->data))
        {
            // clean data has now been saved.

            // file upload logic, using the array we saved before
            if (!is_uploaded_file($img['tmp_name']))
            {
                [...] // etc etc
            }
        }
    }
}

No problems encountered using this approach.



On May 20, 9:38 am, Michele Ferri  wrote:
> The file uploads are working fine without Sanitize::clean(). The only
> solution I see is to handle the file validation/copy logic before
> executing the sanitization. I'm puzzled.
> Maybe I should mention that I'm running on my local windows machine
> using XAMPP. But all the php.ini upload-related variables are set...
>
> On May 19, 8:00 pm, calvin  wrote:
>
>
>
> > Were the file uploads working before you used Sanitize::clean? Because
> > cake doesn't handle file uploads automatically. Aside from having to
> > set array('type'=>'file') in your $form->create() statement, you also
> > need to move/save the uploaded file yourself.
>
> > Unless you're manually moving the file, either to a permanent upload
> > directory or into a database or something, the web server (and cake)
> > has no way of knowing what you want to do with the file. It'll just
> > sit in the temp directory until the script terminates, at which point
> > the file will be deleted.
>
> > On May 19, 3:37 am, Michele Ferri  wrote:
>
> > > Hello.
>
> > > I'm using Sanitize::clean for cleaning the $this->data arrays in the
> > > controllers before saving them to the db.
>
> > > example
> > > if (!empty($this->data))
> > > {
> > >         $this->data = Sanitize::clean($this->data);
> > >         [...]
>
> > > }
>
> > > The problem is that if a form contains a file input, the file is not
> > > uploaded. The file array is correctly populated after the post (with
> > > tmp_name and everything), but the physical file is not present in the
> > > upload folder.
>
> > > Is there any workaround for this?
>


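The workaround above copies the upload array aside before Sanitize::clean() runs. The following is an added example (not Michele's code and not CakePHP's) that generalises it: clean every string in the request but hand PHP upload arrays back untouched, then validate the upload before moving it. The likely reason the uploads broke is that Sanitize::clean's escaping rewrites a Windows tmp_name path such as C:\xampp\tmp\php1A.tmp so that is_uploaded_file() no longer finds it; that is an inference from the XAMPP detail, not something the thread confirms. clean_string() is a stand-in for what Sanitize::clean does to one string, not Cake's implementation.

```php
<?php
// Added example (not the thread's code, not CakePHP's): sanitize request data
// but hand PHP upload arrays back untouched, so the file can still be
// validated and moved afterwards. clean_string() is a stand-in for what
// Sanitize::clean does to one string (HTML-encode, escape quotes and
// backslashes); the exact steps are Cake's and are not reproduced here.

function clean_string($value) {
    $value = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    return addslashes($value);   // this is the step that rewrites C:\xampp\tmp\...
}

// PHP populates exactly these keys for every uploaded file.
function is_upload_array($value) {
    if (!is_array($value)) {
        return false;
    }
    foreach (array('name', 'type', 'tmp_name', 'error', 'size') as $key) {
        if (!array_key_exists($key, $value)) {
            return false;
        }
    }
    return true;
}

// Recursively clean every string, skipping upload arrays as a whole.
function clean_except_uploads($data) {
    if (is_upload_array($data)) {
        return $data;
    }
    if (is_array($data)) {
        foreach ($data as $key => $value) {
            $data[$key] = clean_except_uploads($value);
        }
        return $data;
    }
    return is_string($data) ? clean_string($data) : $data;
}

// Check the untouched upload array before moving the file: PHP's own error
// code and a size cap first, then the is_uploaded_file() test from the thread.
function upload_is_acceptable(array $file, $maxBytes = 2097152) {
    if ((int) $file['error'] !== UPLOAD_ERR_OK) {
        return false;
    }
    if ((int) $file['size'] > $maxBytes) {
        return false;
    }
    return is_uploaded_file($file['tmp_name']);
}

// Constructed request data shaped like $this->data after a multipart POST.
$posted = array(
    'Model' => array(
        'title' => "O'Reilly <b>bold</b>",
        'image' => array(
            'name'     => 'photo.jpg',
            'type'     => 'image/jpeg',
            'tmp_name' => 'C:\\xampp\\tmp\\php1A.tmp',
            'error'    => UPLOAD_ERR_OK,
            'size'     => 51234,
        ),
    ),
);

$cleaned = clean_except_uploads($posted);

// The text field has been cleaned; the upload array has not been touched.
var_dump($cleaned['Model']['title']);
var_dump($cleaned['Model']['image'] === $posted['Model']['image']);

// For comparison: what the same tmp_name looks like after clean_string().
var_dump(clean_string($posted['Model']['image']['tmp_name']));

// With a real request this would be followed by move_uploaded_file(); here
// no file was uploaded, so the check reports false.
var_dump(upload_is_acceptable($cleaned['Model']['image']));
```

Detecting upload arrays by their key set is what makes this safe to call on the whole of $this->data: the form field names do not have to be known in advance, and nothing inside the upload array (which PHP, not the user, populated) is ever escaped.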

Re: Sanitize::clean breaking file uploads

2010-05-20 Thread Michele Ferri
The file uploads are working fine without Sanitize::clean(). The only
solution I see is to handle the file validation/copy logic before
executing the sanitization. I'm puzzled.
Maybe I should mention that I'm running on my local windows machine
using XAMPP. But all the php.ini upload-related variables are set...

On May 19, 8:00 pm, calvin  wrote:
> Were the file uploads working before you used Sanitize::clean? Because
> cake doesn't handle file uploads automatically. Aside from having to
> set array('type'=>'file') in your $form->create() statement, you also
> need to move/save the uploaded file yourself.
>
> Unless you're manually moving the file, either to a permanent upload
> directory or into a database or something, the web server (and cake)
> has no way of knowing what you want to do with the file. It'll just
> sit in the temp directory until the script terminates, at which point
> the file will be deleted.
>
> On May 19, 3:37 am, Michele Ferri  wrote:
>
>
>
> > Hello.
>
> > I'm using Sanitize::clean for cleaning the $this->data arrays in the
> > controllers before saving them to the db.
>
> > example
> > if (!empty($this->data))
> > {
> >         $this->data = Sanitize::clean($this->data);
> >         [...]
>
> > }
>
> > The problem is that if a form contains a file input, the file is not
> > uploaded. The file array is correctly populated after the post (with
> > tmp_name and everything), but the physical file is not present in the
> > upload folder.
>
> > Is there any workaround for this?
>



Re: Sanitize::clean breaking file uploads

2010-05-19 Thread calvin
Were the file uploads working before you used Sanitize::clean? Because
cake doesn't handle file uploads automatically. Aside from having to
set array('type'=>'file') in your $form->create() statement, you also
need to move/save the uploaded file yourself.

Unless you're manually moving the file, either to a permanent upload
directory or into a database or something, the web server (and cake)
has no way of knowing what you want to do with the file. It'll just
sit in the temp directory until the script terminates, at which point
the file will be deleted.

On May 19, 3:37 am, Michele Ferri  wrote:
> Hello.
>
> I'm using Sanitize::clean for cleaning the $this->data arrays in the
> controllers before saving them to the db.
>
> example
> if (!empty($this->data))
> {
>         $this->data = Sanitize::clean($this->data);
>         [...]
>
> }
>
> The problem is that if a form contains a file input, the file is not
> uploaded. The file array is correctly populated after the post (with
> tmp_name and everything), but the physical file is not present in the
> upload folder.
>
> Is there any workaround for this?
>



Sanitize::clean breaking file uploads

2010-05-19 Thread Michele Ferri
Hello.

I'm using Sanitize::clean for cleaning the $this->data arrays in the
controllers before saving them to the db.

example
if (!empty($this->data))
{
    $this->data = Sanitize::clean($this->data);
    [...]
}

The problem is that if a form contains a file input, the file is not
uploaded. The file array is correctly populated after the post (with
tmp_name and everything), but the physical file is not present in the
upload folder.

Is there any workaround for this?



Re: sanitize and redirect

2010-02-12 Thread Nicolas Maleve
Thanks. If I get the principle right, there are two moments where
sanitizing must take place:
- before sending parameters in custom queries
- before output in the views with h()

,n
Le Jeu 11 février 2010 19:48, anl hp a écrit :
> Not you don't ... because you should not worry about that, if an id is
> invalid and you want handle the situation elegant, you could do something
> like this:
> if (!is_numeric($id)) {
>   $this->setFlash('ooopss, dont do that!');
>   $this->redirect();
> }
>
>
> anl
>
>
> On Thu, Feb 11, 2010 at 7:05 PM, Nicolas Maleve
> wrote:
>
>> Hello,
>>
>> Just a doubt. It looks like Cake takes care of sanitizing data in save
>> and
>> find, ie. Do I need to sanitize $id when using
>> $this->redirect(array('action'=>'edit','id'=>$id)); Or is there some
>> cleaning happening inside redirect?
>>
>> Thanks
>>
>> nicolas
>>


 *
*
  *
  *
   *
 *
   *
  *
  *
  C O N S T A N T
   V Z W






Re: sanitize and redirect

2010-02-11 Thread anl hp
No, you don't ... because you should not worry about that. If an id is
invalid and you want to handle the situation elegantly, you could do something
like this:
if (!is_numeric($id)) {
  $this->Session->setFlash('ooopss, dont do that!'); // setFlash() is on the Session component
  $this->redirect($this->referer());                 // redirect() needs a target URL
}


anl


On Thu, Feb 11, 2010 at 7:05 PM, Nicolas Maleve wrote:

> Hello,
>
> Just a doubt. It looks like Cake takes care of sanitizing data in save and
> find, ie. Do I need to sanitize $id when using
> $this->redirect(array('action'=>'edit','id'=>$id)); Or is there some
> cleaning happening inside redirect?
>
> Thanks
>
> nicolas
>
>


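The is_numeric() check suggested above is looser than it looks: it also accepts leading whitespace, signs, decimals and exponent notation. The following is an added example (not anl hp's code and not CakePHP's) that puts a strict canonical-integer check next to is_numeric() so the difference is visible, and shows how the checked value would reach the redirect. The controller calls in the trailing comment assume Cake 1.3 names ($this->Session->setFlash(), $this->referer()).

```php
<?php
// Added example (not the thread's code, not CakePHP's). redirect() does no
// cleaning of its own; whatever $id holds is placed into the URL the router
// builds. So the only question is how strict the check in front of it is.

// Strict: a non-empty run of ASCII digits in canonical form. No sign, no
// exponent, no whitespace, no hex, no leading zeros. Returns int or null.
function route_id($raw, $max = PHP_INT_MAX) {
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $s = (string) $raw;
    if ($s === '' || !ctype_digit($s)) {
        return null;
    }
    if (strlen($s) > 1 && $s[0] === '0') {
        return null;
    }
    if (strlen($s) > strlen((string) $max) || (float) $s > $max) {
        return null;
    }
    return (int) $s;
}

// Side by side: what is_numeric() accepts versus what route_id() accepts.
function compare_checks(array $candidates) {
    $rows = array();
    foreach ($candidates as $c) {
        $rows[$c] = array(
            'is_numeric' => is_numeric($c),
            'route_id'   => route_id($c),
        );
    }
    return $rows;
}

// Constructed inputs: the kinds of values that arrive as a URL parameter.
$candidates = array('42', ' 42', '42 ', '4.2', '-42', '1e3', '0x2A', '007', '');
foreach (compare_checks($candidates) as $input => $result) {
    printf("%-6s is_numeric=%-5s route_id=%s\n",
        var_export($input, true),
        $result['is_numeric'] ? 'true' : 'false',
        var_export($result['route_id'], true));
}

// Controller usage (assumed Cake 1.3 names): only a canonical id reaches
// the redirect, everything else goes back where it came from.
// $id = route_id($id);
// if ($id === null) {
//     $this->Session->setFlash('Invalid id');
//     return $this->redirect($this->referer());
// }
// $this->redirect(array('action' => 'edit', 'id' => $id));
```

Returning the parsed int rather than a boolean means the rest of the action never sees the raw string again, which is the same "validate once at the edge" idea Nicolas summarises in the reply above.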

sanitize and redirect

2010-02-11 Thread Nicolas Maleve
Hello,

Just a doubt. It looks like Cake takes care of sanitizing data in save and
find, ie. Do I need to sanitize $id when using
$this->redirect(array('action'=>'edit','id'=>$id)); Or is there some
cleaning happening inside redirect?

Thanks

nicolas








Re: Another sanitize Question

2010-01-04 Thread euromark
Why would you even bother trying to find that out?

As long as you use h() you don't need to worry about those users;
they can't do anything.

If you still want to find that out you would need to check the post
data and match them against "known" hazard strings,
but this is time-consuming and very hard to check anyway.

So if I was you I'd drop this idea.


On 4 Jan., 19:16, "Dave"  wrote:
> I have asked various questions about data sanitization and I came across
> teknoids blog post about the same subject
>
> read it here:http://teknoid.wordpress.com/2009/08/06/save-now-sanitize-later/
>
> I did get the same answer from fellow bakers "no need to sanitize, use h()
> and see users trying to do stuff they should not be doing".
>
> My only question is how do you track users who are attempting to add scripts
> or what not? If you have a site with say 2000 users making changes everyday
> how do you possibly monitor each edit? How do you find these users other
> than going thru everything daily / hourly? Just wondering how would you find
> such a user easily in endless list of possible users?
>
> Thanks,
>
> Dave


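Dave asks how to spot users who keep submitting script-like input when nothing is filtered on save. The following is an added example (not euromark's or Dave's code, not CakePHP's) of the "match against known hazard strings" approach mentioned above, done as a log signal only: the data is saved exactly as posted and h() still does the protecting on output. The pattern list is a constructed, deliberately small set and is trivially evadable, so treat the output as a triage hint, not a control.

```php
<?php
// Added example (not the thread's code, not CakePHP's): flag script-like
// submissions for later review without changing what gets saved.

// Each pattern is applied to a lower-cased, entity-decoded copy of the field
// so that "&lt;SCRIPT&gt;" and "<script>" are treated the same. Constructed
// list; real attackers will get past it, which is why h() stays in place.
$SUSPICIOUS_PATTERNS = array(
    'script_tag'    => '/<\s*script\b/',
    'event_handler' => '/\bon[a-z]+\s*=/',
    'js_url'        => '/javascript\s*:/',
    'css_expr'      => '/expression\s*\(/',
    'iframe_tag'    => '/<\s*iframe\b/',
    'base64_blob'   => '/[A-Za-z0-9+\/]{80,}={0,2}/',   // long base64-looking run
);

function normalise_field($value) {
    $decoded = html_entity_decode($value, ENT_QUOTES, 'UTF-8');
    // A second round catches double-encoded payloads such as &amp;lt;script&amp;gt;.
    $decoded = html_entity_decode($decoded, ENT_QUOTES, 'UTF-8');
    return strtolower($decoded);
}

// Walk the request data and return one finding per matched (field, pattern).
function scan_for_markup(array $data, array $patterns, $prefix = '') {
    $findings = array();
    foreach ($data as $key => $value) {
        $path = ($prefix === '') ? $key : $prefix . '.' . $key;
        if (is_array($value)) {
            $findings = array_merge($findings, scan_for_markup($value, $patterns, $path));
            continue;
        }
        if (!is_string($value)) {
            continue;
        }
        $haystack = normalise_field($value);
        foreach ($patterns as $name => $regex) {
            if (preg_match($regex, $haystack)) {
                $findings[] = array('field' => $path, 'pattern' => $name);
            }
        }
    }
    return $findings;
}

// One log line per submission, or null when there is nothing to report.
// User id and IP come from the request in a real controller; constructed here.
function audit_line($userId, $ip, array $findings) {
    if (empty($findings)) {
        return null;
    }
    $parts = array();
    foreach ($findings as $f) {
        $parts[] = $f['field'] . ':' . $f['pattern'];
    }
    return sprintf('%s user=%s ip=%s suspicious_input=%s',
        date('c'), $userId, $ip, implode(',', $parts));
}

// Constructed submissions: one benign, one carrying script-like content.
$benign = array('Post' => array('title' => 'Hello', 'body' => 'Plain text, no markup.'));
$nasty  = array('Post' => array(
    'title' => 'Hi <a href="javascript:alert(1)">here</a>',
    'body'  => '&lt;script&gt;document.location="http://example.invalid"&lt;/script&gt;',
));

var_dump(audit_line(17, '203.0.113.5', scan_for_markup($benign, $SUSPICIOUS_PATTERNS)));
var_dump(audit_line(17, '203.0.113.5', scan_for_markup($nasty, $SUSPICIOUS_PATTERNS)));

// Either way the record is saved unmodified; only the log line differs.
```

Grouping by user id over the log output answers Dave's "how do I find such a user" without reading every edit: the users worth a look are the ones who trip the same patterns repeatedly.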

Another sanitize Question

2010-01-04 Thread Dave
I have asked various questions about data sanitization and I came across
teknoids blog post about the same subject
 
read it here:
http://teknoid.wordpress.com/2009/08/06/save-now-sanitize-later/
 
I did get the same answer from fellow bakers "no need to sanitize, use h()
and see users trying to do stuff they should not be doing".
 
My only question is how do you track users who are attempting to add scripts
or what not? If you have a site with say 2000 users making changes everyday
how do you possibly monitor each edit? How do you find these users other
than going thru everything daily / hourly? Just wondering how would you find
such a user easily in endless list of possible users?
 
Thanks,
 
Dave



sanitize::clean

2009-12-07 Thread Dave
Is there a way to not clean specific keys in an array? My id has '-' in it
so I would like to not clean specific keys of the array.
 
Dave



Re: To Sanitize or not? :: Public Opinion

2009-11-22 Thread Walther
CakePHP already makes any user input safe in save functions (with the
exception of updateAll).

My general rule of thumb is not to filter user input on save, but on
display. This way you can see which users are trying malicious code
and take action accordingly.

On Nov 23, 1:12 am, robustsolution  wrote:
> you may sanitize somtimes, but you should always validate inputs
> (forms... urls http requests)





Re: To Sanitize or not? :: Public Opinion

2009-11-22 Thread robustsolution
You may sanitize sometimes, but you should always validate inputs
(forms, URLs, HTTP requests).





Re: To Sanitize or not? :: Public Opinion

2009-11-17 Thread Erik Nedwidek
The big problem really is accepting input and displaying it without encoding
or stripping the html. If you want to accept html, you need to strip out all
javascript, intrinsic events, and even scripts hidden in styles. For the
most part Cake will construct the SQL queries in a protected manner. You
will also want to scan for Base64 encoded data as people are hiding their
scripts in there too.

Erik Nedwidek
Project Manager
Lighthouse I.T. Consulting, Inc.


On Tue, Nov 17, 2009 at 10:57 PM, Dr. Loboto  wrote:

> When data is saved to DB Cake properly escape it so no problem with
> SQL Injection and no need to sanitize before.
>
> When data is displayed using of h() function will "secure" it enough.
>
> With such approach you face problems only when allow users post HTML
> (for example, with WYSIWYG editor). In this case nor h() nor Sanitize
> can save you as both of them cannot be used in such case.
>
> On Nov 18, 4:07 am, "Dave"  wrote:
> > I have asked a few questions about data sanitization and got different
> > responses.
> > Some people say just don't sanitize and use echo h() other say always
> > sanitize.
> > Books say never trust what the user enters so always clean data before
> > saving.
> >
> > I know every app has different requirements but as a general rule what do
> > you do?
> >
> > Just looking for feedback as to different methods for each baker.
> >
> > Thanks
> >
> > Dave
>


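Erik's point is the one case where h() is off the table: once you accept HTML from users you have to remove scripts, intrinsic event handlers, script-bearing URLs and styles rather than escape them. The following is an added example (not Erik's code and not CakePHP's) of an allowlist sanitizer on DOMDocument that does exactly that. For production use a maintained library such as HTMLPurifier; the mechanics are the same, keep only known-good elements and attributes and drop everything else. The allowed tag list and the test markup are constructed for the example.

```php
<?php
// Added example (not the thread's code, not CakePHP's): allowlist-based HTML
// sanitizer. Unknown elements are unwrapped (their text survives), script
// and style elements are removed with their contents, and only listed
// attributes survive, which disposes of on*= and style= in one pass.

$ALLOWED = array(
    'p' => array(), 'br' => array(), 'b' => array(), 'i' => array(),
    'strong' => array(), 'em' => array(), 'ul' => array(), 'ol' => array(),
    'li' => array(), 'a' => array('href', 'title'), 'img' => array('src', 'alt'),
);

// Only these URL schemes survive on href/src; relative URLs are allowed.
function safe_url($url) {
    $url = trim($url);
    // Decode entities and strip control characters that browsers ignore
    // inside a scheme, so "jav&#x09;ascript:" is caught as well.
    $probe = html_entity_decode($url, ENT_QUOTES, 'UTF-8');
    $probe = preg_replace('/[\x00-\x20]+/', '', $probe);
    if (preg_match('/^([a-z][a-z0-9+.-]*):/i', $probe, $m)) {
        return in_array(strtolower($m[1]), array('http', 'https', 'mailto'), true) ? $url : null;
    }
    return $url;
}

function sanitize_node(DOMNode $node, array $allowed) {
    // Iterate over a snapshot: children are removed or replaced as we go.
    $children = array();
    foreach ($node->childNodes as $child) {
        $children[] = $child;
    }
    foreach ($children as $child) {
        if ($child instanceof DOMComment) {
            $node->removeChild($child);
            continue;
        }
        if (!($child instanceof DOMElement)) {
            continue;                       // text nodes are serialised escaped
        }
        $tag = strtolower($child->tagName);
        if ($tag === 'script' || $tag === 'style') {
            $node->removeChild($child);     // drop the element and its contents
            continue;
        }
        if (!isset($allowed[$tag])) {
            // Unknown element: keep its (sanitized) children, lose the tag.
            sanitize_node($child, $allowed);
            while ($child->firstChild) {
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->name);
            if (!in_array($name, $allowed[$tag], true)) {
                $child->removeAttribute($attr->name);
                continue;
            }
            if ($name === 'href' || $name === 'src') {
                $clean = safe_url($attr->value);
                if ($clean === null) {
                    $child->removeAttribute($attr->name);
                } else {
                    $child->setAttribute($attr->name, $clean);
                }
            }
        }
        sanitize_node($child, $allowed);
    }
}

function sanitize_html($html, array $allowed) {
    $doc = new DOMDocument();
    // Wrap the fragment in a container so it parses predictably, and keep
    // libxml's warnings about sloppy markup out of the page.
    libxml_use_internal_errors(true);
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>');
    libxml_clear_errors();
    $root = $doc->getElementsByTagName('div')->item(0);   // our wrapper
    sanitize_node($root, $allowed);
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed input covering each of the cases listed in the post above.
$dirty = '<p onclick="steal()">Hi <b>there</b></p>'
       . '<script>alert(1)</script>'
       . '<a href="javascript:alert(1)">x</a>'
       . '<a href="jav&#x09;ascript:alert(1)">y</a>'
       . '<img src="http://example.invalid/a.png" style="background:url(javascript:1)">'
       . '<div><em>kept text</em></div>';

echo sanitize_html($dirty, $ALLOWED), "\n";
```

The important design choice is that the decision is made on the parsed DOM, not on the raw string: regex-based stripping can be fooled by encoding and nesting tricks, whereas here the parser has already resolved entities and element boundaries before the allowlist is applied.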



Re: To Sanitize or not? :: Public Opinion

2009-11-17 Thread Dr. Loboto
When data is saved to the DB Cake properly escapes it, so there is no problem
with SQL injection and no need to sanitize before.

When data is displayed, using the h() function will "secure" it enough.

With such an approach you face problems only when you allow users to post HTML
(for example, with a WYSIWYG editor). In this case neither h() nor Sanitize
can save you, as neither of them can be used in such a case.

On Nov 18, 4:07 am, "Dave"  wrote:
> I have asked a few questions about data sanitization and got different
> responses.
> Some people say just don't sanitize and use echo h() other say always
> sanitize.
> Books say never trust what the user enters so always clean data before
> saving.
>
> I know every app has different requirements but as a general rule what do
> you do?
>
> Just looking for feedback as to different methods for each baker.
>
> Thanks
>
> Dave





Re: To Sanitize or not? :: Public Opinion

2009-11-17 Thread Miles J
If you filter and validate the data before saving it to the database,
then there's no need for sanitization... unless you allow them to use
HTML.

On Nov 17, 3:00 pm, Marcelo Andrade  wrote:
> On Tue, Nov 17, 2009 at 7:07 PM, Dave  wrote:
> > I have asked a few questions about data sanitization and got different
> > responses.
> > Some people say just don't sanitize and use echo h() other say always
> > sanitize.
> > Books say never trust what the user enters so always clean data before
> > saving.
>
> I think you said all.  Never trust data from the user.  I vote for always
> sanitize.  You never know when you'll face a "Bobby Tables" user.
>
> http://xkcd.com/327/
>
> Best regards.
>
> --
> MARCELO DE F. ANDRADE
> Belem, PA, Amazonia, Brazil
> Linux User #221105





Re: To Sanitize or not? :: Public Opinion

2009-11-17 Thread Marcelo Andrade
On Tue, Nov 17, 2009 at 7:07 PM, Dave  wrote:
> I have asked a few questions about data sanitization and got different
> responses.
> Some people say just don't sanitize and use echo h() other say always
> sanitize.
> Books say never trust what the user enters so always clean data before
> saving.

I think you said all.  Never trust data from the user.  I vote for always
sanitize.  You never know when you'll face a "Bobby Tables" user.

http://xkcd.com/327/

Best regards.

--
MARCELO DE F. ANDRADE
Belem, PA, Amazonia, Brazil
Linux User #221105





To Sanitize or not? :: Public Opinion

2009-11-17 Thread Dave
I have asked a few questions about data sanitization and got different
responses. 
Some people say just don't sanitize and use echo h() other say always
sanitize. 
Books say never trust what the user enters so always clean data before
saving.
 
I know every app has different requirements but as a general rule what do
you do?
 
Just looking for feedback as to different methods for each baker.
 
Thanks
 
Dave





Re: Sanitize:: clean help

2009-11-02 Thread robustsolution

nice approach... euromark.

On Nov 1, 9:23 am, "euromark (munich)" wrote:
> way to complicated
>
> dont sanitize it
> and use h() for output (text, varchar)
>
> that is way more handy than any other approach
>
> On 1 Nov., 06:44, Kyle Decot  wrote:
>
> > Try echo $form->input("description",array("value"=>html_entity_decode(@
> > $this->data["Model"]["description"])));
>
> > On Oct 31, 5:29 pm, "Dave"  wrote:
>
> > > Can someone help me out with this fairly simple question.
>
> > > I am doing:
>
> > > $clean = new Sanitize();
> > > $this->data = $clean->clean($this->data);
>
> > > Now if a user enters quotes brackets or what not it gets converted to
> > > <script> which is fine for saving to the db I suppose. But when they
> > > go back to edit the entry the input is <script> how can i convert it
> > > back to what it was before? So it is readable.
> > > I want the data to be safe for the db but also be able to be editable by 
> > > the
> > > end user.
>
> > > I tried echo $form->input(html_entity_decode('description'));but still 
> > > comes
> > > out all mangled
>
> > > Thanks
>
> > > Dave



Re: Sanitize:: clean help

2009-11-01 Thread euromark (munich)

Way too complicated.

Don't sanitize it,
and use h() for output (text, varchar).

That is way more handy than any other approach.


On 1 Nov., 06:44, Kyle Decot  wrote:
> Try echo $form->input("description",array("value"=>html_entity_decode(@
> $this->data["Model"]["description"])));
>
> On Oct 31, 5:29 pm, "Dave"  wrote:
>
> > Can someone help me out with this fairly simple question.
>
> > I am doing:
>
> > $clean = new Sanitize();
> > $this->data = $clean->clean($this->data);
>
> > Now if a user enters quotes brackets or what not it gets converted to
> > <script> which is fine for saving to the db I suppose. But when they
> > go back to edit the entry the input is <script> how can i convert it
> > back to what it was before? So it is readable.
> > I want the data to be safe for the db but also be able to be editable by the
> > end user.
>
> > I tried echo $form->input(html_entity_decode('description'));but still comes
> > out all mangled
>
> > Thanks
>
> > Dave

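The following is an added example (not euromark's or Dave's code, not CakePHP's) that reproduces the mangled edit form Dave describes and shows why "store raw, h() on output" avoids it. The same h_() call is what the "Do I need to use sanitize?" thread above needs for an HTML email body, and the contrast is the one drawn in "To Sanitize or not?". h_() is assumed equivalent to Cake's h() (htmlspecialchars with ENT_QUOTES); sanitize_in() is assumed to match only the encoding part of Sanitize::clean.

```php
<?php
// Added example (not the threads' code, not CakePHP's): the same user input
// stored two ways, then sent through the edit form and the display view.

function h_($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// The encoding half of Sanitize::clean: entities on the way in.
function sanitize_in($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// What FormHelper emits for a text field: the value attribute is escaped
// whatever the stored string happens to be.
function edit_input($name, $stored) {
    return '<input type="text" name="' . h_($name) . '" value="' . h_($stored) . '" />';
}

// What a view, or an HTML email body, emits when showing the stored string.
function display($stored) {
    return '<p>' . h_($stored) . '</p>';
}

// Browser side: the text the user sees inside the box is the value
// attribute decoded once by the HTML parser.
function what_user_sees_in_box($inputHtml) {
    preg_match('/value="([^"]*)"/', $inputHtml, $m);
    return html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
}

function roundtrip_report($userInput, $stored) {
    $inBox = what_user_sees_in_box(edit_input('Model.description', $stored));
    return array(
        'stored'              => $stored,
        'shown_in_page'       => display($stored),
        'user_sees_in_box'    => $inBox,
        'survives_edit'       => ($inBox === $userInput),
        'live_script_in_page' => (strpos(display($stored), '<script') !== false),
    );
}

// Constructed input: the kind of thing Dave's users type.
$userInput = 'Bob\'s <script>alert("hacked!")</script> entry';

// Path A: store raw, escape on output. The user gets back exactly what they
// typed, and the page never contains a live <script> element.
print_r(roundtrip_report($userInput, $userInput));

// Path B: encode on input (Sanitize::clean) and escape on output as well.
// The box now shows the entities literally, and a second save encodes them
// again: the "all mangled" symptom from the thread.
print_r(roundtrip_report($userInput, sanitize_in($userInput)));
```

The survives_edit flag is the practical test: any input-side transformation that fails it will corrupt the record a little more on every edit, while output-side escaping is idempotent with respect to what is stored.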


Re: Sanitize:: clean help

2009-10-31 Thread Kyle Decot

Try echo $form->input("description", array("value" => html_entity_decode(@$this->data["Model"]["description"])));

On Oct 31, 5:29 pm, "Dave"  wrote:
> Can someone help me out with this fairly simple question.
>
> I am doing:
>
> $clean = new Sanitize();
> $this->data = $clean->clean($this->data);
>
> Now if a user enters quotes brackets or what not it gets converted to
> <script> which is fine for saving to the db I suppose. But when they
> go back to edit the entry the input is <script> how can i convert it
> back to what it was before? So it is readable.
> I want the data to be safe for the db but also be able to be editable by the
> end user.
>
> I tried echo $form->input(html_entity_decode('description'));but still comes
> out all mangled
>
> Thanks
>
> Dave



Sanitize:: clean help

2009-10-31 Thread Dave
Can someone help me out with this fairly simple question.
 
I am doing:
 
$clean = new Sanitize();
$this->data = $clean->clean($this->data);
 
Now if a user enters quotes brackets or what not it gets converted to
<script> which is fine for saving to the db I suppose. But when they
go back to edit the entry the input is <script> how can i convert it
back to what it was before? So it is readable.
I want the data to be safe for the db but also be able to be editable by the
end user.
 
I tried echo $form->input(html_entity_decode('description')); but it still comes
out all mangled.
 
Thanks
 
Dave




Re: Odd code in sanitize core lib?

2009-10-29 Thread George H

I thought this was the case too (I use Consolas fwiw), so I pasted the
code into an empty text editor (TextWrangler) and did a search for
'!', and it returned two results. What font are you using to view the
code, making the search and replace strings different? As far as I can
tell, the search and replace strings are identical.

I'm guessing it's some sort of testing code that wasn't cleaned up
during the refactoring process...? I don't know.

But yeah -- this isn't a ground-breaking drop-what-you're-doing kind
of thing, just out of curiosity I was just wondering why that's there.

On Oct 29, 11:47 pm, Martin Westin  wrote:
> I am just guessing here but couldn't it be replacing "looks like an
> exclamation but is really far out into outer space" with a normal
> exclamation?
>
> Using a "bad" font and the code look different.
>
> On Oct 29, 7:32 am, Miles J  wrote:
>
> > I thought you were lying so I checked, and haha it is there. I'm
> > curious on this as well.
>
> > On Oct 28, 8:51 pm, George H  wrote:
>
> > > Hi guys,
>
> > > I've been debugging my controller that is using Sanitize and I had a
> > > peek inside the CakePHP Sanitize core lib file, where I found
> > > something odd.
>
> > > Is it possible if someone could explain to me (I'm just genuinely
> > > curious) the reasoning behind line 223 in /cake/libs/sanitize.php
> > > (version 1.2.5)?
>
> > > $data = str_replace("'", "'", str_replace("!", "!", $data));
>
> > > From what I can tell, this line is replacing ! chars with !, and then
> > > replacing ' chars with '. I've done some checks and the search and
> > > replace strings are exactly the same.
>
> > > As I mentioned, I am genuinely curious (probably more curious if I am
> > > lost my marbles or not and maybe I'm seeing things), so any core devs
> > > out there please do not see this as a personal attack on you, or your
> > > intelligence, or ability to cut good code, etc etc.
>
> > > Cheers,
> > > -- George



Re: Odd code in sanitize core lib?

2009-10-29 Thread Martin Westin

I am just guessing here but couldn't it be replacing "looks like an
exclamation but is really far out into outer space" with a normal
exclamation?

Using a "bad" font and the code look different.


On Oct 29, 7:32 am, Miles J  wrote:
> I thought you were lying so I checked, and haha it is there. I'm
> curious on this as well.
>
> On Oct 28, 8:51 pm, George H  wrote:
>
>
>
> > Hi guys,
>
> > I've been debugging my controller that is using Sanitize and I had a
> > peek inside the CakePHP Sanitize core lib file, where I found
> > something odd.
>
> > Is it possible if someone could explain to me (I'm just genuinely
> > curious) the reasoning behind line 223 in /cake/libs/sanitize.php
> > (version 1.2.5)?
>
> > $data = str_replace("'", "'", str_replace("!", "!", $data));
>
> > From what I can tell, this line is replacing ! chars with !, and then
> > replacing ' chars with '. I've done some checks and the search and
> > replace strings are exactly the same.
>
> > As I mentioned, I am genuinely curious (probably more curious if I am
> > lost my marbles or not and maybe I'm seeing things), so any core devs
> > out there please do not see this as a personal attack on you, or your
> > intelligence, or ability to cut good code, etc etc.
>
> > Cheers,
> > -- George



Re: Odd code in sanitize core lib?

2009-10-28 Thread Miles J

I thought you were lying so I checked, and haha it is there. I'm
curious on this as well.

On Oct 28, 8:51 pm, George H  wrote:
> Hi guys,
>
> I've been debugging my controller that is using Sanitize and I had a
> peek inside the CakePHP Sanitize core lib file, where I found
> something odd.
>
> Is it possible if someone could explain to me (I'm just genuinely
> curious) the reasoning behind line 223 in /cake/libs/sanitize.php
> (version 1.2.5)?
>
> $data = str_replace("'", "'", str_replace("!", "!", $data));
>
> From what I can tell, this line is replacing ! chars with !, and then
> replacing ' chars with '. I've done some checks and the search and
> replace strings are exactly the same.
>
> As I mentioned, I am genuinely curious (probably more curious if I am
> lost my marbles or not and maybe I'm seeing things), so any core devs
> out there please do not see this as a personal attack on you, or your
> intelligence, or ability to cut good code, etc etc.
>
> Cheers,
> -- George



Odd code in sanitize core lib?

2009-10-28 Thread George H

Hi guys,

I've been debugging my controller that is using Sanitize and I had a
peek inside the CakePHP Sanitize core lib file, where I found
something odd.

Is it possible if someone could explain to me (I'm just genuinely
curious) the reasoning behind line 223 in /cake/libs/sanitize.php
(version 1.2.5)?

$data = str_replace("'", "'", str_replace("!", "!", $data));

From what I can tell, this line is replacing ! chars with !, and then
replacing ' chars with '. I've done some checks and the search and
replace strings are exactly the same.

As I mentioned, I am genuinely curious (probably more curious if I am
lost my marbles or not and maybe I'm seeing things), so any core devs
out there please do not see this as a personal attack on you, or your
intelligence, or ability to cut good code, etc etc.

Cheers,
-- George



Re: Sanitize::clean on AfterFind on AppModel

2009-10-23 Thread Miles J

Dont you mean beforeSave()? Why would you sanitize after grabbing
data?

http://www.milesj.me/blog/read/47/Automatically-Sanitizing-Data-With-BeforeSave
http://www.milesj.me/blog/read/49/Stripping-HTML-Automatically-From-Your-Data

On Oct 23, 1:56 pm, Lucas Costa  wrote:
> Hello fellows,
>
> what do you think about putting a Sanitize::clean on the AfterFind of every
> Model?
>
> Wouldn't that ensure the same security and a lot less code?
>
> What would be the down side?
>
> Regards...



Sanitize::clean on AfterFind on AppModel

2009-10-23 Thread Lucas Costa
Hello fellows,

what do you think about putting a Sanitize::clean on the AfterFind of every
Model?

Wouldn't that ensure the same security and a lot less code?

What would be the down side?

Regards...




Re: sanitize and echoing in html

2009-08-24 Thread ezekfred

hi all,

forget about it:

On Aug 24, 10:18 am, ezekfred  wrote:
> > Many thanks!
> >
> > I didn't know this "nl2br"!
> >
> > here is my way of doing it (with sanitize...)
> >
> >  > App::import('Sanitize');
> >
> > class MyController extends AppController {
> >  function add() {
> >   if (!empty($this->data)) {
> >$this->data = Sanitize::clean($this->data);
> >$this->Mydata->create();
> >
> >  }
> >
> > function edit($id = null) {
> >  if (!empty($this->data)) {
> >   $this->data = Sanitize::clean($this->data);
> >   if ($this->Mydata->save($this->data)) {
> >   
> >   }
> >  }
> >
> > }
> >
> > ?>
> >
> > and in my view template index.ctp
> > 
> >
> > thanks again.
> >
> > On Aug 21, 5:57 pm, "euromark (munich)" 
> > wrote:
> >
>> > > always the same^^
> >
>> > > no sanitizing necessary
>> > > just use h($var) in the view
> >
>> > > and for textareas
>> > > nl2br(h($var))
> >
>> > > thats all
> >
>> > > On 21 Aug., 16:55, ezekfred  wrote:
> >
>>> > > > Hello,
> >
>>> > > > I'm having some issues with my views.
> >
>>> > > > add.ctp: echo $form->input('theanswer');
>>> > > > view.ctp: echo $data['theanswer'];
> >
>>> > > > in my database theanswer is a TEXT field
> >
>>> > > > I just want to allow people make use of carriage return,
>>> > > > I want to display these CR in view.ctp and index.ctp
>>> > > > but I don't want them to write scripts like alert
>>> > > > ("EXPLETIVES!!!")
> >
>>> > > > I've tried to sanitize::clean the input, to sanitize::html the output
>>> > > > but I'm unable to get an output like that:
>>> > > > "Line1
>>> > > > Line2
>>> > > > "
> >
>>> > > > Has anyone an idea?
> >
>>> > > > thanks for your help!
> >

euromark was right:
no sanitizing necessary: just use h($var) in the view
and for textareas: nl2br(h($var))

I've found my issue: I was using an old version of debug kit...
with the last one (1.1) everything is ok with h($myvars)

Thank you again Mister Euromark.



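The advice above, as an added example that is not the thread's own code: the order of nl2br() and h() for a textarea value, run over a constructed input containing line breaks and the script tag from the question. h() is redefined with htmlspecialchars() (what CakePHP's h() wraps) so the script runs without the framework.

```php
<?php
// Added example, not code from the thread or from CakePHP.

// CakePHP's h() wraps htmlspecialchars(); redefined so this runs stand-alone.
function h(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Escape first, then convert newlines: the <br /> tags nl2br() inserts are
// the only markup in the result; everything the user typed is inert text.
function textareaToHtml(string $text): string {
    return nl2br(h($text));
}

// Reversed order: h() escapes the <br /> that nl2br() just inserted, so the
// page shows a literal "<br />" and no line breaks (the tag is still inert).
function textareaToHtmlReversed(string $text): string {
    return h(nl2br($text));
}

// No escaping at all: line breaks work, but the script tag reaches the page
// untouched. This is the failure mode h() in the view exists to prevent.
function textareaUnescaped(string $text): string {
    return nl2br($text);
}

// Constructed sample input: two lines plus the tag from the question.
$posted = "Line1\nLine2\n<script>alert(\"EXPLETIVES!!!\")</script>";

$variants = [
    'nl2br(h())'   => textareaToHtml($posted),
    'h(nl2br())'   => textareaToHtmlReversed($posted),
    'nl2br() only' => textareaUnescaped($posted),
];
foreach ($variants as $label => $html) {
    echo "--- $label ---\n$html\n";
}

// Only the first form keeps real line breaks and neutralises the tag.
assert(strpos(textareaToHtml($posted), '<br />') !== false);
assert(strpos(textareaToHtml($posted), '<script') === false);
assert(strpos(textareaToHtmlReversed($posted), '<br />') === false);
assert(strpos(textareaUnescaped($posted), '<script') !== false);
```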



Re: sanitize and echoing in html

2009-08-24 Thread ezekfred

Many thanks!

I didn't know this "nl2br"!

here is my way of doing it (with sanitize...)

<?php
App::import('Sanitize');

class MyController extends AppController {
  function add() {
    if (!empty($this->data)) {
      $this->data = Sanitize::clean($this->data);
      $this->Mydata->create();

    }
  }

  function edit($id = null) {
    if (!empty($this->data)) {
      $this->data = Sanitize::clean($this->data);
      if ($this->Mydata->save($this->data)) {

      }
    }
  }
}
?>

and in my view template index.ctp


thanks again.

On Aug 21, 5:57 pm, "euromark (munich)" 
wrote:
> always the same^^
>
> no sanitizing necessary
> just use h($var) in the view
>
> and for textareas
> nl2br(h($var))
>
> thats all
>
> On 21 Aug., 16:55, ezekfred  wrote:
>
> > Hello,
>
> > I'm having some issues with my views.
>
> > add.ctp: echo $form->input('theanswer');
> > view.ctp: echo $data['theanswer'];
>
> > in my database theanswer is a TEXT field
>
> > I just want to allow people make use of carriage return,
> > I want to display these CR in view.ctp and index.ctp
> > but I don't want them to write scripts like alert
> > ("EXPLETIVES!!!")
>
> > I've tried to sanitize::clean the input, to sanitize::html the output
> > but I'm unable to get an output like that:
> > "Line1
> > Line2
> > "
>
> > Has anyone an idea?
>
> > thanks for your help!
>
>



Re: sanitize and echoing in html

2009-08-21 Thread euromark (munich)

always the same^^

no sanitizing necessary
just use h($var) in the view

and for textareas
nl2br(h($var))

thats all


On 21 Aug., 16:55, ezekfred  wrote:
> Hello,
>
> I'm having some issues with my views.
>
> add.ctp: echo $form->input('theanswer');
> view.ctp: echo $data['theanswer'];
>
> in my database theanswer is a TEXT field
>
> I just want to allow people make use of carriage return,
> I want to display these CR in view.ctp and index.ctp
> but I don't want them to write scripts like alert
> ("EXPLETIVES!!!")
>
> I've tried to sanitize::clean the input, to sanitize::html the output
> but I'm unable to get an output like that:
> "Line1
> Line2
> "
>
> Has anyone an idea?
>
> thanks for your help!



sanitize and echoing in html

2009-08-21 Thread ezekfred

Hello,

I'm having some issues with my views.

add.ctp: echo $form->input('theanswer');
view.ctp: echo $data['theanswer'];

in my database theanswer is a TEXT field

I just want to allow people make use of carriage return,
I want to display these CR in view.ctp and index.ctp
but I don't want them to write scripts like alert
("EXPLETIVES!!!")

I've tried to sanitize::clean the input, to sanitize::html the output
but I'm unable to get an output like that:
"Line1
Line2
"

Has anyone an idea?

thanks for your help!



Re: De-sanitize for Text Boxes

2009-08-03 Thread euromark (munich)

there are many reasons for it, and almost none against it
so yes, I would advise you to do so

sanitizing is not necessary if you make sure all your view outputs
are specialchared with
h()
like
echo h($data['Model']['title']);
html-helper functions like $html->link() do that for you right away
anyway

this way you won't run into any of your current problems

mark


On 4 Aug., 01:07, Ponch316  wrote:
> I didn't set the encoding for UTF8. Should I? Are there any other
> encoding related specifications I should follow?
>
> Thanks.
>
> On Aug 2, 1:41 am, "euromark (munich)" 
> wrote:
>
> > just don't sanitize them in the first place
> > the problem must be caused by something else
> > usually cake escapes them automatically
>
> > is everything UTF-8? especially the db? (careful: utf8 not utf-8
> > here!)
>
> > On 2 Aug., 03:34, Ponch316  wrote:
>
> > > Hi,
>
> > > I'm new to CakePHP and I came across a little problem.
>
> > > I created a scaffold to upload a list of schools to my database and
> > > after uploading about 400, I noticed that some of the schools were
> > > disappearing both from the scaffold view and the database. Since no
> > > one else has access to my system, I realized that the only possible
> > > reason for that is that some characters I entered, like apostrophes
> > > ('), hyphens (-), and commas (,), caused trouble in the database
> > > somehow.
>
> > > I created a new scaffold using Bake and decided to use Sanitize::clean()
> > > before saving. So far, schools are no longer disappearing, but when I
> > > try to edit one of these, the characters are NOT displayed correctly
> > > in the text boxes (e.g: O'Malley). I tried using the PHP method
> > > htmlspecialchars_decode() (http://us.php.net/htmlspecialchars_decode)
> > > before sending $this->data to the view but it didn't work, characters
> > > are still showing up like that.
>
> > > I was wondering if someone could help me to solve this problem. I
> > > don't know if I'm doing something wrong, cuz I'm very surprised that
> > > Cake has problems handling special characters, since a lot of last
> > > names use apostrophes. If you think I should use a different approach,
> > > please let me know as well.
>
> > > Thanks in advance.
> > > Ponch316
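The round-trip problem in this thread and in Dave's "Sanitize::clean help" question, as an added example that is not the thread's code and not CakePHP's: h(), the encoding step of Sanitize::clean() and FormHelper's attribute escaping are approximated with plain PHP functions, and the form field name is made up. It contrasts "encode on input" with "store raw, escape once on output".

```php
<?php
// Added example, not code from the thread or from CakePHP.

// CakePHP's h() wraps htmlspecialchars(); redefined here so the script
// runs without the framework.
function h(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Approximation of the encoding step Sanitize::clean() applies on input.
function sanitizeOnInput(string $text): string {
    return htmlentities($text, ENT_QUOTES, 'UTF-8');
}

// Approximation of FormHelper::input(): the value attribute is escaped when
// the tag is built, whatever the stored string already contains.
// The field name is made up for this example.
function renderEditInput(string $storedValue): string {
    return '<input type="text" name="data[School][name]" value="'
        . h($storedValue) . '" />';
}

// What the user sees inside the text box: the attribute decoded once,
// which is what the browser does.
function textBoxShows(string $inputTag): string {
    preg_match('/value="([^"]*)"/', $inputTag, $m);
    return html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
}

// Constructed sample input: an apostrophe and a script tag, the two cases
// the thread worries about.
$typed = "O'Malley <script>alert('x')</script>";

// Pipeline 1: sanitize on input. The entities are stored, then escaped a
// second time by the form helper, so the box shows the entities literally.
$storedEncoded = sanitizeOnInput($typed);
$box1 = textBoxShows(renderEditInput($storedEncoded));

// Pipeline 2: store exactly what was typed; escape once, at output. The box
// shows the original text again, and the view shows the tag as inert text
// because h() turned < and > into entities.
$storedRaw = $typed;
$box2 = textBoxShows(renderEditInput($storedRaw));
$view2 = h($storedRaw);

echo "pipeline 1 stored : $storedEncoded\n";
echo "pipeline 1 box    : $box1\n";
echo "pipeline 2 stored : $storedRaw\n";
echo "pipeline 2 box    : $box2\n";
echo "pipeline 2 view   : $view2\n";

// The checks a practitioner would put in a test.
assert($box1 !== $typed);                       // mangled, as the thread reports
assert($box2 === $typed);                       // editable again
assert(strpos($view2, '<script') === false);    // never reaches the page as markup
```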



Re: De-sanitize for Text Boxes

2009-08-03 Thread Ponch316

I didn't set the encoding for UTF8. Should I? Are there any other
encoding related specifications I should follow?

Thanks.

On Aug 2, 1:41 am, "euromark (munich)" 
wrote:
> just don't sanitize them in the first place
> the problem must be caused by something else
> usually cake escapes them automatically
>
> is everything UTF-8? especially the db? (careful: utf8 not utf-8
> here!)
>
> On 2 Aug., 03:34, Ponch316  wrote:
>
> > Hi,
>
> > I'm new to CakePHP and I came across a little problem.
>
> > I created a scaffold to upload a list of schools to my database and
> > after uploading about 400, I noticed that some of the schools were
> > disappearing both from the scaffold view and the database. Since no
> > one else has access to my system, I realized that the only possible
> > reason for that is that some characters I entered, like apostrophes
> > ('), hyphens (-), and commas (,), caused trouble in the database
> > somehow.
>
> > I created a new scaffold using Bake and decided to use Sanitize::clean()
> > before saving. So far, schools are no longer disappearing, but when I
> > try to edit one of these, the characters are NOT displayed correctly
> > in the text boxes (e.g: O'Malley). I tried using the PHP method
> > htmlspecialchars_decode() (http://us.php.net/htmlspecialchars_decode)
> > before sending $this->data to the view but it didn't work, characters
> > are still showing up like that.
>
> > I was wondering if someone could help me to solve this problem. I
> > don't know if I'm doing something wrong, cuz I'm very surprised that
> > Cake has problems handling special characters, since a lot of last
> > names use apostrophes. If you think I should use a different approach,
> > please let me know as well.
>
> > Thanks in advance.
> > Ponch316



Re: De-sanitize for Text Boxes

2009-08-02 Thread euromark (munich)

just don't sanitize them in the first place
the problem must be caused by something else
usually cake escapes them automatically

is everything UTF-8? especially the db? (careful: utf8 not utf-8
here!)


On 2 Aug., 03:34, Ponch316  wrote:
> Hi,
>
> I'm new to CakePHP and I came across a little problem.
>
> I created a scaffold to upload a list of schools to my database and
> after uploading about 400, I noticed that some of the schools were
> disappearing both from the scaffold view and the database. Since no
> one else has access to my system, I realized that the only possible
> reason for that is that some characters I entered, like apostrophes
> ('), hyphens (-), and commas (,), caused trouble in the database
> somehow.
>
> I created a new scaffold using Bake and decided to use Sanitize::clean()
> before saving. So far, schools are no longer disappearing, but when I
> try to edit one of these, the characters are NOT displayed correctly
> in the text boxes (e.g: O'Malley). I tried using the PHP method
> htmlspecialchars_decode() (http://us.php.net/htmlspecialchars_decode)
> before sending $this->data to the view but it didn't work, characters
> are still showing up like that.
>
> I was wondering if someone could help me to solve this problem. I
> don't know if I'm doing something wrong, cuz I'm very surprised that
> Cake has problems handling special characters, since a lot of last
> names use apostrophes. If you think I should use a different approach,
> please let me know as well.
>
> Thanks in advance.
> Ponch316



De-sanitize for Text Boxes

2009-08-01 Thread Ponch316

Hi,

I'm new to CakePHP and I came across a little problem.

I created a scaffold to upload a list of schools to my database and
after uploading about 400, I noticed that some of the schools were
disappearing both from the scaffold view and the database. Since no
one else has access to my system, I realized that the only possible
reason for that is that some characters I entered, like apostrophes
('), hyphens (-), and commas (,), caused trouble in the database
somehow.

I created a new scaffold using Bake and decided to use Sanitize::clean()
before saving. So far, schools are no longer disappearing, but when I
try to edit one of these, the characters are NOT displayed correctly
in the text boxes (e.g: O'Malley). I tried using the PHP method
htmlspecialchars_decode() (http://us.php.net/htmlspecialchars_decode)
before sending $this->data to the view but it didn't work, characters
are still showing up like that.

I was wondering if someone could help me to solve this problem. I
don't know if I'm doing something wrong, cuz I'm very surprised that
Cake has problems handling special characters, since a lot of last
names use apostrophes. If you think I should use a different approach,
please let me know as well.

Thanks in advance.
Ponch316




Re: Allow some html tags in Sanitize::html()

2009-07-28 Thread Arnau Alcázar Lleopart
On Tue, Jul 28, 2009 at 3:56 PM, euromark (munich) <
dereurom...@googlemail.com> wrote:

>
> or the htmlpurifier library


Html purifier is too heavy for what I want to do, and strip_tags() is not
secure enough. I'm going to use Sanitize::html() and bbcode.




Re: Allow some html tags in Sanitize::html()

2009-07-28 Thread euromark (munich)

or the htmlpurifier library

On 28 Jul., 11:47, majna  wrote:
> There is no way.
> Use PHP's strip_tags() and htmlentities() instead
>
> On Jul 28, 12:30 am, Arnau Alcázar Lleopart 
> wrote:
>
> > Does anybody know if there is any way to allow some html tags in
> > function Sanitize::html()?
>
> > Thanks in advance!



Re: Allow some html tags in Sanitize::html()

2009-07-28 Thread majna

There is no way.
Use PHP's strip_tags() and htmlentities() instead

On Jul 28, 12:30 am, Arnau Alcázar Lleopart 
wrote:
> Does anybody know if there is any way to allow some html tags in
> function Sanitize::html()?
>
> Thanks in advance!



Allow some html tags in Sanitize::html()

2009-07-27 Thread Arnau Alcázar Lleopart

Does anybody know if there is any way to allow some html tags in
function Sanitize::html()?

Thanks in advance!




Re: Using HtmlHelper::autolink and Sanitize::clean together

2009-07-21 Thread Jeroen

Figured out a solution: using h() - cake's htmlspecialchars() wrapper
- works together with autolink, whilst maintaining
HtmlHelper::autolink functionality just fine.

Still, if someone has any thoughts on other solutions, involving the
use of the Sanitize::html method, I'd love to hear about it...



Using HtmlHelper::autolink and Sanitize::clean together

2009-07-21 Thread Jeroen

Hi all,

I've run into a little trouble, which I can't seem to get myself out
of: for certain user input, I want to Sanitize::html() the input when
echoing in my template. So far so good, the Sanitize class does its
job pretty good. Unfortunately, I really like the HtmlHelper::autolink
method for this kind of input too, so people's input gets linked
automatically.

Is there any way of achieving this, combining the two methods? In my
case, it works well, until I enter a url with characters that
Sanitize::html() cleans up; unfortunately, some of these chars are
valid characters for a url (like '&', or '-'), and cleaning text like
this renders the urls useless.

For example: a url like http://www.test-test.com will get malformed to
http://www.test&/#45;test.com when doing a $html->autolink
(Sanitize::html($url));

What's the best way to deal with this, preferably without sacrificing
on CakePHP's excellent html helper or Sanitize class?

Thanks,

Jeroen




Re: Calling Sanitize::clean() in AppModel beforeSave()?

2009-07-13 Thread Miles J

Well I tried it and it works, but it messes up any serialized arrays
that you insert into the database. So I had to do a work around for
those, but that's the only problem I ran into so far.

On Jul 13, 1:41 pm, Miles J  wrote:
> Has anyone done this before? I'm planning on doing this because it's a
> lot easier than doing it separately everywhere else. Are there
> any downsides to doing this?
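The serialized-array problem Miles reports, as an added example that is not his code and not CakePHP's: the encoding step of Sanitize::clean() is approximated with htmlentities() (the real method applies further transformations), and the model data is a constructed array. It shows why cleaning the whole field after serialize() breaks the format, and the workaround of cleaning the elements before serializing.

```php
<?php
// Added example, not code from the thread or from CakePHP.

// Approximation of the encoding step Sanitize::clean() applies.
function cleanLikeSanitize(string $text): string {
    return htmlentities($text, ENT_QUOTES, 'UTF-8');
}

// Pipeline 1: the controller serializes the array into a text column and a
// blanket beforeSave() then cleans the whole field. serialize() writes byte
// lengths and quote delimiters (s:8:"O'Malley"); encoding the quotes
// afterwards changes the bytes, so neither the lengths nor the delimiters
// match any more and the value can never be read back.
function storeThenClean(array $value): string {
    return cleanLikeSanitize(serialize($value));
}

// Pipeline 2 (workaround): clean each element first, then serialize, so the
// lengths describe the encoded strings and the format stays valid.
function cleanThenStore(array $value): string {
    return serialize(array_map('cleanLikeSanitize', $value));
}

// unserialize() returns false on malformed input and raises an E_NOTICE;
// the @ keeps the notice out of the output for this demonstration.
function restore(string $stored) {
    return @unserialize($stored);
}

// Constructed sample: an apostrophe and some markup, as a user might type.
$settings = ['owner' => "O'Malley", 'note' => 'Go <b>now</b>'];

$broken = storeThenClean($settings);
$intact = cleanThenStore($settings);

echo "stored by pipeline 1: $broken\n";
var_dump(restore($broken));    // the array cannot be restored
echo "stored by pipeline 2: $intact\n";
var_dump(restore($intact));    // the array comes back, values encoded

assert(restore($broken) === false);
assert(restore($intact)['owner'] === 'O&#039;Malley');
```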



Calling Sanitize::clean() in AppModel beforeSave()?

2009-07-13 Thread Miles J

Has anyone done this before? I'm planning on doing this because it's a
lot easier than doing it separately everywhere else. Are there
any downsides to doing this?



auth login & sanitize

2009-06-10 Thread rrd...@gmail.com

Hari,

It looks like the auth component does not use Sanitize for cleaning the given
username. The password is hashed so it should not be a problem, but as I
see, the username is used as it is.

Is it right?



Re: Sanitize

2009-04-22 Thread brian

Also, there's no need to manually call beforeSave(). In fact, you were
trying to call it *after* the save() had been done.

On Wed, Apr 22, 2009 at 7:06 AM, John Andersen  wrote:
>
> Hi Dave,
>
> In your model, add the Sanitize usage, then in your controller, just
> save as normal. Like:
>
> Model:
> function beforeSave() {
>   App::import('Sanitize');
>   $this->data = Sanitize::paranoid( $this->data );
> }
>
> Controller:
> ...
>   if ( $this->User->save( $this->data ) ) {
>      // All is well with the save, it was validated, sanitized and
> saved.
>   } else {
>      // Woa, failed validation and thus not saved!
>   }
>
> Enjoy,
>   John
>
>
>
> On Apr 21, 9:37 pm, "Dave Maharaj :: WidePixels.com"
>  wrote:
>> Would something like this work for cleaning data?
>>
>> function beforeSave() {
>>   App::import('Sanitize');
>>   Sanitize::paranoid($this->data);
>>   }
>>
>> and then in the controller
>>
>> if ($this->User->save($this->data)) {
>>
>> $this->beforeSave();
>>
>> }
>>
>> trying to figure out a way to clean the data easier rather than adding to
>> the controller
>>
>> $this->params['form']['value'] =
>> Sanitize::clean($this->params['form']['value'], array(' '));
>>
>> Thanks,
>>
>> Dave



Re: Sanitize

2009-04-22 Thread John Andersen

Hi Dave,

In your model, add the Sanitize usage, then in your controller, just
save as normal. Like:

Model:
function beforeSave() {
   App::import('Sanitize');
   // Sanitize::paranoid() strips every character that is not alphanumeric
   // (apart from an optional list of allowed characters), so it is a very
   // aggressive filter.
   $this->data = Sanitize::paranoid( $this->data );
   // beforeSave() must return true, otherwise Model::save() aborts the save.
   return true;
}

Controller:
...
   if ( $this->User->save( $this->data ) ) {
      // All is well with the save, it was validated, sanitized and
      // saved.
   } else {
      // Woa, failed validation and thus not saved!
   }

Enjoy,
   John



On Apr 21, 9:37 pm, "Dave Maharaj :: WidePixels.com"
 wrote:
> Would something like this work for cleaning data?
>
> function beforeSave() {
>   App::import('Sanitize');
>   Sanitize::paranoid($this->data);
>   }
>
> and then in the controller
>
> if ($this->User->save($this->data)) {
>
> $this->beforeSave();
>
> }
>
> trying to figure out a way to clean the data easier rather than adding to
> the controller
>
> $this->params['form']['value'] =
> Sanitize::clean($this->params['form']['value'], array(' '));
>
> Thanks,
>
> Dave



Sanitize

2009-04-21 Thread Dave Maharaj :: WidePixels.com
Would something like this work for cleaning data? 
 
 
function beforeSave() {
  App::import('Sanitize');
  Sanitize::paranoid($this->data);
  }
 
and then in the controller 
 
if ($this->User->save($this->data)) {
 
$this->beforeSave();
 
}
 
trying to figure out a way to clean the data easier rather than adding to
the controller
 
$this->params['form']['value'] =
Sanitize::clean($this->params['form']['value'], array(' '));
 
Thanks,
 
Dave




Re: Sanitize Question

2008-12-19 Thread teknoid

Doesn't seem like it would be necessary...
The only data that's "dangerous" for your DB is any sort of SQL
exploit, which you are already protected from by the core.
(i.e. the values are escaped before insertion or selection from DB).

On the other hand, you do need to make your data safe in the view...
so that one cannot add malicious javascript as part of the comments,
for example.
Cake has a handy function h(), which you can use like: echo h($someData);
... which will escape HTML chars and prevent script injection, etc.

On Dec 19, 3:44 pm, Tim  wrote:
> I want to sanitize the post before working with it or saving it to the
> database.
>
> Like this:
> <?php
> App::import('Sanitize');
> $this->data['Upload'] = Sanitize::clean($this->data['Upload']);
> ?>
>
> I have two questions:
> 1) Is this even necessary? Is this going to do anything for me or is
> it already being done?
> 2) After I change "<>$%$" to this "<>$%$" with the
> sanitizer; how do I get it back to "<>$%$" in the view? Is there a
> helper for this?
>
> Any help is appreciated. There are a few other unanswered posts about
> this...
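An added example (not code from the thread or from CakePHP) of the point teknoid makes above, and of Tim's second question: when input is stored unmodified and escaped with h() in the view, there is nothing to "get back", because the stored value is still the original text. Cake's h() wraps htmlspecialchars(), so plain PHP shows exactly what it does; the function names and the sample string are constructed for this example.

```php
<?php
// Added example, not code from the thread or from CakePHP.
// Store what the user typed, escape at output time: the view shows the
// original characters and the browser never receives live markup.

// What h() does. ENT_QUOTES encodes both quote styles, so the result is
// safe as element text and inside single- or double-quoted attributes.
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// The "clean on input" alternative: encode before the value is saved,
// which is what the encode step of Sanitize::clean() amounts to.
function encodeBeforeSave(string $value): string
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

// What a browser shows for escaped text: the entities are decoded once.
function asDisplayedByBrowser(string $html): string
{
    return html_entity_decode($html, ENT_QUOTES, 'UTF-8');
}

// Approach 1: store raw, escape in the view. The stored value equals the
// input and the displayed text equals it too, so nothing needs reversing.
function rawStorageRoundTrips(string $input): bool
{
    $stored    = $input;                         // saved unchanged
    $displayed = asDisplayedByBrowser(escapeForHtml($stored));
    return $displayed === $input;
}

// Approach 2: encode on input and still call h() in the view. The entity
// is escaped a second time and the visitor sees "&lt;" spelled out.
function inputEncodingDoubleEncodes(string $input): bool
{
    $stored    = encodeBeforeSave($input);
    $displayed = asDisplayedByBrowser(escapeForHtml($stored));
    return $displayed !== $input && strpos($displayed, '&lt;') !== false;
}

// Constructed sample: the characters Tim mentions plus a script tag.
$posted = 'Tim said: "<>$%$" <script>alert(1)</script>';

var_dump(rawStorageRoundTrips($posted));
var_dump(inputEncodingDoubleEncodes($posted));

// The markup that actually reaches the browser under approach 1.
echo '<p>' . escapeForHtml($posted) . "</p>\n";
```

Encoding on input and then trusting the stored column in the view is only as safe as every write path that ever touched that column; a row written by an import script or an older form reintroduces live markup silently, which is the practical reason the thread recommends h() at output time.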



Sanitize Question

2008-12-19 Thread Tim

I want to sanitize the post before working with it or saving it to the
database.

Like this:
<?php
App::import('Sanitize');
$this->data['Upload'] = Sanitize::clean($this->data['Upload']);
?>

I have two questions:
1) Is this even necessary? Is this going to do anything for me or is
it already being done?
2) After I change "<>$%$" to this "<>$%$" with the
sanitizer; how do I get it back to "<>$%$" in the view? Is there a
helper for this?

Any help is appreciated. There are a few other unanswered posts about
this...



Re: Sanitize::html replacing newlines with literal \n

2008-12-04 Thread RyOnLife


Thanks. Strange that your newlines were double backslashed. Your post put me
on the right track. I am using pre tags in my markup and didn't want to have
to go through all of my controllers looking for each instance of
Sanitize::clean, so I now have this as line 236 in sanitize.php:

$data = str_replace('\n', "\n", $data);




mathew-2 wrote:
> 
> 
> If you read my post further up from today, I already posted the source
> code that resolves your problem.

-- 
View this message in context: 
http://n2.nabble.com/Sanitize%3A%3Ahtml-replacing-newlines-with-literal-%5Cn-tp1608411p1615174.html
Sent from the CakePHP mailing list archive at Nabble.com.





Re: Sanitize::html replacing newlines with literal \n

2008-12-04 Thread Mathew

If you read my post further up from today, I already posted the source
code that resolves your problem.



Re: Sanitize::html replacing newlines with literal \n

2008-12-04 Thread RyOnLife


My bad. You're right. I just realized that while I thought commenting that
line out in sanitize.php did the trick, it actually worked because I'd
commented out the call to Sanitize::clean() in my controller. So it's not
Sanitize::html() that's the problem.

Looks like I am back to square one... How can I prevent newlines being
converted to literal \n?




mathew-2 wrote:
> 
> 
> That function is not called from Sanitize::html()
> 






Re: Sanitize::html replacing newlines with literal \n

2008-12-04 Thread Mathew

That function is not called from Sanitize::html()




Re: Sanitize::html replacing newlines with literal \n

2008-12-04 Thread RyOnLife


1.2 RC3
cake/libs/sanitize.php
line 147


mathew-2 wrote:
> 
> 
> What version of Cake are you using?






Re: Sanitize::html replacing newlines with literal \n

2008-12-04 Thread Mathew

What version of Cake are you using?



Re: Sanitize::html replacing newlines with literal \n

2008-12-04 Thread RyOnLife


@Matthew: Yes it does. I commented it out and it fixed the problem.





Re: Sanitize::html replacing newlines with literal \n

2008-12-04 Thread Mathew

Sanitize::html does not call stripWhitespace().

Sanitize::html replaces special characters with html escaped
characters, but I believe it leaves \n alone since the backslash does
not need escaping in html.

I am able to sanitize my data while retaining the new line character.
The only problem I've had is that the SQL cleaner adds an extra
backslash but otherwise it works fine for me.

$this->data['Document']['comments'] = $this->cleaner->html($this->data['Document']['comments'], true);
$this->data = $this->cleaner->clean($this->data);
$this->data['Document']['comments'] = str_replace("\\n", "", $this->data['Document']['comments']);

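An added example (not code from the thread or from CakePHP) of the mechanism behind the whole newline thread: a newline character ends up stored as the two characters backslash + n when a value is SQL-escaped twice, once by Sanitize::clean() and again by the DBO layer when Model::save() runs. It also shows what the str_replace() repair posted above does and does not cover. sqlEscape() and sqlUnescape() are constructed stand-ins for the driver's escaping and for MySQL's decoding of the INSERT, used only so the example runs without a database; all function names are chosen for this example.

```php
<?php
// Added example, not code from the thread or from CakePHP.

// Constructed stand-in for the driver: escapes the same characters
// mysql_real_escape_string() escapes.
function sqlEscape(string $value): string
{
    return strtr($value, [
        "\\"   => "\\\\",
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "'"    => "\\'",
        "\""   => "\\\"",
        "\x1a" => "\\Z",
    ]);
}

// Constructed stand-in for the server: one escaping layer is decoded when
// the INSERT is parsed, so the stored bytes are the value as it was before
// the *last* escape. strtr() matches the longest keys first.
function sqlUnescape(string $value): string
{
    return strtr($value, [
        "\\\\" => "\\",
        "\\0"  => "\0",
        "\\n"  => "\n",
        "\\r"  => "\r",
        "\\'"  => "'",
        "\\\"" => "\"",
        "\\Z"  => "\x1a",
    ]);
}

// Correct pipeline: the DBO layer escapes exactly once at save time.
function storeEscapedOnce(string $value): string
{
    return sqlUnescape(sqlEscape($value));
}

// Pipeline from the thread: Sanitize::clean() escapes, then save()
// escapes the already-escaped string a second time.
function storeEscapedTwice(string $value): string
{
    return sqlUnescape(sqlEscape(sqlEscape($value)));
}

// The repair posted in the thread: turn a literal backslash-n back into a
// newline after the fact.
function repairLiteralNewlines(string $stored): string
{
    return str_replace('\n', "\n", $stored);
}

// Each entry answers one question about the pipelines above.
function demonstrate(): array
{
    $comment = "line one\nline two, it's \"quoted\"";   // constructed input
    $snippet = 'use "\n" for a line break';            // a user who typed \n

    $twice    = storeEscapedTwice($comment);
    $repaired = repairLiteralNewlines($twice);

    return [
        'escape_once_stores_input_unchanged' => storeEscapedOnce($comment) === $comment,
        'escape_twice_stores_literal_backslash_n' => strpos($twice, '\n') !== false,
        'repair_restores_the_newline' => strpos($repaired, "\n") !== false,
        // The quotes got the same extra backslash and the repair ignores them.
        'repair_leaves_backslash_before_quotes' => strpos($repaired, "\\'") !== false,
        // Applied to a correctly stored value, the repair corrupts a real \n.
        'repair_corrupts_legitimate_input' => repairLiteralNewlines(storeEscapedOnce($snippet)) !== $snippet,
    ];
}

print_r(demonstrate());
```

The repair only patches one of the escaped characters and cannot tell a double-escaped newline from a backslash-n the user actually typed, so the robust fix is to escape once: leave SQL escaping to the model and, when Sanitize::clean() is still wanted for its encoding steps, pass its `escape` option as false (Cake 1.2's Sanitize::clean() accepts an options array with an `escape` key).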



Re: Sanitize::html replacing newlines with literal \n

2008-12-03 Thread RyOnLife


Looking at http://api.cakephp.org/sanitize_8php-source.html#l00103 it appears
that stripWhitespace() is the offending function.

I'd rather not modify the Cake core, so is there another way to change this
function to suit my needs?





Sanitize::html replacing newlines with literal \n

2008-12-03 Thread RyOnLife


When Sanitize::html runs on data, it is changing newlines to \n. When I look
at my data in MySQL, it's literally filled with \n characters. This renders
both PRE and nl2br() because they're looking for newlines, not the
characters \n. How can I get Sanitize::html to leave the newlines alone
instead of converting to \n? Thanks!





Re: Sanitize, weird. Class 'App' not found.

2008-11-18 Thread Daniel Hofstetter

@Dardo Sordi: Ah yes, you are right, I should have read it more
thoroughly. Thanks for correcting me!

--
Daniel Hofstetter
http://cakebaker.42dh.com





Re: Sanitize, weird. Class 'App' not found.

2008-11-18 Thread mark_story

If you are using 1.1, there is no App class, and as such you must use
uses()

-Mark

On Nov 18, 3:10 am, "Louie Miranda" <[EMAIL PROTECTED]> wrote:
> <?php
> App::import('Sanitize');
> class CatalogsController extends AppController
> {
>
> *Fatal error*: Class 'App' not found in *
>
> > /Volumes/Web/Www/adminpage2/app/controllers/catalogs_controller.php* on
> > line *2*
>
> It's weird. I think this is the proper way of instantiating the App::import.
> However, I got the error -> Class 'App' not found? hehe.
>
> Any ideas? Do I have to clear my cache again? or check the import path?
> anyway, I am going to check again.
>
> --
> Louie Miranda ([EMAIL PROTECTED])http://blog.louiemiranda.net
>
> Security Is A Series Of Well-Defined Steps
> chmod -R 0 / ; and smile :)



Re: Sanitize, weird. Class 'App' not found.

2008-11-18 Thread Dardo Sordi Bogado

@Daniel

> *Fatal error*: Class 'App' not found in *

That means there is no such class... so changing parameters would
make no difference.

@Louie: Are you using Cake 1.2? If yes, then it is a very old one...
If not, App::import() is for Cake 1.2

Regards,
- Dardo Sordi.


On Tue, Nov 18, 2008 at 7:33 AM, Daniel Hofstetter <[EMAIL PROTECTED]> wrote:
>
> Hi Louie,
>
>> <?php
>> App::import('Sanitize');
>> class CatalogsController extends AppController
>> {
>>
>> *Fatal error*: Class 'App' not found in *
>>
>> > /Volumes/Web/Www/adminpage2/app/controllers/catalogs_controller.php* on
>> > line *2*
>>
>> It's weird. I think this is the proper way of instantiating the App::import.
>> However, I got the error -> Class 'App' not found? hehe.
>>
>> Any ideas? Do I have to clear my cache again? or check the import path?
>> anyway, I am going to check again.
>
> Try App::import('Core', 'Sanitize');
>
> Hope that helps!
>
> --
> Daniel Hofstetter
> http://cakebaker.42dh.com




Re: Sanitize, weird. Class 'App' not found.

2008-11-18 Thread Daniel Hofstetter

Hi Louie,

> <?php
> App::import('Sanitize');
> class CatalogsController extends AppController
> {
>
> *Fatal error*: Class 'App' not found in *
>
> > /Volumes/Web/Www/adminpage2/app/controllers/catalogs_controller.php* on
> > line *2*
>
> It's weird. I think this is the proper way of instantiating the App::import.
> However, I got the error -> Class 'App' not found? hehe.
>
> Any ideas? Do I have to clear my cache again? or check the import path?
> anyway, I am going to check again.

Try App::import('Core', 'Sanitize');

Hope that helps!

--
Daniel Hofstetter
http://cakebaker.42dh.com



Re: Sanitize, weird. Class 'App' not found.

2008-11-18 Thread Louie Miranda
However,

uses('sanitize');

Works.

Louie

On Tue, Nov 18, 2008 at 4:10 PM, Louie Miranda <[EMAIL PROTECTED]> wrote:

> <?php
> App::import('Sanitize');
> class CatalogsController extends AppController
> {
>
> *Fatal error*: Class 'App' not found in *
>> /Volumes/Web/Www/adminpage2/app/controllers/catalogs_controller.php* on
>> line *2*
>>
>
> It's weird. I think this is the proper way of instantiating the App::import.
> However, I got the error -> Class 'App' not found? hehe.
>
> Any ideas? Do I have to clear my cache again? or check the import path?
> anyway, I am going to check again.
>
> --
> Louie Miranda ([EMAIL PROTECTED])
> http://blog.louiemiranda.net
>
> Security Is A Series Of Well-Defined Steps
> chmod -R 0 / ; and smile :)
>



-- 
Louie Miranda ([EMAIL PROTECTED])
http://blog.louiemiranda.net

Security Is A Series Of Well-Defined Steps
chmod -R 0 / ; and smile :)




Sanitize, weird. Class 'App' not found.

2008-11-18 Thread Louie Miranda
<?php
App::import('Sanitize');
class CatalogsController extends AppController
{

*Fatal error*: Class 'App' not found in *
> /Volumes/Web/Www/adminpage2/app/controllers/catalogs_controller.php* on
> line *2*

It's weird. I think this is the proper way of instantiating the App::import.
However, I got the error -> Class 'App' not found? hehe.

Any ideas? Do I have to clear my cache again? or check the import path?
anyway, I am going to check again.

-- 
Louie Miranda ([EMAIL PROTECTED])
http://blog.louiemiranda.net

Security Is A Series Of Well-Defined Steps
chmod -R 0 / ; and smile :)




Re: undefined method Sanitize::sql()

2008-10-22 Thread Gwoo

Sanitize was never required to prevent SQL injection, as the dbo layer
handles that already by correctly escaping values. If you want to use
Sanitize, make sure you App::import('Sanitize').



undefined method Sanitize::sql()

2008-10-21 Thread Nelson Cysneros


While trying to run IBM's "Cook up Web sites fast with CakePHP"
tutorial, I get the following error message.

Fatal error: Call to undefined method Sanitize::sql() in C:\wamp\www
\tor\app\controllers\users_controller.php on line 18

Everything works until I add the Sanitize::sql methods.  I'm using
the tutorial code sample to run it, using CakePHP 1.2.0.7296-rc2.

Reading through the newsgroup, it sounds like we no longer need to use
the Sanitize method. It's done automatically for you when you save...
Can anyone verify this?  Should the tutorial code work anyway?  Any
suggestions?

Thanks.



Re: Sanitize problem with writing negative numbers into db

2008-10-12 Thread Stinkbug

The best part of Sanitize that I found was the stripAll/stripScripts,
if you want to prevent things like XSS attacks.  However, I'm a big fan
of the HTMLPurifier that I'm already using in my app.  I think for my
app, I'm going to use the HTMLPurifier and create a function to loop
through arrays of data, much like Sanitize::clean, to clean up my
data.  Just some thoughts.

Speaking of which, how does Sanitize::clean loop through an entire
array?  Is there some sort of method that's already built into cake
that will do this?

On Oct 10, 7:37 am, stefanski <[EMAIL PROTECTED]> wrote:
> Hi folks, I want to clean up user input before saving into the
> database, but when I Sanitize::clean($this->data) it changes negative
> integer values like -10 into -10 and I get a database (Postgres)
> error because - obviously - it's not an integer anymore.
>
> I want to avoid manually cleaning every text field and wonder what
> other people - like you! - do?
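Stinkbug asks above how Sanitize::clean() loops through an entire array: it recurses into nested arrays and cleans the string leaves. The following is an added example, not code from the thread or from CakePHP, of the same walk written so that a cleaner is applied only to the fields meant to hold HTML (the WYSIWYG case), while titles, numbers such as stefanski's -10 and everything else reach the database exactly as posted and are escaped with h() in the view. It assumes Cake's request-data shape (Model.field, and Model.N.field for hasMany rows); cleanHtmlFields() and demoCleaner() are names chosen for this example, and demoCleaner() is a constructed stand-in for an HTMLPurifier instance's purify() method.

```php
<?php
// Added example, not code from the thread or from CakePHP.

/**
 * Walk $data recursively and apply $clean to string values whose
 * "Model.field" path is listed in $htmlFields. Everything else (ints,
 * floats, bools, nulls, plain-text strings) is returned untouched.
 */
function cleanHtmlFields(array $data, callable $clean, array $htmlFields, string $path = ''): array
{
    foreach ($data as $key => $value) {
        // Integer keys are hasMany row indexes; they do not extend the path,
        // so Comment.0.body and Comment.1.body both map to "Comment.body".
        if (is_int($key)) {
            $segment = $path;
        } else {
            $segment = ($path === '') ? (string)$key : $path . '.' . $key;
        }

        if (is_array($value)) {
            $data[$key] = cleanHtmlFields($value, $clean, $htmlFields, $segment);
        } elseif (is_string($value) && in_array($segment, $htmlFields, true)) {
            $data[$key] = $clean($value);
        }
    }
    return $data;
}

// Constructed stand-in for a real HTML sanitizer: keeps a tiny tag whitelist
// and drops every other tag. strip_tags() is not a security filter on its
// own; plug in HTMLPurifier here for anything real.
function demoCleaner(string $html): string
{
    return strip_tags($html, '<b><i><p>');
}

// True when the fields that must not be touched came through unchanged.
function plainFieldsUntouched(array $before, array $after): bool
{
    return $after['Post']['title'] === $before['Post']['title']
        && $after['Post']['balance'] === $before['Post']['balance']
        && $after['Comment'][1]['body'] === $before['Comment'][1]['body'];
}

// Constructed sample post: a rich-text body, a plain title, a negative
// number and two hasMany comment rows.
$request = [
    'Post' => [
        'title'   => 'Q3 <report>',
        'body'    => '<p>Hello <b>world</b><script>alert(1)</script></p>',
        'balance' => '-10',
    ],
    'Comment' => [
        ['body' => '<i>nice</i><img src=x onerror=alert(1)>'],
        ['body' => 'plain text, 5 > 3'],
    ],
];

$cleaned = cleanHtmlFields($request, 'demoCleaner', ['Post.body', 'Comment.body']);

print_r($cleaned);
var_dump(plainFieldsUntouched($request, $cleaned));
```

This is the shape of function the thread keeps reaching for: call it from beforeSave() (and return true) or in the controller just before save(), with the list of HTML-bearing fields kept next to the model so a new form field is plain text by default rather than silently run through the purifier.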



Re: Sanitize problem with writing negative numbers into db

2008-10-11 Thread Dardo Sordi Bogado

Cake will escape your data before saving it to the database if you are
using Model::save(); your model should validate the data so it's
conforming to your application input requirements; Cake helpers
(form/html) will escape it when displaying; and you can use the h()
function for outputting data that can have bad HTML. So: why are you
using Sanitize?

On Fri, Oct 10, 2008 at 10:37 AM, stefanski <[EMAIL PROTECTED]> wrote:
>
> Hi folks, I want to clean up user input before saving into the
> database, but when I Sanitize::clean($this->data) it changes negative
> integer values like -10 into -10 and I get a database (Postgres)
> error because - obviously - it's not an integer anymore.
>
> I want to avoid manually cleaning every text field and wonder what
> other people - like you! - do?



