htmlpurifier sanitize form data

2014-08-11 Thread vbpupil
Not sure if anyone is familiar with this plugin? I have it installed and
can sanitize individual strings, i.e.:

$test = Purifier::clean('<strong>hi<script>$( document ).ready(function() {
alert("hacked!"); });</script>', 'general');

which is working fine, but I want to sanitize my form data, i.e.:

$this->request->data = Purifier::clean($this->request->data, 'general');

which is failing because it's an array (see below). Surely there must be an
easier way to do this?

preg_match() expects parameter 2 to be string, array given
[APP/Plugin/HtmlPurifier/Vendor/HtmlPurifier/library/HTMLPurifier/Lexer.php, line 316]



-- 
Like Us on FaceBook https://www.facebook.com/CakePHP
Find us on Twitter http://twitter.com/CakePHP

--- 
You received this message because you are subscribed to the Google Groups 
CakePHP group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cake-php+unsubscr...@googlegroups.com.
To post to this group, send email to cake-php@googlegroups.com.
Visit this group at http://groups.google.com/group/cake-php.
For more options, visit https://groups.google.com/d/optout.


Re: htmlpurifier sanitize form data

2014-08-11 Thread Stephen S
You could use array_walk to do this; if you know the model name it'd be
easier: http://php.net/manual/en/function.array-walk.php

array_walk($this->request->data['Model'], '_purify');



-- 
Kind Regards
 Stephen Speakman

-- 
Like Us on FaceBook https://www.facebook.com/CakePHP
Find us on Twitter http://twitter.com/CakePHP

--- 
You received this message because you are subscribed to the Google Groups 
CakePHP group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cake-php+unsubscr...@googlegroups.com.
To post to this group, send email to cake-php@googlegroups.com.
Visit this group at http://groups.google.com/group/cake-php.
For more options, visit https://groups.google.com/d/optout.


Re: htmlpurifier sanitize form data

2014-08-11 Thread euromark
Maybe you want to use https://github.com/burzum/cakephp-html-purifier
instead.
It's also documented.

mark



Re: htmlpurifier sanitize form data

2014-08-11 Thread vbpupil
Thanks Mark

I wasn't able to find the solution there, unless I'm completely missing
something.




Re: htmlpurifier sanitize form data

2014-08-11 Thread euromark
If you used that, I bet you wouldn't run into the error above,
as it handles it in a cleaner way.




Re: htmlpurifier sanitize form data

2014-08-11 Thread vbpupil
Thanks Stephen

I'll keep playing, but I wasn't able to get it working using this method; I'll
keep reading the link you provided.

I'm wondering if this is the right way to go, or to save all user data and strip
it when I come to use the data. I know this is a little off topic, but I would be
interested in hearing your thoughts?



Re: htmlpurifier sanitize form data

2014-08-11 Thread euromark
No, actually it's not.
This approach should only be taken for HTML content going in when you are
providing WYSIWYG editors for the form inputs etc.
Otherwise, all normal text input posted should go into the DB without any
modification. It's a bad practice to filter those.

Simply use h() to secure the output upon display. Done.

mark
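Putting Stephen's array_walk idea and Mark's rule (purify only the WYSIWYG fields, leave everything else as submitted and escape it at output) together, here is an added example. It is not code from the thread, from the HtmlPurifier plugin or from burzum's plugin. It assumes the HTML Purifier library's own HTMLPurifier.auto.php loader is reachable on the include path; the field name body, the tag allow-list and the sample request array are constructed for the demonstration, and h() is redefined here only so the script runs stand-alone (inside a Cake app, use the framework's h()).

```php
<?php
// Added example, not code from the thread or from either HtmlPurifier plugin.
// Assumption: HTMLPurifier.auto.php from the HTML Purifier library directory
// is reachable on the include path (adjust the require for your layout).
require_once 'HTMLPurifier.auto.php';

// One purifier with an explicit allow-list. Everything not listed (script,
// style, on* handlers, javascript: URLs) is dropped by the library.
function buildPurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', 'p,br,strong,em,ul,ol,li,blockquote,a[href]');
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true, 'mailto' => true]);
    $config->set('Cache.DefinitionImpl', null); // no cache directory needed for a demo
    return new HTMLPurifier($config);
}

// Walk the nested request array and purify only the leaves whose key is in
// $richTextFields. Every other scalar is left exactly as it was submitted.
function purifyRequestData(array $data, array $richTextFields, HTMLPurifier $purifier): array
{
    foreach ($data as $key => $value) {
        if (is_array($value)) {
            $data[$key] = purifyRequestData($value, $richTextFields, $purifier);
        } elseif (is_string($value) && is_string($key) && in_array($key, $richTextFields, true)) {
            $data[$key] = $purifier->purify($value);
        }
    }
    return $data;
}

// Output escaping for everything that is not rich text; this mirrors what
// CakePHP's h() does and is the only control plain text fields need.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed stand-in for $this->request->data as CakePHP 2 shapes it.
$requestData = [
    'Post' => [
        'title' => 'Hello <script>alert(1)</script> & "friends"',
        'body'  => '<strong>hi<script>$( document ).ready(function() { alert("hacked!"); });</script>'
                 . '<a href="javascript:alert(2)">link</a><p onclick="evil()">text</p>',
    ],
];

$purifier = buildPurifier();
$clean = purifyRequestData($requestData, ['body'], $purifier);

// body: the script element and its contents, the javascript: href and the
// onclick attribute are removed; the allowed tags survive and are balanced.
echo $clean['Post']['body'], PHP_EOL;

// title: untouched in the data array (stored as submitted), escaped on display.
echo h($clean['Post']['title']), PHP_EOL;
```

In a CakePHP 2 controller the call would be `$this->request->data = purifyRequestData($this->request->data, ['body'], $purifier);` before the save. Fields are matched by leaf key name, so every model in the request with a `body` key is purified; if that is too broad, match on the full `Model.field` path instead.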




Re: consoleShell & Sanitize class

2013-08-15 Thread malducin
I did panic a little when I saw that Sanitize was being deprecated. I use 
it in all my models before save to clean inputs of non-HTML data. I even 
extended the Sanitize class to use htmlspecialchars instead of htmlentities 
(have to preserve accented characters, etc.).

Anyway I prefer to sanitize input before being saved as opposed to just 
using h() on output. For non HTML fields I think a viable alternative is to 
use the filter functions in PHP, for example:

http://php.net/manual/en/function.filter-var.php

For HTML input I use the HTML Purifier library as a vendor package and use
a component to clean the input before saving in the controller. I just
updated the Brita component that was posted a long time ago in the Bakery:

http://bakery.cakephp.org/articles/debuggeddesigns/2008/11/04/brita-component-with-html-purifier
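An added example (not malducin's component and not the Brita component) of the filter_var() approach for non-HTML fields: each field is validated against a filter and rejected on failure rather than rewritten. The rules, the extra scheme check and the sample submission are constructed for the demonstration; the arrow function needs PHP 7.4 or later.

```php
<?php
// Added example, not from the thread: validate non-HTML form fields with the
// filter extension and reject what fails instead of modifying it. Field names,
// rules and the sample submission are constructed.

// Each rule holds the filter constant plus an optional options/flags argument,
// passed to filter_var() unchanged, and an optional extra policy callback.
function validateFields(array $data, array $rules): array
{
    $valid  = [];
    $errors = [];
    foreach ($rules as $field => $rule) {
        $raw = $data[$field] ?? '';
        if (!is_string($raw) || $raw === '') {
            $errors[$field] = 'missing';   // arrays and empty values are not accepted
            continue;
        }
        // filter_var() returns false when the value does not pass the filter.
        $result = filter_var($raw, $rule['filter'], $rule['options'] ?? 0);
        if ($result === false) {
            $errors[$field] = 'invalid';
            continue;
        }
        // Policy the built-in filters do not enforce (see the URL rule below).
        if (isset($rule['check']) && !$rule['check']($result)) {
            $errors[$field] = 'rejected';
            continue;
        }
        $valid[$field] = $result;
    }
    return ['valid' => $valid, 'errors' => $errors];
}

$rules = [
    'email' => ['filter' => FILTER_VALIDATE_EMAIL],
    'age'   => [
        'filter'  => FILTER_VALIDATE_INT,
        'options' => ['options' => ['min_range' => 13, 'max_range' => 120]],
    ],
    'homepage' => [
        'filter' => FILTER_VALIDATE_URL,
        // FILTER_VALIDATE_URL checks syntax only and accepts any scheme that
        // carries a host part (ftp, gopher, ...), so pin the scheme explicitly.
        'check'  => fn(string $url) => in_array(parse_url($url, PHP_URL_SCHEME), ['http', 'https'], true),
    ],
];

// Constructed form submission. 'display' has no rule: free text is stored
// as submitted and escaped with h() when it is rendered.
$submitted = [
    'email'    => 'alice@example.test',
    'age'      => '17',
    'homepage' => 'ftp://files.example.test/pub',
    'display'  => '<b>Alice</b>',
];

$outcome = validateFields($submitted, $rules);
print_r($outcome);
```

With this input the e-mail and age pass (age comes back as an int), and the homepage is rejected by the scheme check even though FILTER_VALIDATE_URL accepted it; nothing is silently rewritten.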



consoleShell & Sanitize class

2013-08-13 Thread Jason Bramley
Hi,

I see from the 2.4.0-rc1 release notes that these two items are deprecated 
and will be removed in 3.x

Two questions come to mind:

1) Why?
2) What are the recommended replacements?

Thanks
Jason



Re: consoleShell & Sanitize class

2013-08-13 Thread euromark
Sanitizing too harshly, or the way Sanitize was used in general, was
usually a bad way of doing things.
See https://github.com/cakephp/docs/pull/688/files for details.
Basically, you just need to always use h() in your output and you've got
everything you need.

ConsoleShell does not need a replacement. It's kinda silly to use it when
you can have a whole PHPUnit test suite at your disposal.
Just write a simple test, even if it's just temporary. And if it's not, this
will also save you the trouble of retyping it again and again.
It was an overhead to maintain this shell, as nobody really ever uses it.





Re: Why Sanitize::stripTags not working in controller index() function;

2010-12-14 Thread euromark
Why would you want to do that in the first place,
despite the fact that every line of code in your snippet seems to be
wrong^^

What you need is h() in the view templates:
<?php echo h($var); ?>

That's all you need to escape and secure your views.


On 14 Dec., 07:08, Dave Maharaj m...@davemaharaj.com wrote:
 Off the top of my head I do not think stripTags works over each element of
 an array like $this->data

 You would need to be specific to the key, like
 $this->data['GoogleNews']['content'] or whatever field. Check out
 Sanitize::clean, which works through the array of $this->data with 8 different
 options to apply to the data set.

 Dave


Check out the new CakePHP Questions site http://cakeqs.org and help others with 
their CakePHP related questions.

You received this message because you are subscribed to the Google Groups 
CakePHP group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to
cake-php+unsubscr...@googlegroups.com For more options, visit this group at 
http://groups.google.com/group/cake-php?hl=en


Re: Why Sanitize::stripTags not working in controller index() function;

2010-12-14 Thread Ryan Schmidt
On Dec 14, 2010, at 09:09, euromark wrote:

 What you need is h() in the view templates:
 <?php echo h($var); ?>
 
 That's all you need to escape and secure your views.

Yeah, but that doesn't accomplish his stated goal: to remove the div tags that
are in the RSS data he's receiving:

 From: Lord_JABA [mailto:lordj...@gmail.com]
 Sent: December-13-10 5:48 PM
 To: CakePHP
 Subject: Why Sanitize::stripTags not working in controller index() function;
 
 I want to get rid of div tags in data from RSS just before I send it
 to the view.



Re: Why Sanitize::stripTags not working in controller index() function;

2010-12-14 Thread euromark
Sure^^ but based on the skill of this developer I guessed that he
wanted to secure the result,
and that's not done by stripping tags.

Either way, his code is so bad/unclear that we cannot be sure of what
he wants to achieve.




Why Sanitize::stripTags not working in controller index() function;

2010-12-13 Thread Lord_JABA
I want to get rid of div tags in data from RSS just before I send it
to the view.
I'm trying to do it this way:
function index() {
    $this->data = Sanitize::stripTags($this->data, 'div');
    $this->set('gnews', $this->paginate('GoogleNews'));
}
and this way:
function index() {
    Sanitize::stripTags($this->data, 'div');
    $this->set('gnews', $this->paginate('GoogleNews'));
}
but I'm still getting:
(...)HTC EVO 4G</a></div><div></div><div>(...)
from <?php debug($gnews) ?>

What mistake am I making?



Re: Why Sanitize::stripTags not working in controller index() function;

2010-12-13 Thread Amit Badkas
Hi,

I didn't get what you are trying to achieve here. You want sanitized data in
$gnews, which is a paginated list, but you are sanitizing $this->data.
However, Sanitize::stripTags() needs its first parameter to be a string, and as per
your description, $this->data seems to be an array.

Amit Badkas

PHP Applications for E-Biz: http://www.sanisoft.com
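As an added example (not code from the thread), here is what Amit's answer amounts to: apply the tag removal to the string field inside each paginated row, not to $this->data. The stripTag() helper is a plain-PHP stand-in for Sanitize::stripTags() (a regex that removes one tag name), the $gnews rows are constructed, and the final loop makes euromark's caveat concrete: removing div does not make feed HTML safe to echo.

```php
<?php
// Added example, not from the thread. stripTag() is a plain-PHP stand-in for
// Sanitize::stripTags(): it removes one tag name (open and close, with any
// attributes) from a single string, which is all that helper does.
function stripTag(string $html, string $tag): string
{
    $pattern = '#</?' . preg_quote($tag, '#') . '(\s[^>]*)?>#i';
    return preg_replace($pattern, '', $html);
}

// Apply it to the field the view actually renders: one string inside each
// paginated row, rather than the request array in $this->data.
function stripTagFromRows(array $rows, string $model, string $field, string $tag): array
{
    foreach ($rows as $i => $row) {
        if (isset($row[$model][$field]) && is_string($row[$model][$field])) {
            $rows[$i][$model][$field] = stripTag($row[$model][$field], $tag);
        }
    }
    return $rows;
}

// Does the markup still carry anything that executes? A crude check that is
// enough to show the point; it is not itself a sanitizer.
function looksExecutable(string $html): bool
{
    return (bool) preg_match('/<script\b|\bon\w+\s*=|javascript:/i', $html);
}

// Constructed stand-in for the rows returned by $this->paginate('GoogleNews').
$gnews = [
    ['GoogleNews' => [
        'title'   => 'Phones',
        'content' => '<div class="lh"><a href="http://example.test/evo">HTC EVO 4G</a></div><div></div><div>',
    ]],
    ['GoogleNews' => [
        'title'   => 'Feed item with a payload',
        'content' => '<div>plain</div><img src="x" onerror="alert(1)">',
    ]],
];

$stripped = stripTagFromRows($gnews, 'GoogleNews', 'content', 'div');

foreach ($stripped as $row) {
    $content = $row['GoogleNews']['content'];
    printf("%s: div tags left=%d, still executable=%s\n",
        $row['GoogleNews']['title'],
        substr_count(strtolower($content), '<div'),
        looksExecutable($content) ? 'yes' : 'no');
}
// The second row still carries its onerror handler after the divs are gone:
// stripping a tag name tidies the markup, it does not secure it. Escape the
// field with h() in the view, or run it through an allow-list sanitizer
// such as HTML Purifier, before echoing feed HTML.
```

In the controller this becomes `$this->set('gnews', stripTagFromRows($this->paginate('GoogleNews'), 'GoogleNews', 'content', 'div'));`, i.e. the result of paginate() is filtered, not the request data.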





Re: HTML Purifier or Sanitize core library

2010-10-07 Thread mark_story
Personally I use textile, as it has more syntax elements than markdown
does.  The API however uses markdown, and there is a markdown parser
helper in the ApiGenerator plugin if you are looking for one.

-Mark



Re: HTML Purifier or Sanitize core library

2010-10-06 Thread mark_story
HTML Purifier is miles better than Sanitize. I would recommend
escaping and using a text processor like markdown or textile.
However, if you need to accept html from the unwashed masses, use
HTMLPurifier.

-Mark

On Oct 4, 1:02 pm, Loic Duros loic.du...@gmail.com wrote:
 Hello,

 I'm currently building a blog with CakePHP, and I would like to
 sanitize/filter my posts before they are displayed on screen to prevent
 cross-site scripting. However, I would still like to allow for a great deal
 of HTML markup and attributes in the HTML. I have tried using the Sanitize
 Core Library but, as far as I know, it doesn't allow for filtering some tags
 while keeping others. As a result, I'm looking into HTML Purifier
 (http://htmlpurifier.org/) to do the job in my controller and/or view
 template files. I found the following Brita Component in the
 Bakery: http://bakery.cakephp.org/articles/view/brita-component-with-html-pur...

 I wonder however if anyone has implemented such a filtering/sanitizing
 solution for their site and if I'm missing something obvious I should be
 using to secure my site on that end.

 Thank you,

 Loic



Re: HTML Purifier or Sanitize core library

2010-10-06 Thread Loic Duros
Thanks for all the answers --

Mark, do you use Markdown or textile at mark-story.com to write blog posts?
Just curious since it seems you have lots of HTML in there.

Thanks again,

Loic


-- 
Loic J. Duros - www.lduros.net



Re: HTML Purifier or Sanitize core library

2010-10-05 Thread Maurits van der Schee

Hi,

As I like thinking outside of the box, I would recommend Textile and
Markdown:


http://www.elated.com/articles/textile-markdown-nice-alternatives-to-wysiwyg-editors/

Regards,

Maurits

On 10/04/2010 07:02 PM, Loic Duros wrote:

Hello,

I'm currently building a blog with CakePHP, and I would like to
sanitize/filter my posts before they are displayed on screen to prevent
cross-site scripting. However, I would still like to allow for a great
deal of HTML markup and attributes in the HTML. I have tried using the
Sanitize Core Library but, as far as I know, it doesn't allow for
filtering some tags while keeping others. As a result, I'm looking into
HTML Purifier (http://htmlpurifier.org/) to do the job in my controller
and/or view template files. I found the following Brita Component in the
Bakery:
http://bakery.cakephp.org/articles/view/brita-component-with-html-purifier

I wonder however if anyone has implemented such a filtering/sanitizing
solution for their site and if I'm missing something obvious I should be
using to secure my site on that end.

Thank you,

Loic






Re: HTML Purifier or Sanitize core library

2010-10-05 Thread euromark
I like to use BBCode (there are some WYSIWYG editors for that as well).
That's clean and does work really well with h() escaping. By the way,
it also allows the user to add lots of special tags (smileys,
videos, ...) out of the box (if wanted).


On 5 Okt., 10:37, Maurits van der Schee maur...@vdschee.nl wrote:
 Hi,

 As I like thinking outside of the box i would recommend Textile and
 Markdown:

 http://www.elated.com/articles/textile-markdown-nice-alternatives-to-...

 Regards

 Maurits

 On 10/04/2010 07:02 PM, Loic Duros wrote:



  Hello,

  I'm currently building a blog with CakePHP, and I would like to
  sanitize/filter my posts before they are displayed on screen to prevent
  cross-site scripting. However, I would still like to allow for a great
  deal of HTML markup and attributes in the HTML. I have tried using the
  Sanitize Core Library but, as far as I know, it doesn't allow for
  filtering some tags while keeping others. As a result, I'm looking into
  HTML Purifier (http://htmlpurifier.org/) to do the job in my controller
  and/or view template files. I found the following Brita Component in the
  Bakery:
 http://bakery.cakephp.org/articles/view/brita-component-with-html-pur...

  I wonder however if anyone has implemented such a filtering/sanitizing
  solution for their site and if I'm missing something obvious I should be
  using to secure my site on that end.

  Thank you,

  Loic




HTML Purifier or Sanitize core library

2010-10-04 Thread Loic Duros
Hello,

I'm currently building a blog with CakePHP, and I would like to
sanitize/filter my posts before they are displayed on screen to prevent
cross-site scripting. However, I would still like to allow for a great deal
of HTML markup and attributes in the HTML. I have tried using the Sanitize
Core Library but, as far as I know, it doesn't allow for filtering some tags
while keeping others. As a result, I'm looking into HTML Purifier (
http://htmlpurifier.org/) to do the job in my controller and/or view
template files. I found the following Brita Component in the Bakery:
http://bakery.cakephp.org/articles/view/brita-component-with-html-purifier

I wonder however if anyone has implemented such a filtering/sanitizing
solution for their site and if I'm missing something obvious I should be
using to secure my site on that end.

Thank you,

Loic



Re: HTML Purifier or Sanitize core library

2010-10-04 Thread euromark
Overhead. See similar posts on this matter.

Simply use h() to make sure XSS cannot harm your site.


On 4 Okt., 19:02, Loic Duros loic.du...@gmail.com wrote:
 Hello,

 I'm currently building a blog with CakePHP, and I would like to
 sanitize/filter my posts before they are displayed on screen to prevent
 cross-site scripting. However, I would still like to allow for a great deal
 of HTML markup and attributes in the HTML. I have tried using the Sanitize
 Core Library but, as far as I know, it doesn't allow for filtering some tags
 while keeping others. As a result, I'm looking into HTML Purifier 
 (http://htmlpurifier.org/) to do the job in my controller and/or view
 template files. I found the following Brita Component in the 
 Bakery:http://bakery.cakephp.org/articles/view/brita-component-with-html-pur...

 I wonder however if anyone has implemented such a filtering/sanitizing
 solution for their site and if I'm missing something obvious I should be
 using to secure my site on that end.

 Thank you,

 Loic



Re: HTML Purifier or Sanitize core library

2010-10-04 Thread Dr. Loboto
Don't know about that component. We implemented a behavior that repairs
and sanitizes user HTML with the HTML Purifier library before saving to the DB.
In this case the expensive purifying is done only once, on save, instead of
every time, on view.

On 5 окт, 00:02, Loic Duros loic.du...@gmail.com wrote:
 Hello,

 I'm currently building a blog with CakePHP, and I would like to
 sanitize/filter my posts before they are displayed on screen to prevent
 cross-site scripting. However, I would still like to allow for a great deal
 of HTML markup and attributes in the HTML. I have tried using the Sanitize
 Core Library but, as far as I know, it doesn't allow for filtering some tags
 while keeping others. As a result, I'm looking into HTML Purifier 
 (http://htmlpurifier.org/) to do the job in my controller and/or view
 template files. I found the following Brita Component in the 
 Bakery:http://bakery.cakephp.org/articles/view/brita-component-with-html-pur...

 I wonder however if anyone has implemented such a filtering/sanitizing
 solution for their site and if I'm missing something obvious I should be
 using to secure my site on that end.

 Thank you,

 Loic

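Purify-on-save as a model behavior, written out as an added example in the spirit of the behavior described in this message; it is not that poster's code. It assumes the CakePHP 1.3 behavior API, HTML Purifier unpacked under app/vendors/htmlpurifier/, and a model attaching it with `var $actsAs = array('Purifiable' => array('fields' => array('body')));`. The behavior name, vendor path, field list and allowlist are all hypothetical; the HTML Purifier configuration keys (HTML.Allowed, URI.AllowedSchemes, Cache.SerializerPath) are the library's own.

```php
<?php
/**
 * PurifiableBehavior: run HTML Purifier over selected fields in beforeSave().
 *
 * Added example, not the behavior from the thread. Assumptions (hypothetical):
 * CakePHP 1.3 behavior API, HTML Purifier under app/vendors/htmlpurifier/,
 * and a model using
 *   var $actsAs = array('Purifiable' => array('fields' => array('body')));
 */
App::import('Vendor', 'htmlpurifier', array(
    'file' => 'htmlpurifier' . DS . 'library' . DS . 'HTMLPurifier.auto.php',
));

class PurifiableBehavior extends ModelBehavior {

    var $settings = array();
    var $purifiers = array();

    function setup(&$model, $config = array()) {
        $defaults = array(
            'fields' => array(),
            // An allowlist, not a blocklist: every element or attribute absent
            // from this string (script, style, iframe, on* handlers, ...) is
            // removed. Widen it deliberately, per model, when content needs it.
            'allowed' => 'p,br,strong,em,ul,ol,li,blockquote,code,pre,h2,h3,'
                       . 'a[href|title],img[src|alt|width|height]',
        );
        $this->settings[$model->alias] = array_merge($defaults, $config);
    }

    /**
     * One purifier per model alias, since the allowlist may differ per model.
     */
    function _purifier(&$model) {
        $alias = $model->alias;
        if (!isset($this->purifiers[$alias])) {
            $config = HTMLPurifier_Config::createDefault();
            $config->set('HTML.Allowed', $this->settings[$alias]['allowed']);
            // Even with a[href] and img[src] allowed, only these schemes
            // survive; javascript: and data: URIs lose the whole attribute.
            $config->set('URI.AllowedSchemes', array(
                'http' => true, 'https' => true, 'mailto' => true,
            ));
            // Purifier caches parsed definitions on disk; point it at a
            // writable app directory instead of the vendor tree.
            $config->set('Cache.SerializerPath', TMP . 'cache');
            $this->purifiers[$alias] = new HTMLPurifier($config);
        }
        return $this->purifiers[$alias];
    }

    /**
     * Purify each configured field present in the data being saved.
     * Runs once per save, so reads and views pay nothing extra.
     */
    function beforeSave(&$model) {
        $alias = $model->alias;
        $purifier = $this->_purifier($model);
        foreach ($this->settings[$alias]['fields'] as $field) {
            if (isset($model->data[$alias][$field])) {
                $model->data[$alias][$field] =
                    $purifier->purify($model->data[$alias][$field]);
            }
        }
        return true;
    }
}
```

Two caveats follow from cleaning on save rather than on view: only the fields listed in `fields` may be echoed unescaped in a view, everything else still goes through h(); and if the allowlist is ever loosened or tightened, rows already stored were purified under the old rules and need a one-off re-purify, because nothing checks them again at read time.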


Re: Do I need to use sanitize?

2010-09-30 Thread WhyNotSmile
Thanks.

I'm just sending plain text emails, so that should be fine.

Sharon



On 30 Sep, 06:04, Dr. Loboto drlob...@gmail.com wrote:
 I personally never user Sanitize as don't want to break user-entered
 data. Instead of it I use h() to escape all text on HTML output. On
 save to database also nothing needed as Cake properly escape data
 itself. So if you send HTML emails you need just escape user-entered
 text and that's all.

 On Sep 29, 11:43 pm, WhyNotSmile sharongilmor...@gmail.com wrote:

  I'm creating a website which has a few forms, and wondering whether I
  need to use Sanitize for those.  In each case, there are a few text
  boxes which accept input from visitors; that information gets emailed
  to a central address.  Nothing is stored in the database.

  Do I need to use sanitize for that, or is it mainly for times when the
  form data is going into the database?

  I also wasn't completely clear on the documentation about sanitize -
  it says Cake automatically uses it for saving and reading, but does
  that include 'find' functions, and do I have to include
  App::import('Sanitize'); to make it work (i.e. it's automatic once
  it's included)?

  Thanks!



RE: Do I need to use sanitize?

2010-09-30 Thread Dave Maharaj
Just jumping in here for my opinion, not advice. 

I have seen this question many times, asked it myself along the way, and I
guess the question asked includes the word "need". And as Dr. Loboto pointed
out, you do not need to. But I would like to add my 2 cents, and even though you
may not need to, I personally think of many reasons to do so. For me
appearance is key; the last thing I want to see is what appears to be code
entered in blocks of user-submitted data. I do not want someone entering <?php
echo 'hello' ?> as their first name and having that displayed to users. 
If someone is entering crap info into forms to be a pain in my ass, I make it
a pain in their ass to try to enter it and make it validate. The only reason
someone would enter code or malicious code would be to try to cause
havoc. If they want to try to enter JS snippets or HTML blocks with inline
attributes, go right ahead; I strip it all out in beforeValidate(), my own
cleaning functions for specific areas of user input. If it takes someone 20
attempts to enter their first name because they are wrapping it in code, using
numbers or symbols, then that's just too bad, because they obviously know that what
they are doing they should not be doing. I say 99% would just enter their
name as they should. For that 1% of idiots, I would rather not have them use
the site, so if it's hard on them, well then too bad.

Others point out to simply let the end users put in whatever they want and
clean out all the unwanted stuff once it's pulled from the DB and displayed
to the user. I ask why? Why would you want to have mass amounts of junk code
saved in the DB only to clean it every time it's pulled? Would it not be
better off to clean it once and then never worry about it again (until the next
save)? 

So I guess every app has its own unique issues for this question. Maybe you
do not need to, like you asked in the question, but for me I think even though
it may not be needed for security reasons, it certainly is for aesthetic
reasons.

Dave

-Original Message-
From: WhyNotSmile [mailto:sharongilmor...@gmail.com] 
Sent: September-30-10 1:10 PM
To: CakePHP
Subject: Re: Do I need to use sanitize?

Thanks.

I'm just sending plain text emails, so that should be fine.

Sharon



On 30 Sep, 06:04, Dr. Loboto drlob...@gmail.com wrote:
 I personally never user Sanitize as don't want to break user-entered
 data. Instead of it I use h() to escape all text on HTML output. On
 save to database also nothing needed as Cake properly escape data
 itself. So if you send HTML emails you need just escape user-entered
 text and that's all.

 On Sep 29, 11:43 pm, WhyNotSmile sharongilmor...@gmail.com wrote:

  I'm creating a website which has a few forms, and wondering whether I
  need to use Sanitize for those.  In each case, there are a few text
  boxes which accept input from visitors; that information gets emailed
  to a central address.  Nothing is stored in the database.

  Do I need to use sanitize for that, or is it mainly for times when the
  form data is going into the database?

  I also wasn't completely clear on the documentation about sanitize -
  it says Cake automatically uses it for saving and reading, but does
  that include 'find' functions, and do I have to include
  App::import('Sanitize'); to make it work (i.e. it's automatic once
  it's included)?

  Thanks!



Re: Do I need to use sanitize?

2010-09-30 Thread euromark
Usually you do not clean it after getting it from the DB;
you simply h() encode it. That's a difference.

It depends on the model data,
but if we are in a Comment model and all kinds of comments got
screwed up
because the developer was too eager to sanitize every crappy post,
that would piss me off as a user.

So especially for aesthetic reasons you are better off leaving the
post as it is.
If somebody wants to post crap, you can filter all you want, the
result will still be crap,
and it will still need to be deleted manually afterwards.
And all other posts are usually genuine and should be posted as the
poster intended.
Of course with h() to ensure nothing happens. But here we go: no
additional work done, no problems.


On 30 Sep., 18:06, Dave Maharaj m...@davemaharaj.com wrote:
 Just jumping in here for my opinion, not advise.

 I have seen this question many times, asked it myself along the way and I
 guess the question asked includes the word need. And as Dr. Loboto pointed
 out, you do not need to. But I would like to my 2 cents and even though you
 may not need to, I personally think of many reasons to do so. For me
 appearance is key, the last thing I want to see is what appears to be code
 entered blocks user submitted data. I do not want someone entering ?php
 echo 'hello'? as their first name and having that displayed to users.
 If someone is entering crap info into forms to be a pain in my ass I make it
 a pain in their ass to try to enter it and make it validate. The only reason
 someone would enter code or malicious code into would be to try to cause
 havoc. If they want to try to enter js snips, html blocks with inline
 attributes go right ahead, I strip it all out beforeValidate(), my own made
 cleaning functions for specific area of user input. If it takes someone 20
 attempts to enter their first name because they wrapping it in code, using
 numbers or symbols then that’s just too bad because they obviously know what
 they are doing they should not be doing. I say 99% would just enter their
 name as they should. For that 1% of idiots, I would rather not have them use
 the site so if its hard on them well then too bad.

 Others point out simply let the und users put in what ever they want and
 clean out all the unwanted stuff once its pulled from the db and displayed
 to the user. I ask why? Why would you want to have mass amounts of junk code
 saved in the db only to clean it every time its pulled? Would it not be
 better off to clean it once and then never worry about it again (until next
 save).

 So I guess every app has its own unique issues for this question, maybe you
 do not need to like you asked in the question but for me I think even though
 it may not be needed for security reasons it certainly is for aesthetic
 reasons.

 Dave

 -Original Message-
 From: WhyNotSmile [mailto:sharongilmor...@gmail.com]
 Sent: September-30-10 1:10 PM
 To: CakePHP
 Subject: Re: Do I need to use sanitize?

 Thanks.

 I'm just sending plain text emails, so that should be fine.

 Sharon

 On 30 Sep, 06:04, Dr. Loboto drlob...@gmail.com wrote:
  I personally never user Sanitize as don't want to break user-entered
  data. Instead of it I use h() to escape all text on HTML output. On
  save to database also nothing needed as Cake properly escape data
  itself. So if you send HTML emails you need just escape user-entered
  text and that's all.

  On Sep 29, 11:43 pm, WhyNotSmile sharongilmor...@gmail.com wrote:

   I'm creating a website which has a few forms, and wondering whether I
   need to use Sanitize for those.  In each case, there are a few text
   boxes which accept input from visitors; that information gets emailed
   to a central address.  Nothing is stored in the database.

   Do I need to use sanitize for that, or is it mainly for times when the
   form data is going into the database?

   I also wasn't completely clear on the documentation about sanitize -
   it says Cake automatically uses it for saving and reading, but does
   that include 'find' functions, and do I have to include
   App::import('Sanitize'); to make it work (i.e. it's automatic once
   it's included)?

   Thanks!


Re: Do I need to use sanitize?

2010-09-30 Thread j.blotus
I would be careful about using h() instead of htmlspecialchars(); it
seems the core guys keep deprecating convenience functions such as a().


On Sep 30, 1:14 pm, euromark dereurom...@googlemail.com wrote:
 usually do not clean if after getting it from the DB
 you simply h() encode it. thats a difference.

 i depends on the model data
 but if were are in a Comment model and all kinds of comments got
 screwed up
 because the developer was too eager to sanitize every crappy post
 that would piss me off as user.

 so especially for aesthetic reasons you are better off leaving the
 post as it is
 if somebody wants to post crap, you can filter all you want, the
 result will still be crap.
 and it will still need to be deleted manually afterwards.
 and all other posts are usally genuine and should be posted as the
 poster intended to.
 of course with h() to ensure nothing happens. but here we go. no
 addiotional work done, no problems.

 On 30 Sep., 18:06, Dave Maharaj m...@davemaharaj.com wrote:



  Just jumping in here for my opinion, not advise.

  I have seen this question many times, asked it myself along the way and I
  guess the question asked includes the word need. And as Dr. Loboto pointed
  out, you do not need to. But I would like to my 2 cents and even though you
  may not need to, I personally think of many reasons to do so. For me
  appearance is key, the last thing I want to see is what appears to be code
  entered blocks user submitted data. I do not want someone entering ?php
  echo 'hello'? as their first name and having that displayed to users.
  If someone is entering crap info into forms to be a pain in my ass I make it
  a pain in their ass to try to enter it and make it validate. The only reason
  someone would enter code or malicious code into would be to try to cause
  havoc. If they want to try to enter js snips, html blocks with inline
  attributes go right ahead, I strip it all out beforeValidate(), my own made
  cleaning functions for specific area of user input. If it takes someone 20
  attempts to enter their first name because they wrapping it in code, using
  numbers or symbols then that’s just too bad because they obviously know what
  they are doing they should not be doing. I say 99% would just enter their
  name as they should. For that 1% of idiots, I would rather not have them use
  the site so if its hard on them well then too bad.

  Others point out simply let the und users put in what ever they want and
  clean out all the unwanted stuff once its pulled from the db and displayed
  to the user. I ask why? Why would you want to have mass amounts of junk code
  saved in the db only to clean it every time its pulled? Would it not be
  better off to clean it once and then never worry about it again (until next
  save).

  So I guess every app has its own unique issues for this question, maybe you
  do not need to like you asked in the question but for me I think even though
  it may not be needed for security reasons it certainly is for aesthetic
  reasons.

  Dave

  -Original Message-
  From: WhyNotSmile [mailto:sharongilmor...@gmail.com]
  Sent: September-30-10 1:10 PM
  To: CakePHP
  Subject: Re: Do I need to use sanitize?

  Thanks.

  I'm just sending plain text emails, so that should be fine.

  Sharon

  On 30 Sep, 06:04, Dr. Loboto drlob...@gmail.com wrote:
   I personally never user Sanitize as don't want to break user-entered
   data. Instead of it I use h() to escape all text on HTML output. On
   save to database also nothing needed as Cake properly escape data
   itself. So if you send HTML emails you need just escape user-entered
   text and that's all.

   On Sep 29, 11:43 pm, WhyNotSmile sharongilmor...@gmail.com wrote:

I'm creating a website which has a few forms, and wondering whether I
need to use Sanitize for those.  In each case, there are a few text
boxes which accept input from visitors; that information gets emailed
to a central address.  Nothing is stored in the database.

Do I need to use sanitize for that, or is it mainly for times when the
form data is going into the database?

I also wasn't completely clear on the documentation about sanitize -
it says Cake automatically uses it for saving and reading, but does
that include 'find' functions, and do I have to include
App::import('Sanitize'); to make it work (i.e. it's automatic once
it's included)?

Thanks!


Re: Do I need to use sanitize?

2010-09-30 Thread euromark
This one will never be deprecated! :)
Mainly because of the auto-setting of the app encoding.

Other convenience functions simply did the same as the original function;
therefore it was nonsense to use them in the first place.


On 30 Sep., 19:46, j.blotus j.blo...@gmail.com wrote:
 I would be careful about using h() instead of htmlspecialchars() it
 seems the core guys keep deprecating convenience functions such as a()

 On Sep 30, 1:14 pm, euromark dereurom...@googlemail.com wrote:



  usually do not clean if after getting it from the DB
  you simply h() encode it. thats a difference.

  i depends on the model data
  but if were are in a Comment model and all kinds of comments got
  screwed up
  because the developer was too eager to sanitize every crappy post
  that would piss me off as user.

  so especially for aesthetic reasons you are better off leaving the
  post as it is
  if somebody wants to post crap, you can filter all you want, the
  result will still be crap.
  and it will still need to be deleted manually afterwards.
  and all other posts are usally genuine and should be posted as the
  poster intended to.
  of course with h() to ensure nothing happens. but here we go. no
  addiotional work done, no problems.

  On 30 Sep., 18:06, Dave Maharaj m...@davemaharaj.com wrote:

   Just jumping in here for my opinion, not advise.

   I have seen this question many times, asked it myself along the way and I
   guess the question asked includes the word need. And as Dr. Loboto 
   pointed
   out, you do not need to. But I would like to my 2 cents and even though 
   you
   may not need to, I personally think of many reasons to do so. For me
   appearance is key, the last thing I want to see is what appears to be code
   entered blocks user submitted data. I do not want someone entering ?php
   echo 'hello'? as their first name and having that displayed to users.
   If someone is entering crap info into forms to be a pain in my ass I make 
   it
   a pain in their ass to try to enter it and make it validate. The only 
   reason
   someone would enter code or malicious code into would be to try to cause
   havoc. If they want to try to enter js snips, html blocks with inline
   attributes go right ahead, I strip it all out beforeValidate(), my own 
   made
   cleaning functions for specific area of user input. If it takes someone 20
   attempts to enter their first name because they wrapping it in code, using
   numbers or symbols then that’s just too bad because they obviously know 
   what
   they are doing they should not be doing. I say 99% would just enter their
   name as they should. For that 1% of idiots, I would rather not have them 
   use
   the site so if its hard on them well then too bad.

   Others point out simply let the und users put in what ever they want and
   clean out all the unwanted stuff once its pulled from the db and displayed
   to the user. I ask why? Why would you want to have mass amounts of junk 
   code
   saved in the db only to clean it every time its pulled? Would it not be
   better off to clean it once and then never worry about it again (until 
   next
   save).

   So I guess every app has its own unique issues for this question, maybe 
   you
   do not need to like you asked in the question but for me I think even 
   though
   it may not be needed for security reasons it certainly is for aesthetic
   reasons.

   Dave

   -Original Message-
   From: WhyNotSmile [mailto:sharongilmor...@gmail.com]
   Sent: September-30-10 1:10 PM
   To: CakePHP
   Subject: Re: Do I need to use sanitize?

   Thanks.

   I'm just sending plain text emails, so that should be fine.

   Sharon

   On 30 Sep, 06:04, Dr. Loboto drlob...@gmail.com wrote:
I personally never user Sanitize as don't want to break user-entered
data. Instead of it I use h() to escape all text on HTML output. On
save to database also nothing needed as Cake properly escape data
itself. So if you send HTML emails you need just escape user-entered
text and that's all.

On Sep 29, 11:43 pm, WhyNotSmile sharongilmor...@gmail.com wrote:

 I'm creating a website which has a few forms, and wondering whether I
 need to use Sanitize for those.  In each case, there are a few text
 boxes which accept input from visitors; that information gets emailed
 to a central address.  Nothing is stored in the database.

 Do I need to use sanitize for that, or is it mainly for times when the
 form data is going into the database?

 I also wasn't completely clear on the documentation about sanitize -
 it says Cake automatically uses it for saving and reading, but does
 that include 'find' functions, and do I have to include
 App::import('Sanitize'); to make it work (i.e. it's automatic once
 it's included)?

 Thanks!


Do I need to use sanitize?

2010-09-29 Thread WhyNotSmile
I'm creating a website which has a few forms, and wondering whether I
need to use Sanitize for those.  In each case, there are a few text
boxes which accept input from visitors; that information gets emailed
to a central address.  Nothing is stored in the database.

Do I need to use sanitize for that, or is it mainly for times when the
form data is going into the database?

I also wasn't completely clear on the documentation about sanitize -
it says Cake automatically uses it for saving and reading, but does
that include 'find' functions, and do I have to include
App::import('Sanitize'); to make it work (i.e. it's automatic once
it's included)?

Thanks!



Re: Do I need to use sanitize?

2010-09-29 Thread Dr. Loboto
I personally never use Sanitize, as I don't want to break user-entered
data. Instead of it I use h() to escape all text on HTML output. On
save to the database nothing is needed either, as Cake properly escapes data
itself. So if you send HTML emails you just need to escape the user-entered
text and that's all.

On Sep 29, 11:43 pm, WhyNotSmile sharongilmor...@gmail.com wrote:
 I'm creating a website which has a few forms, and wondering whether I
 need to use Sanitize for those.  In each case, there are a few text
 boxes which accept input from visitors; that information gets emailed
 to a central address.  Nothing is stored in the database.

 Do I need to use sanitize for that, or is it mainly for times when the
 form data is going into the database?

 I also wasn't completely clear on the documentation about sanitize -
 it says Cake automatically uses it for saving and reading, but does
 that include 'find' functions, and do I have to include
 App::import('Sanitize'); to make it work (i.e. it's automatic once
 it's included)?

 Thanks!

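Both this thread and the "HTML Purifier or Sanitize core library" thread settle on escaping with h() at output time. As an added example (not code from any poster here), the plain-PHP block below reproduces what h() does in CakePHP, htmlspecialchars() with ENT_QUOTES, and probes it against constructed inputs in the three output contexts where the answer differs: element text, a quoted attribute, and an href or script block. The helper names and sample strings are mine; only the PHP built-ins are real.

```php
<?php
/**
 * Added example, not from the thread: what h()-style escaping covers and
 * what it does not. CakePHP's h() wraps htmlspecialchars() with ENT_QUOTES;
 * hLike() below is that, with the charset fixed to UTF-8 for this script.
 */
function hLike($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

/**
 * Text and quoted-attribute contexts: escaping is enough. The first sample
 * can no longer open a tag, the second can no longer close the quote.
 */
function renderTextAndAttr($text, $attr) {
    return '<p>' . hLike($text) . '</p>' . "\n"
         . '<input type="text" value="' . hLike($attr) . '">' . "\n";
}

/**
 * URL context: "javascript:alert(1)" contains no HTML metacharacter, so
 * hLike() returns it unchanged and the browser still runs it on click.
 * Escaping must be paired with a scheme allowlist (hypothetical choice
 * of schemes here).
 */
function safeHref($url) {
    $url = trim($url);
    if (!preg_match('#^(https?|mailto):#i', $url)) {
        return '#';  // or drop the link entirely; never emit the raw value
    }
    return hLike($url);
}

/**
 * Script context: HTML escaping is the wrong tool. Emit a JSON string literal
 * and hex-encode the characters that could end the <script> element.
 */
function jsString($text) {
    return json_encode($text, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Constructed probes, one per context.
$samples = array(
    'text' => '<script>alert(1)</script>',
    'attr' => '" onmouseover="alert(1)',
    'href' => 'javascript:alert(1)',
    'js'   => '</script><script>alert(1)</script>',
);

echo renderTextAndAttr($samples['text'], $samples['attr']);
echo '<a href="' . safeHref($samples['href']) . '">link</a>' . "\n";
echo '<script>var name = ' . jsString($samples['js']) . ';</script>' . "\n";
```

The design point: h() is the right default for every value dropped into element text or into a quoted attribute, and nothing more is needed there. It is not a complete answer for an unquoted attribute (`value=<?php echo h($x) ?>` breaks on a space), for a user-supplied URL, or for data placed inside a script block; those contexts need the allowlist or the JSON encoding shown, in addition to, not instead of, escaping.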


Re: Sanitize::clean breaking file uploads

2010-05-20 Thread Michele Ferri
The file uploads are working fine without Sanitize::clean(). The only
solution I see is to handle the file validation/copy logic before
executing the sanitization. I'm puzzled.
Maybe I should mention that I'm running on my local Windows machine
using XAMPP. But all the php.ini upload-related variables are set...

On May 19, 8:00 pm, calvin cal...@rottenrecords.com wrote:
 Were the file uploads working before you used Sanitize::clean? Because
 cake doesn't handle file uploads automatically. Aside from having to
 set array('type' => 'file') in your $form->create() statement, you also
 need to move/save the uploaded file yourself.

 Unless you're manually moving the file, either to a permanent upload
 directory or into a database or something, the web server (and cake)
 has no way of knowing what you want to do with the file. It'll just
 sit in the temp directory until the script terminates, at which point
 the file will be deleted.

 On May 19, 3:37 am, Michele Ferri zomgs...@gmail.com wrote:



  Hello.

  I'm using Sanitize::clean for cleaning the $this->data arrays in the
  controllers before saving them to the db.

  example
  if (!empty($this->data))
  {
          $this->data = Sanitize::clean($this->data);
          [...]

  }

  The problem is that if a form contains a file input, the file is not
  uploaded. The file array is correctly populated after the post (with
  tmp_name and everything), but the physical file is not present in the
  upload folder.

  Is there any workaround for this?



Re: Sanitize::clean breaking file uploads

2010-05-20 Thread Michele Ferri
Posting my solution.

function edit($id = null)
{
    [...]

    if (!empty($this->data))
    {
        $img = $this->data['Model']['image']; // save file upload array into a variable before sanitizing

        $this->data = Sanitize::clean($this->data); // perform sanitization

        if ($this->Model->save($this->data))
        {
            // clean data has now been saved.

            // file upload logic, using the array we saved before
            if (!is_uploaded_file($img['tmp_name']))
            {
                [...] // etc etc
            }
        }
    }
}

No problems encountered using this approach.



On May 20, 9:38 am, Michele Ferri zomgs...@gmail.com wrote:
 The file uploads are working fine without Sanitize::clean(). The only
 solution I see is to handle the file validation/copy logic before
 executing the sanitization. I'm puzzled.
 Maybe I should mention that I'm running on my local windows machine
 using XAMPP. But all the php.ini upload-related variables are set...

 On May 19, 8:00 pm, calvin cal...@rottenrecords.com wrote:



  Were the file uploads working before you used Sanitize::clean? Because
  cake doesn't handle file uploads automatically. Aside from having to
  set array('type' => 'file') in your $form->create() statement, you also
  need to move/save the uploaded file yourself.

  Unless you're manually moving the file, either to a permanent upload
  directory or into a database or something, the web server (and cake)
  has no way of knowing what you want to do with the file. It'll just
  sit in the temp directory until the script terminates, at which point
  the file will be deleted.

  On May 19, 3:37 am, Michele Ferri zomgs...@gmail.com wrote:

   Hello.

   I'm using Sanitize::clean for cleaning the $this->data arrays in the
   controllers before saving them to the db.

   example
   if (!empty($this->data))
   {
           $this->data = Sanitize::clean($this->data);
           [...]

   }

   The problem is that if a form contains a file input, the file is not
   uploaded. The file array is correctly populated after the post (with
   tmp_name and everything), but the physical file is not present in the
   upload folder.

   Is there any workaround for this?

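Michele's fix above (copy the upload array aside before Sanitize::clean() runs, then use the copy) generalised into a helper that cleans every string in the request data but skips PHP's upload arrays. This is an added example, not Michele's code and not part of CakePHP: isUploadArray(), cleanExceptUploads(), cleanEverything() and the cleanString() stand-in for Sanitize::clean() are hypothetical, and the request data is constructed.

```php
<?php
declare(strict_types=1);

// Added example (not Michele's code, not CakePHP): clean every string in the
// request data, but leave PHP's upload arrays untouched so tmp_name still
// names the file PHP actually received.

/** True when $value has the shape of a single-file entry from $_FILES. */
function isUploadArray($value): bool
{
    if (!is_array($value)) {
        return false;
    }
    foreach (['name', 'type', 'tmp_name', 'error', 'size'] as $key) {
        if (!array_key_exists($key, $value)) {
            return false;
        }
    }
    return true;
}

/** Apply $clean to every string in $data, skipping upload arrays (hypothetical helper). */
function cleanExceptUploads(array $data, callable $clean): array
{
    foreach ($data as $key => $value) {
        if (isUploadArray($value)) {
            continue;                       // PHP set these; leave them alone
        }
        if (is_array($value)) {
            $data[$key] = cleanExceptUploads($value, $clean);
        } elseif (is_string($value)) {
            $data[$key] = $clean($value);
        }
    }
    return $data;
}

/** The naive version Michele started with: clean everything, uploads included. */
function cleanEverything(array $data, callable $clean): array
{
    foreach ($data as $key => $value) {
        if (is_array($value)) {
            $data[$key] = cleanEverything($value, $clean);
        } elseif (is_string($value)) {
            $data[$key] = $clean($value);
        }
    }
    return $data;
}

// Stand-in for Sanitize::clean()'s per-string work. It only escapes quotes and
// backslashes (assumption: that is the step that rewrites a Windows path; the
// thread does not say what exactly broke Michele's uploads).
function cleanString(string $s): string
{
    return addslashes($s);
}

// Constructed request data in CakePHP's $this->data layout, with the kind of
// tmp_name an XAMPP-on-Windows setup like Michele's would produce.
$data = [
    'Model' => [
        'title' => "O'Reilly's \"book\"",
        'image' => [
            'name'     => 'photo.jpg',
            'type'     => 'image/jpeg',
            'tmp_name' => 'C:\\xampp\\tmp\\phpA1B2.tmp',
            'error'    => UPLOAD_ERR_OK,
            'size'     => 1234,
        ],
    ],
];

$naive = cleanEverything($data, 'cleanString');
$safe  = cleanExceptUploads($data, 'cleanString');

// The naive pass rewrites the backslashes in tmp_name, so the path no longer
// names the temp file; the selective pass leaves it as PHP set it while the
// text field is still escaped.
echo 'naive tmp_name: ', $naive['Model']['image']['tmp_name'], PHP_EOL;
echo 'safe  tmp_name: ', $safe['Model']['image']['tmp_name'], PHP_EOL;
echo 'safe  title:    ', $safe['Model']['title'], PHP_EOL;

// Same flow as Michele's edit(): save the cleaned data, then handle the upload
// with the untouched array. With constructed data there is no real temp file,
// so is_uploaded_file() is false here and the move is skipped.
$img = $safe['Model']['image'];
if ($img['error'] === UPLOAD_ERR_OK && is_uploaded_file($img['tmp_name'])) {
    move_uploaded_file($img['tmp_name'], __DIR__ . '/uploads/' . basename($img['name']));
}
```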


Sanitize::clean breaking file uploads

2010-05-19 Thread Michele Ferri
Hello.

I'm using Sanitize::clean for cleaning the $this->data arrays in the
controllers before saving them to the db.

example
if (!empty($this->data))
{
    $this->data = Sanitize::clean($this->data);
    [...]
}

The problem is that if a form contains a file input, the file is not
uploaded. The file array is correctly populated after the post (with
tmp_name and everything), but the physical file is not present in the
upload folder.

Is there any workaround for this?



Re: Sanitize::clean breaking file uploads

2010-05-19 Thread calvin
Were the file uploads working before you used Sanitize::clean? Because
cake doesn't handle file uploads automatically. Aside from having to
set array('type' => 'file') in your $form->create() statement, you also
need to move/save the uploaded file yourself.

Unless you're manually moving the file, either to a permanent upload
directory or into a database or something, the web server (and cake)
has no way of knowing what you want to do with the file. It'll just
sit in the temp directory until the script terminates, at which point
the file will be deleted.

On May 19, 3:37 am, Michele Ferri zomgs...@gmail.com wrote:
 Hello.

 I'm using Sanitize::clean for cleaning the $this->data arrays in the
 controllers before saving them to the db.

 example
 if (!empty($this->data))
 {
         $this->data = Sanitize::clean($this->data);
         [...]

 }

 The problem is that if a form contains a file input, the file is not
 uploaded. The file array is correctly populated after the post (with
 tmp_name and everything), but the physical file is not present in the
 upload folder.

 Is there any workaround for this?



Re: sanitize and redirect

2010-02-12 Thread Nicolas Maleve
Thanks. If I get the principle right, there are two moments where
sanitizing must take place:
- before sending parameters in custom queries
- before output in the views with h()

,n
On Thu 11 February 2010 19:48, anl hp wrote:
 No, you don't ... because you should not worry about that, if an id is
 invalid and you want to handle the situation elegantly, you could do something
 like this:
 if (!is_numeric($id)) {
   $this->setFlash('ooopss, dont do that!');
   $this->redirect();
 }


 anl


 On Thu, Feb 11, 2010 at 7:05 PM, Nicolas Maleve
 nico...@constantvzw.com wrote:

 Hello,

 Just a doubt. It looks like Cake takes care of sanitizing data in save
 and
 find, ie. Do I need to sanitize $id when using
 $this->redirect(array('action' => 'edit', 'id' => $id)); Or is there some
 cleaning happening inside redirect?

 Thanks

 nicolas







sanitize and redirect

2010-02-11 Thread Nicolas Maleve
Hello,

Just a doubt. It looks like Cake takes care of sanitizing data in save and
find, ie. Do I need to sanitize $id when using
$this->redirect(array('action' => 'edit', 'id' => $id)); Or is there some
cleaning happening inside redirect?

Thanks

nicolas




Re: sanitize and redirect

2010-02-11 Thread anl hp
No, you don't ... because you should not worry about that, if an id is
invalid and you want to handle the situation elegantly, you could do something
like this:
if (!is_numeric($id)) {
  $this->setFlash('ooopss, dont do that!');
  $this->redirect();
}


anl


On Thu, Feb 11, 2010 at 7:05 PM, Nicolas Maleve nico...@constantvzw.com wrote:

 Hello,

 Just a doubt. It looks like Cake takes care of sanitizing data in save and
 find, ie. Do I need to sanitize $id when using
 $this->redirect(array('action' => 'edit', 'id' => $id)); Or is there some
 cleaning happening inside redirect?

 Thanks

 nicolas




Another sanitize Question

2010-01-04 Thread Dave
I have asked various questions about data sanitization and I came across
teknoid's blog post about the same subject
 
read it here:
http://teknoid.wordpress.com/2009/08/06/save-now-sanitize-later/
 
I did get the same answer from fellow bakers: no need to sanitize, use h()
and see users trying to do stuff they should not be doing.
 
My only question is how do you track users who are attempting to add scripts
or what not? If you have a site with say 2000 users making changes every day
how do you possibly monitor each edit? How do you find these users other
than going through everything daily / hourly? Just wondering how would you find
such a user easily in an endless list of possible users?
 
Thanks,
 
Dave



Re: Another sanitize Question

2010-01-04 Thread euromark
why would you even bother trying to find that out?

as long as you use h() you don't need to worry about those users
they can't do anything

if you still want to find that out you would need to check the post
data
and match them against known hazard-strings
but this is time-consuming and very hard to check on anyway

so if I was you I'd drop this idea


On 4 Jan., 19:16, Dave make.cake.b...@gmail.com wrote:
 I have asked various questions about data sanitization and I came across
 teknoid's blog post about the same subject

 read it here: http://teknoid.wordpress.com/2009/08/06/save-now-sanitize-later/

 I did get the same answer from fellow bakers: no need to sanitize, use h()
 and see users trying to do stuff they should not be doing.

 My only question is how do you track users who are attempting to add scripts
 or what not? If you have a site with say 2000 users making changes every day
 how do you possibly monitor each edit? How do you find these users other
 than going through everything daily / hourly? Just wondering how would you find
 such a user easily in an endless list of possible users?

 Thanks,

 Dave

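Dave asks how to notice which of 2000 users are submitting scripts when the app stores raw input and relies on h() at output, and Walther's reply in the "To Sanitize or not?" thread says filtering on display is what lets you see those users. The helper below is an added example, not code from the thread or from CakePHP: ACTIVE_MARKUP_PATTERNS and flagActiveMarkup() are hypothetical, the submissions are constructed, and, as euromark says, pattern matching is heuristic and produces review signals rather than proof.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread, not CakePHP code): with store-raw /
// escape-on-output, h() is what keeps the page safe. This helper only answers
// Dave's follow-up: how to notice which users are submitting active markup,
// by writing one review record per hit instead of reading every edit by hand.

/**
 * Patterns that indicate active content in what should be plain text. A hit
 * is a review signal, not proof of malice (hypothetical list; it will miss
 * things and it will false-positive, as euromark warned).
 */
const ACTIVE_MARKUP_PATTERNS = [
    'script_tag'    => '/<\s*script\b/i',
    'event_handler' => '/\bon[a-z]+\s*=/i',      // onload=, onerror=, ... (intrinsic events)
    'js_scheme'     => '/javascript\s*:/i',
    'css_script'    => '/\bexpression\s*\(/i',   // scripts hidden in styles
    'base64_data'   => '/data\s*:[^,]*;base64,/i',
];

/**
 * Scan one submission in CakePHP's $this->data layout and return a review
 * record per (field, pattern) hit. (hypothetical helper)
 *
 * @param array $submission ['user_id' => int, 'data' => ['Model' => ['field' => 'value']]]
 */
function flagActiveMarkup(array $submission): array
{
    $hits = [];
    foreach ($submission['data'] as $model => $fields) {
        foreach ($fields as $field => $value) {
            if (!is_string($value)) {
                continue;
            }
            foreach (ACTIVE_MARKUP_PATTERNS as $name => $regex) {
                if (preg_match($regex, $value) === 1) {
                    $hits[] = [
                        'ts'      => gmdate('c'),
                        'user_id' => $submission['user_id'],
                        'field'   => $model . '.' . $field,
                        'pattern' => $name,
                        // bounded and escaped, so the log is safe to view in a browser
                        'excerpt' => htmlspecialchars(substr($value, 0, 80), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
                    ];
                }
            }
        }
    }
    return $hits;
}

// Constructed submissions standing in for a day of edits by several users.
$submissions = [
    ['user_id' => 17, 'data' => ['Post'    => ['title' => 'Quarterly update', 'body' => 'Plain text, nothing to see.']]],
    ['user_id' => 42, 'data' => ['Post'    => ['title' => 'Hi', 'body' => '<script>alert(1)</script>']]],
    ['user_id' => 42, 'data' => ['Post'    => ['title' => 'Hi', 'body' => '<img src="x" onerror="alert(1)">']]],
    ['user_id' => 99, 'data' => ['Comment' => ['text' => 'see <a href="javascript:void(0)">here</a>']]],
    ['user_id' => 17, 'data' => ['Post'    => ['title' => 'Onboarding notes', 'body' => 'Turn it on = good']]],
];

$hitsPerUser = [];
foreach ($submissions as $submission) {
    foreach (flagActiveMarkup($submission) as $hit) {
        error_log(json_encode($hit));          // one JSON line per hit for the log pipeline
        $hitsPerUser[$hit['user_id']] = ($hitsPerUser[$hit['user_id']] ?? 0) + 1;
    }
}

// A per-user tally is the "find such a user easily" view Dave asked about.
arsort($hitsPerUser);
foreach ($hitsPerUser as $userId => $count) {
    echo "user {$userId}: {$count} flagged field(s)", PHP_EOL;
}
```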


Re: To Sanitize or not? :: Public Opinion

2009-11-22 Thread robustsolution
you may sanitize sometimes, but you should always validate inputs
(forms, URLs, HTTP requests)





Re: To Sanitize or not? :: Public Opinion

2009-11-22 Thread Walther
CakePHP already makes any user input safe in save functions (with the
exception of updateAll).

My general rule of thumb, is not to filter user input on save, but on
display. This way you can see which users are trying malicious code
and take action accordingly.

On Nov 23, 1:12 am, robustsolution i...@robustsolution.net wrote:
 you may sanitize sometimes, but you should always validate inputs
 (forms, URLs, HTTP requests)





To Sanitize or not? :: Public Opinion

2009-11-17 Thread Dave
I have asked a few questions about data sanitization and got different
responses.
Some people say just don't sanitize and use echo h(), others say always
sanitize.
Books say never trust what the user enters so always clean data before
saving.
 
I know every app has different requirements but as a general rule what do
you do?
 
Just looking for feedback as to different methods for each baker.
 
Thanks
 
Dave





Re: To Sanitize or not? :: Public Opinion

2009-11-17 Thread Marcelo Andrade
On Tue, Nov 17, 2009 at 7:07 PM, Dave make.cake.b...@gmail.com wrote:
 I have asked a few questions about data sanitization and got different
 responses.
 Some people say just don't sanitize and use echo h(), others say always
 sanitize.
 Books say never trust what the user enters so always clean data before
 saving.

I think you said all.  Never trust data from the user.  I vote for always
sanitize.  You never know when you'll face a Bobby Tables user.

http://xkcd.com/327/

Best regards.

--
MARCELO DE F. ANDRADE
Belem, PA, Amazonia, Brazil
Linux User #221105





Re: To Sanitize or not? :: Public Opinion

2009-11-17 Thread Miles J
If you filter and validate the data before saving it to the database,
then there's no need for Sanitization... unless you allow them to use
HTML.

On Nov 17, 3:00 pm, Marcelo Andrade mfandr...@gmail.com wrote:
 On Tue, Nov 17, 2009 at 7:07 PM, Dave make.cake.b...@gmail.com wrote:
  I have asked a few questions about data sanitization and got different
  responses.
  Some people say just don't sanitize and use echo h(), others say always
  sanitize.
  Books say never trust what the user enters so always clean data before
  saving.

 I think you said all.  Never trust data from the user.  I vote for always
 sanitize.  You never know when you'll face a Bobby Tables user.

 http://xkcd.com/327/

 Best regards.

 --
 MARCELO DE F. ANDRADE
 Belem, PA, Amazonia, Brazil
 Linux User #221105





Re: To Sanitize or not? :: Public Opinion

2009-11-17 Thread Dr. Loboto
When data is saved to DB Cake properly escapes it so there is no problem with
SQL Injection and no need to sanitize before.

When data is displayed, using the h() function will secure it enough.

With such approach you face problems only when you allow users to post HTML
(for example, with a WYSIWYG editor). In this case neither h() nor Sanitize
can save you as both of them cannot be used in such case.

On Nov 18, 4:07 am, Dave make.cake.b...@gmail.com wrote:
 I have asked a few questions about data sanitization and got different
 responses.
 Some people say just don't sanitize and use echo h(), others say always
 sanitize.
 Books say never trust what the user enters so always clean data before
 saving.

 I know every app has different requirements but as a general rule what do
 you do?

 Just looking for feedback as to different methods for each baker.

 Thanks

 Dave





Re: To Sanitize or not? :: Public Opinion

2009-11-17 Thread Erik Nedwidek
The big problem really is accepting input and displaying it without encoding
or stripping the html. If you want to accept html, you need to strip out all
javascript, intrinsic events, and even scripts hidden in styles. For the
most part Cake will construct the SQL queries in a protected manner. You
will also want to scan for Base64 encoded data as people are hiding their
scripts in there too.

Erik Nedwidek
Project Manager
Lighthouse I.T. Consulting, Inc.


On Tue, Nov 17, 2009 at 10:57 PM, Dr. Loboto drlob...@gmail.com wrote:

 When data is saved to DB Cake properly escapes it so there is no problem with
 SQL Injection and no need to sanitize before.

 When data is displayed, using the h() function will secure it enough.

 With such approach you face problems only when you allow users to post HTML
 (for example, with a WYSIWYG editor). In this case neither h() nor Sanitize
 can save you as both of them cannot be used in such case.

 On Nov 18, 4:07 am, Dave make.cake.b...@gmail.com wrote:
  I have asked a few questions about data sanitization and got different
  responses.
  Some people say just don't sanitize and use echo h(), others say always
  sanitize.
  Books say never trust what the user enters so always clean data before
  saving.
 
  I know every app has different requirements but as a general rule what do
  you do?
 
  Just looking for feedback as to different methods for each baker.
 
  Thanks
 
  Dave





Re: Sanitize:: clean help

2009-11-02 Thread robustsolution

nice approach... euromark.

On Nov 1, 9:23 am, euromark (munich) dereurom...@googlemail.com
wrote:
 way too complicated

 don't sanitize it
 and use h() for output (text, varchar)

 that is way more handy than any other approach

 On 1 Nov., 06:44, Kyle Decot kdec...@gmail.com wrote:

  Try echo $form->input("description", array("value" => html_entity_decode(@
  $this->data["Model"]["description"])));

  On Oct 31, 5:29 pm, Dave make.cake.b...@gmail.com wrote:

   Can someone help me out with this fairly simple question.

   I am doing:

   $clean = new Sanitize();
   $this->data = $clean->clean($this->data);

   Now if a user enters quotes brackets or what not it gets converted to
   &lt;script&gt; which is fine for saving to the db I suppose. But when they
   go back to edit the entry the input is &lt;script&gt; how can I convert it
   back to what it was before? So it is readable.
   I want the data to be safe for the db but also be able to be editable by
   the end user.

   I tried echo $form->input(html_entity_decode('description')); but still
   comes out all mangled

   Thanks

   Dave



Re: Sanitize:: clean help

2009-11-01 Thread euromark (munich)

way too complicated

don't sanitize it
and use h() for output (text, varchar)

that is way more handy than any other approach


On 1 Nov., 06:44, Kyle Decot kdec...@gmail.com wrote:
 Try echo $form->input("description", array("value" => html_entity_decode(@
 $this->data["Model"]["description"])));

 On Oct 31, 5:29 pm, Dave make.cake.b...@gmail.com wrote:

  Can someone help me out with this fairly simple question.

  I am doing:

  $clean = new Sanitize();
  $this->data = $clean->clean($this->data);

  Now if a user enters quotes brackets or what not it gets converted to
  &lt;script&gt; which is fine for saving to the db I suppose. But when they
  go back to edit the entry the input is &lt;script&gt; how can I convert it
  back to what it was before? So it is readable.
  I want the data to be safe for the db but also be able to be editable by the
  end user.

  I tried echo $form->input(html_entity_decode('description')); but still comes
  out all mangled

  Thanks

  Dave



Sanitize:: clean help

2009-10-31 Thread Dave
Can someone help me out with this fairly simple question.
 
I am doing:
 
$clean = new Sanitize();
$this->data = $clean->clean($this->data);

Now if a user enters quotes brackets or what not it gets converted to
&lt;script&gt; which is fine for saving to the db I suppose. But when they
go back to edit the entry the input is &lt;script&gt; how can I convert it
back to what it was before? So it is readable.
I want the data to be safe for the db but also be able to be editable by the
end user.

I tried echo $form->input(html_entity_decode('description')); but still comes
out all mangled
 
Thanks
 
Dave

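The double-encoding Dave describes, next to the escape-on-output approach euromark and Dr. Loboto recommend (here and in the "Do I need to use sanitize?" thread), run on the same typed input. This is an added example, not the thread's code and not CakePHP's: h(), sanitizeOnInput(), inputField() and render() are minimal stand-ins written for the example, and the input string is constructed.

```php
<?php
declare(strict_types=1);

// Added example (not the thread's code, not CakePHP's): the two strategies
// argued over in these threads, applied to the same typed input. h() and
// inputField() are minimal stand-ins for CakePHP's h() and FormHelper::input().

/** Stand-in for CakePHP's h(): escape for an HTML text or attribute context. */
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

/** Stand-in for "encode on input" as Dave saw it: entities, not tags, get stored. */
function sanitizeOnInput(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

/** Stand-in for FormHelper::input(): like the real helper, the value is escaped. */
function inputField(string $name, string $value): string
{
    return '<input type="text" name="' . h($name) . '" value="' . h($value) . '">';
}

/** Render the page and the edit form for a stored value, as a view would. */
function render(string $stored): array
{
    return [
        'page' => '<p>' . h($stored) . '</p>',
        'edit' => inputField('description', $stored),
    ];
}

// Constructed input: a user pastes markup, quotes and a script tag into a
// description field.
$typed = '<b>Bold</b> & "quoted" <script>alert(1)</script>';

// Strategy 1 (Dave's): Sanitize before saving, so the entity-encoded string
// is what sits in the database. Every view that then applies h() encodes it a
// second time, which is the "all mangled" edit form Dave describes; Kyle's
// html_entity_decode() undoes the stored encoding before the helper re-encodes.
$storedEncoded      = sanitizeOnInput($typed);
$strategy1          = render($storedEncoded);
$strategy1['fixed'] = inputField('description', html_entity_decode($storedEncoded, ENT_QUOTES, 'UTF-8'));

// Strategy 2 (euromark, Dr. Loboto): store exactly what was typed (the query
// layer handles SQL escaping) and escape once, at output. The page shows the
// tags as text and runs nothing; the edit form shows the user their own input.
$strategy2 = render($typed);

foreach (['sanitize on input' => $strategy1, 'escape on output' => $strategy2] as $label => $out) {
    echo "== {$label} ==", PHP_EOL;
    foreach ($out as $what => $html) {
        echo "  {$what}: {$html}", PHP_EOL;
    }
}
```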



Re: Sanitize:: clean help

2009-10-31 Thread Kyle Decot

Try echo $form->input("description", array("value" => html_entity_decode(@
$this->data["Model"]["description"])));

On Oct 31, 5:29 pm, Dave make.cake.b...@gmail.com wrote:
 Can someone help me out with this fairly simple question.

 I am doing:

 $clean = new Sanitize();
 $this->data = $clean->clean($this->data);

 Now if a user enters quotes brackets or what not it gets converted to
 &lt;script&gt; which is fine for saving to the db I suppose. But when they
 go back to edit the entry the input is &lt;script&gt; how can I convert it
 back to what it was before? So it is readable.
 I want the data to be safe for the db but also be able to be editable by the
 end user.

 I tried echo $form->input(html_entity_decode('description')); but still comes
 out all mangled

 Thanks

 Dave



Re: Odd code in sanitize core lib?

2009-10-29 Thread Miles J

I thought you were lying so I checked, and haha it is there. I'm
curious on this as well.

On Oct 28, 8:51 pm, George H acher...@gmail.com wrote:
 Hi guys,

 I've been debugging my controller that is using Sanitize and I had a
 peek inside the CakePHP Sanitize core lib file, where I found
 something odd.

 Is it possible if someone could explain to me (I'm just genuinely
 curious) the reasoning behind line 223 in /cake/libs/sanitize.php
 (version 1.2.5)?

 $data = str_replace("'", "'", str_replace("!", "!", $data));

 From what I can tell, this line is replacing ! chars with !, and then
 replacing ' chars with '. I've done some checks and the search and
 replace strings are exactly the same.

 As I mentioned, I am genuinely curious (probably more curious if I am
 lost my marbles or not and maybe I'm seeing things), so any core devs
 out there please do not see this as a personal attack on you, or your
 intelligence, or ability to cut good code, etc etc.

 Cheers,
 -- George



Re: Odd code in sanitize core lib?

2009-10-29 Thread Martin Westin

I am just guessing here but couldn't it be replacing "looks like an
exclamation but is really far out into outer space" with a normal
exclamation?

Using a bad font, the code looks different.


On Oct 29, 7:32 am, Miles J mileswjohn...@gmail.com wrote:
 I thought you were lying so I checked, and haha it is there. I'm
 curious on this as well.

 On Oct 28, 8:51 pm, George H acher...@gmail.com wrote:



  Hi guys,

  I've been debugging my controller that is using Sanitize and I had a
  peek inside the CakePHP Sanitize core lib file, where I found
  something odd.

  Is it possible if someone could explain to me (I'm just genuinely
  curious) the reasoning behind line 223 in /cake/libs/sanitize.php
  (version 1.2.5)?

  $data = str_replace("'", "'", str_replace("!", "!", $data));

  From what I can tell, this line is replacing ! chars with !, and then
  replacing ' chars with '. I've done some checks and the search and
  replace strings are exactly the same.

  As I mentioned, I am genuinely curious (probably more curious if I am
  lost my marbles or not and maybe I'm seeing things), so any core devs
  out there please do not see this as a personal attack on you, or your
  intelligence, or ability to cut good code, etc etc.

  Cheers,
  -- George



Re: Odd code in sanitize core lib?

2009-10-29 Thread George H

I thought this was the case too (I use Consolas fwiw), so I pasted the
code into an empty text editor (TextWrangler) and did a search for
'!', and it returned two results. What font are you using to view the
code, making the search and replace strings different? As far as I can
tell, the search and replace strings are identical.

I'm guessing it's some sort of testing code that wasn't cleaned up
during the refactoring process...? I don't know.

But yeah -- this isn't a ground-breaking drop-what-you're-doing kind
of thing, just out of curiosity I was just wondering why that's there.

On Oct 29, 11:47 pm, Martin Westin martin.westin...@gmail.com wrote:
 I am just guessing here but couldn't it be replacing "looks like an
 exclamation but is really far out into outer space" with a normal
 exclamation?

 Using a bad font, the code looks different.

 On Oct 29, 7:32 am, Miles J mileswjohn...@gmail.com wrote:

  I thought you were lying so I checked, and haha it is there. I'm
  curious on this as well.

  On Oct 28, 8:51 pm, George H acher...@gmail.com wrote:

   Hi guys,

   I've been debugging my controller that is using Sanitize and I had a
   peek inside the CakePHP Sanitize core lib file, where I found
   something odd.

   Is it possible if someone could explain to me (I'm just genuinely
   curious) the reasoning behind line 223 in /cake/libs/sanitize.php
   (version 1.2.5)?

   $data = str_replace("'", "'", str_replace("!", "!", $data));

   From what I can tell, this line is replacing ! chars with !, and then
   replacing ' chars with '. I've done some checks and the search and
   replace strings are exactly the same.

   As I mentioned, I am genuinely curious (probably more curious if I am
   lost my marbles or not and maybe I'm seeing things), so any core devs
   out there please do not see this as a personal attack on you, or your
   intelligence, or ability to cut good code, etc etc.

   Cheers,
   -- George
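A byte-level check for the question this thread asks (are the two arguments of that str_replace() really identical, or does one hide a look-alike character that a font renders like "!"?). This is an added example, not code from the thread or from CakePHP; the function names and the sample lines are constructed for the demonstration.

```php
<?php
// Added example: confirm whether a str_replace() call is a no-op at the byte
// level, and reveal any non-ASCII look-alike characters hiding in a line.

/** Decode one UTF-8 encoded character (1-4 bytes) into its code point. */
function utf8CodePoint($char) {
    $b = array_values(unpack('C*', $char));
    switch (count($b)) {
        case 1:  return $b[0];
        case 2:  return (($b[0] & 0x1F) << 6) | ($b[1] & 0x3F);
        case 3:  return (($b[0] & 0x0F) << 12) | (($b[1] & 0x3F) << 6) | ($b[2] & 0x3F);
        default: return (($b[0] & 0x07) << 18) | (($b[1] & 0x3F) << 12)
                      | (($b[2] & 0x3F) << 6) | ($b[3] & 0x3F);
    }
}

/** Every non-ASCII character in $s, as byte offset => "U+XXXX". */
function nonAsciiCodePoints($s) {
    $points = array();
    preg_match_all('/./us', $s, $m, PREG_OFFSET_CAPTURE);
    foreach ($m[0] as $hit) {
        list($char, $offset) = $hit;
        if (strlen($char) > 1) {               // more than one byte: not ASCII
            $points[$offset] = sprintf('U+%04X', utf8CodePoint($char));
        }
    }
    return $points;
}

/** True when str_replace($search, $replace, ...) can never change its input. */
function isNoopReplace($search, $replace) {
    return $search === $replace;
}

/** Fold the look-alikes from Martin's guess onto their ASCII forms. */
function foldLookalikePunctuation($s) {
    return str_replace(
        array("\xEF\xBC\x81", "\xE2\x80\x99"), // U+FF01 FULLWIDTH "!", U+2019 RIGHT SINGLE QUOTE
        array('!', "'"),
        $s
    );
}

// Constructed sample lines: the first uses a fullwidth exclamation mark as the
// search string, the second is the all-ASCII form George found in sanitize.php.
$lookalikeLine = 'str_replace("' . "\xEF\xBC\x81" . '", "!", $data)';
$asciiLine     = 'str_replace("!", "!", $data)';

foreach (array($lookalikeLine, $asciiLine) as $line) {
    $hidden = nonAsciiCodePoints($line);
    echo $line, "\n  non-ASCII characters: ", ($hidden ? json_encode($hidden) : 'none'), "\n";
}
echo "fullwidth -> ASCII replace is a no-op? ",
     var_export(isNoopReplace("\xEF\xBC\x81", '!'), true), "\n";
echo "ASCII -> ASCII replace is a no-op? ",
     var_export(isNoopReplace('!', '!'), true), "\n";
echo "folded: ", foldLookalikePunctuation("Done\xEF\xBC\x81"), "\n";
```

Running it on the line as it appears in the thread reports no non-ASCII characters, which is the same conclusion George reached with the editor search.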



Odd code in sanitize core lib?

2009-10-28 Thread George H

Hi guys,

I've been debugging my controller that is using Sanitize and I had a
peek inside the CakePHP Sanitize core lib file, where I found
something odd.

Is it possible if someone could explain to me (I'm just genuinely
curious) the reasoning behind line 223 in /cake/libs/sanitize.php
(version 1.2.5)?

$data = str_replace("'", "'", str_replace("!", "!", $data));

From what I can tell, this line is replacing ! chars with !, and then
replacing ' chars with '. I've done some checks and the search and
replace strings are exactly the same.

As I mentioned, I am genuinely curious (probably more curious if I am
lost my marbles or not and maybe I'm seeing things), so any core devs
out there please do not see this as a personal attack on you, or your
intelligence, or ability to cut good code, etc etc.

Cheers,
-- George



Sanitize::clean on AfterFind on AppModel

2009-10-23 Thread Lucas Costa
Hello fellows,

what do you think about putting a Sanitize::clean in the afterFind of every
Model?

Wouldn't that ensure the same security and a lot less code?

What would be the down side?

Regards...




Re: sanitize and echoing in html

2009-08-25 Thread ezekfred

hi all,

forget about it:

On Aug 24, 10:18 am, ezekfred ezekf...@wanadoo.fr wrote:
  Many thanks!
 
  I didn't know about this nl2br!
 
  here is my way of doing it (with sanitize...)
 
  <?php
  App::import('Sanitize');
 
  class MyController extends AppController {
   function add() {
    if (!empty($this->data)) {
     $this->data = Sanitize::clean($this->data);
     $this->Mydata->create();
     // ...
    }
   }
 
   function edit($id = null) {
    if (!empty($this->data)) {
     $this->data = Sanitize::clean($this->data);
     if ($this->Mydata->save($this->data)) {
      // ...
     }
    }
   }
  }
  ?>
 
  and in my view template index.ctp
  <?php echo nl2br($result['Mydata']['field']); ?>
 
  thanks again.
 
  On Aug 21, 5:57 pm, euromark (munich) dereurom...@googlemail.com
  wrote:
 
   always the same^^
 
   no sanitizing neccessary
   just use h($var) in the view
 
   and for textareas
   nl2br(h($var))
 
   thats all
 
   On 21 Aug., 16:55, ezekfred ezekf...@wanadoo.fr wrote:
 
Hello,
 
I'm having some issues with my views.
 
add.ctp: echo $form->input('theanswer');
view.ctp: echo $data['theanswer'];
 
in my database theanswer is a TEXT field
 
I just want to allow people make use of carriage return,
I want to display these CR in view.ctp and index.ctp
but I don't want them to write scripts like <script>alert
("EXPLETIVES!!!")</script>
 
I've tried to sanitize::clean the input, to sanitize::html the output
but I'm unable to get an output like that:
Line1
Line2

 
Has anyone an idea?
 
thanks for your help!
 

euromark was right:
no sanitizing necessary: just use h($var) in the view
and for textareas: nl2br(h($var))

I've found my issue: I was using an old version of debug kit...
with the last one (1.1) everything is ok with h($myvars)

Thank you again Mister Euromark.






Re: sanitize and echoing in html

2009-08-24 Thread ezekfred

Many thanks!

I didn't know about this nl2br!

here is my way of doing it (with sanitize...)

<?php
App::import('Sanitize');

class MyController extends AppController {
 function add() {
  if (!empty($this->data)) {
   $this->data = Sanitize::clean($this->data);
   $this->Mydata->create();
   // ...
  }
 }

 function edit($id = null) {
  if (!empty($this->data)) {
   $this->data = Sanitize::clean($this->data);
   if ($this->Mydata->save($this->data)) {
    // ...
   }
  }
 }
}
?>

and in my view template index.ctp
<?php echo nl2br($result['Mydata']['field']); ?>

thanks again.

On Aug 21, 5:57 pm, euromark (munich) dereurom...@googlemail.com
wrote:
 always the same^^

 no sanitizing necessary
 just use h($var) in the view

 and for textareas
 nl2br(h($var))

 thats all

 On 21 Aug., 16:55, ezekfred ezekf...@wanadoo.fr wrote:

  Hello,

  I'm having some issues with my views.

  add.ctp: echo $form->input('theanswer');
  view.ctp: echo $data['theanswer'];

  in my database theanswer is a TEXT field

  I just want to allow people make use of carriage return,
  I want to display these CR in view.ctp and index.ctp
  but I don't want them to write scripts like <script>alert
  ("EXPLETIVES!!!")</script>

  I've tried to sanitize::clean the input, to sanitize::html the output
  but I'm unable to get an output like that:
  Line1
  Line2
  

  Has anyone an idea?

  thanks for your help!





sanitize and echoing in html

2009-08-21 Thread ezekfred

Hello,

I'm having some issues with my views.

add.ctp: echo $form->input('theanswer');
view.ctp: echo $data['theanswer'];

in my database theanswer is a TEXT field

I just want to allow people to make use of carriage returns,
I want to display these CR in view.ctp and index.ctp
but I don't want them to write scripts like <script>alert
("EXPLETIVES!!!")</script>

I've tried to sanitize::clean the input, to sanitize::html the output
but I'm unable to get an output like that:
Line1
Line2


Has anyone an idea?

thanks for your help!



Re: sanitize and echoing in html

2009-08-21 Thread euromark (munich)

always the same^^

no sanitizing necessary
just use h($var) in the view

and for textareas
nl2br(h($var))

thats all


On 21 Aug., 16:55, ezekfred ezekf...@wanadoo.fr wrote:
 Hello,

 I'm having some issues with my views.

 add.ctp: echo $form->input('theanswer');
 view.ctp: echo $data['theanswer'];

 in my database theanswer is a TEXT field

 I just want to allow people make use of carriage return,
 I want to display these CR in view.ctp and index.ctp
 but I don't want them to write scripts like <script>alert
 ("EXPLETIVES!!!")</script>

 I've tried to sanitize::clean the input, to sanitize::html the output
 but I'm unable to get an output like that:
 Line1
 Line2
 

 Has anyone an idea?

 thanks for your help!



Re: De-sanitize for Text Boxes

2009-08-03 Thread Ponch316

I didn't set the encoding for UTF8. Should I? Are there any other
encoding related specifications I should follow?

Thanks.

On Aug 2, 1:41 am, euromark (munich) dereurom...@googlemail.com
wrote:
 just dont sanitize them in the first place
 the problem must be caused by something else
 usually cake escapes them automatically

 is everything UTF-8? especially the db? (careful: utf8 not utf-8
 here!)

 On 2 Aug., 03:34, Ponch316 ponch...@gmail.com wrote:

  Hi,

  I'm new to CakePHP and I came across a little problem.

  I created a scaffold to upload a list of schools to my database and
  after uploading about 400, I noticed that some of the schools were
  disappearing both from the scaffold view and the database. Since no
  one else has access to my system, I realized that the only possible
  reason for that is that some characters I entered, like apostrophes
  ('), hyphens (-), and commas (,), caused trouble in the database
  somehow.

  I created a new scaffold using Bake and decided use Sanitize::clean()
  before saving. So far, schools are no longer disappearing, but when I
  try to edit one of these, the characters are NOT displayed correctly
  in the text boxes (e.g: O&#039;Malley). I tried using the PHP method
  htmlspecialchars_decode() (http://us.php.net/htmlspecialchars_decode)
  before sending $this->data to the view but it didn't work, characters
  are still showing up like that.

  I was wondering if someone could help me to solve this problem. I
  don't know if I'm doing something wrong, cuz I'm very surprised that
  Cake has problems handling special characters, since a lot of last
  names use apostrophes. If you think I should use a different approach,
  please let me know as well.

  Thanks in advance.
  Ponch316



Re: De-sanitize for Text Boxes

2009-08-03 Thread euromark (munich)

there are many reasons for it, and almost none against it
so yes, i would advise you to do so

sanitizing is not necessary if you make sure all your view outputs
are specialchared with
h()
like
echo h($data['Model']['title']);
html-helper functions like $html->link() do that for you right away
anyway

this way you won't run into any of your current problems

mark


On 4 Aug., 01:07, Ponch316 ponch...@gmail.com wrote:
 I didn't set the encoding for UTF8. Should I? Are there any other
 encoding related specifications I should follow?

 Thanks.

 On Aug 2, 1:41 am, euromark (munich) dereurom...@googlemail.com
 wrote:

  just dont sanitize them in the first place
  the problem must be caused by something else
  usually cake escapes them automatically

  is everything UTF-8? especially the db? (careful: utf8 not utf-8
  here!)

  On 2 Aug., 03:34, Ponch316 ponch...@gmail.com wrote:

   Hi,

   I'm new to CakePHP and I came across a little problem.

   I created a scaffold to upload a list of schools to my database and
   after uploading about 400, I noticed that some of the schools were
   disappearing both from the scaffold view and the database. Since no
   one else has access to my system, I realized that the only possible
   reason for that is that some characters I entered, like apostrophes
   ('), hyphens (-), and commas (,), caused trouble in the database
   somehow.

   I created a new scaffold using Bake and decided use Sanitize::clean()
   before saving. So far, schools are no longer disappearing, but when I
   try to edit one of these, the characters are NOT displayed correctly
   in the text boxes (e.g: O&#039;Malley). I tried using the PHP method
   htmlspecialchars_decode() (http://us.php.net/htmlspecialchars_decode)
   before sending $this->data to the view but it didn't work, characters
   are still showing up like that.

   I was wondering if someone could help me to solve this problem. I
   don't know if I'm doing something wrong, cuz I'm very surprised that
   Cake has problems handling special characters, since a lot of last
   names use apostrophes. If you think I should use a different approach,
   please let me know as well.

   Thanks in advance.
   Ponch316
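The advice in this thread and in the "sanitize and echoing in html" thread (store input as typed, escape with h() when it reaches the HTML, nl2br() around it for textareas) side by side with the double-encoding that produced the O&#039;Malley symptom above. This is an added example, not code from the threads or from CakePHP: esc() is a stand-in for CakePHP's h() (which wraps htmlspecialchars()), and the other function names and the sample values are constructed.

```php
<?php
// Added example: escape at output, do not entity-encode at input.

/** Stand-in for CakePHP's h(): htmlspecialchars() with quotes escaped too. */
function esc($text) {
    return htmlspecialchars((string)$text, ENT_QUOTES, 'UTF-8');
}

/** A TEXT column rendered in a view: line breaks survive, markup does not. */
function renderMultiline($raw) {
    return nl2br(esc($raw));
}

/** The value attribute of an edit-form input, built from the raw stored value. */
function inputValue($raw) {
    return esc($raw);
}

/**
 * Undo a value that was entity-encoded before it was stored. ENT_QUOTES is
 * required: before PHP 8.1 the default flags leave &#039; untouched, which is
 * why a bare htmlspecialchars_decode() "didn't work" in the thread.
 */
function decodeStored($encoded) {
    return htmlspecialchars_decode($encoded, ENT_QUOTES);
}

// Constructed sample input, as a user might type it into a textarea.
$raw = "Line1\nLine2\n<script>alert('x')</script>";

// 1. Escape once at output: the tag is shown as text, newlines become <br />.
echo "view output:\n", renderMultiline($raw), "\n\n";

// 2. Same rule for form fields: a raw O'Malley escaped once comes back as an
//    apostrophe once the browser decodes the entity.
echo "raw value, escaped once:      ", inputValue("O'Malley"), "\n";

// 3. Sanitized on input AND escaped on output: the stored value already holds
//    the entity, so it is encoded a second time and the form shows it literally.
$stored = "O&#039;Malley";
echo "stored entity, escaped again: ", inputValue($stored), "\n";
echo "decoded first, then escaped:  ", inputValue(decodeStored($stored)), "\n";
```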



Re: De-sanitize for Text Boxes

2009-08-02 Thread euromark (munich)

just dont sanitize them in the first place
the problem must be caused by something else
usually cake escapes them automatically

is everything UTF-8? especially the db? (careful: utf8 not utf-8
here!)


On 2 Aug., 03:34, Ponch316 ponch...@gmail.com wrote:
 Hi,

 I'm new to CakePHP and I came across a little problem.

 I created a scaffold to upload a list of schools to my database and
 after uploading about 400, I noticed that some of the schools were
 disappearing both from the scaffold view and the database. Since no
 one else has access to my system, I realized that the only possible
 reason for that is that some characters I entered, like apostrophes
 ('), hyphens (-), and commas (,), caused trouble in the database
 somehow.

 I created a new scaffold using Bake and decided use Sanitize::clean()
 before saving. So far, schools are no longer disappearing, but when I
 try to edit one of these, the characters are NOT displayed correctly
 in the text boxes (e.g: O&#039;Malley). I tried using the PHP method
 htmlspecialchars_decode() (http://us.php.net/htmlspecialchars_decode)
 before sending $this->data to the view but it didn't work, characters
 are still showing up like that.

 I was wondering if someone could help me to solve this problem. I
 don't know if I'm doing something wrong, cuz I'm very surprised that
 Cake has problems handling special characters, since a lot of last
 names use apostrophes. If you think I should use a different approach,
 please let me know as well.

 Thanks in advance.
 Ponch316



De-sanitize for Text Boxes

2009-08-01 Thread Ponch316

Hi,

I'm new to CakePHP and I came across a little problem.

I created a scaffold to upload a list of schools to my database and
after uploading about 400, I noticed that some of the schools were
disappearing both from the scaffold view and the database. Since no
one else has access to my system, I realized that the only possible
reason for that is that some characters I entered, like apostrophes
('), hyphens (-), and commas (,), caused trouble in the database
somehow.

I created a new scaffold using Bake and decided use Sanitize::clean()
before saving. So far, schools are no longer disappearing, but when I
try to edit one of these, the characters are NOT displayed correctly
in the text boxes (e.g: O&#039;Malley). I tried using the PHP method
htmlspecialchars_decode() (http://us.php.net/htmlspecialchars_decode)
before sending $this->data to the view but it didn't work, characters
are still showing up like that.

I was wondering if someone could help me to solve this problem. I
don't know if I'm doing something wrong, cuz I'm very surprised that
Cake has problems handling special characters, since a lot of last
names use apostrophes. If you think I should use a different approach,
please let me know as well.

Thanks in advance.
Ponch316




Re: Allow some html tags in Sanitize::html()

2009-07-28 Thread majna

There is no way.
Use PHP's strip_tags() and htmlentities() instead

On Jul 28, 12:30 am, Arnau Alcázar Lleopart ar...@alcalleop.net
wrote:
 Does anybody know if there is any way to allow some html tags in
 function Sanitize::html()?

 Thanks in advance!



Re: Allow some html tags in Sanitize::html()

2009-07-28 Thread euromark (munich)

or the htmlpurifier library

On 28 Jul., 11:47, majna majna...@gmail.com wrote:
 There is no way.
 Use PHP's strip_tags() and htmlentities() instead

 On Jul 28, 12:30 am, Arnau Alcázar Lleopart ar...@alcalleop.net
 wrote:

  Does anybody know if there is any way to allow some html tags in
  function Sanitize::html()?

  Thanks in advance!



Re: Allow some html tags in Sanitize::html()

2009-07-28 Thread Arnau Alcázar Lleopart
On Tue, Jul 28, 2009 at 3:56 PM, euromark (munich) 
dereurom...@googlemail.com wrote:


 or the htmlpurifier library


Html purifier is too heavy for what I want to do, and strip_tags() is not
secure enough. I'm going to use Sanitize::html() and bbcode.




Allow some html tags in Sanitize::html()

2009-07-27 Thread Arnau Alcázar Lleopart

Does anybody know if there is any way to allow some html tags in
function Sanitize::html()?

Thanks in advance!




Using HtmlHelper::autolink and Sanitize::clean together

2009-07-21 Thread Jeroen

Hi all,

I've run into a little trouble, which I can't seem to get myself out
of: for certain user input, I want to Sanitize::html() the input when
echoing in my template. So far so good, the Sanitize class does its
job pretty good. Unfortunately, I really like the HtmlHelper::autolink
method for this kind of input too, so people's input gets linked
automatically.

Is there any way of achieving this, combining the two methods? In my
case, it works well, until I enter a url with characters that
Sanitize::html() cleans up; unfortunately, some of these chars are
valid characters for a url (like '', or '-'), and cleaning text like
this renders the urls useless.

For example: a url like http://www.test-test.com will get malformed to
http://www.test&#45;test.com when doing a $html->autolink
(Sanitize::html($url));

What's the best way to deal with this, preferably without sacrificing
on CakePHP's excellent html helper or Sanitize class?

Thanks,

Jeroen




Re: Using HtmlHelper::autolink and Sanitize::clean together

2009-07-21 Thread Jeroen

Figured out a solution: using h() - cake's htmlspecialchars() wrapper
- works together with autolink, whilst maintaining
HtmlHelper::autolink functionality just fine.

Still, if someone has any thoughts on other solutions, involving the
use of the Sanitize::html method, I'd love to hear about it...



Calling Sanitize::clean() in AppModel beforeSave()?

2009-07-13 Thread Miles J

Has anyone done this before? I'm planning on doing this because it's a
lot easier instead of doing it separately everywhere else. Are there
any downsides to doing this?



Re: Calling Sanitize::clean() in AppModel beforeSave()?

2009-07-13 Thread Miles J

Well I tried it and it works, but it messes up any serialized arrays
that you insert into the database. So I had to do a work around for
those, but that's the only problem I ran into so far.

On Jul 13, 1:41 pm, Miles J mileswjohn...@gmail.com wrote:
 Has anyone done this before? I'm planning on doing this because it's a
 lot easier instead of doing it separately everywhere else. Are there
 any downsides to doing this?



auth login sanitize

2009-06-10 Thread rrd...@gmail.com

Hi,

It looks like the auth component does not use sanitize for cleaning the given
username. Password is hashed so it should not be a problem, but as I
see it, username is used as it is.

Is it right?



Re: Sanitize

2009-04-22 Thread John Andersen

Hi Dave,

In your model, add the Sanitize usage, then in your controller, just
save as normal. Like:

Model:
function beforeSave() {
   App::import('Sanitize');
   $this->data = Sanitize::paranoid( $this->data );
   return true; // save() aborts when beforeSave() does not return true
}

Controller:
...
   if ( $this->User->save( $this->data ) ) {
      // All is well with the save, it was validated, sanitized and saved.
   } else {
      // Whoa, failed validation and thus not saved!
   }

Enjoy,
   John



On Apr 21, 9:37 pm, Dave Maharaj :: WidePixels.com
d...@widepixels.com wrote:
 Would something like this work for cleaning data?

 function beforeSave() {
   App::import('Sanitize');
   Sanitize::paranoid($this->data);
   }

 and then in the controller

 if ($this->User->save($this->data)) {

 $this->beforeSave();

 }

 trying to figure out a way to clean the data easier rather than adding to
 the controller

 $this->params['form']['value'] =
 Sanitize::clean($this->params['form']['value'], array(' '));

 Thanks,

 Dave



Re: Sanitize

2009-04-22 Thread brian

Also, there's no need to manually call beforeSave(). In fact, you were
trying to call it *after* the save() had been done.

On Wed, Apr 22, 2009 at 7:06 AM, John Andersen j.andersen...@gmail.com wrote:

 Hi Dave,

 In your model, add the Sanitize usage, then in your controller, just
 save as normal. Like:

 Model:
 function beforeSave() {
   App::import('Sanitize');
   $this->data = Sanitize::paranoid( $this->data );
 }

 Controller:
 ...
   if ( $this->User->save( $this->data ) ) {
      // All is well with the save, it was validated, sanitized and
 saved.
   } else {
      // Whoa, failed validation and thus not saved!
   }

 Enjoy,
   John



 On Apr 21, 9:37 pm, Dave Maharaj :: WidePixels.com
 d...@widepixels.com wrote:
 Would something like this work for cleaning data?

 function beforeSave() {
   App::import('Sanitize');
   Sanitize::paranoid($this->data);
   }

 and then in the controller

 if ($this->User->save($this->data)) {

 $this->beforeSave();

 }

 trying to figure out a way to clean the data easier rather than adding to
 the controller

 $this->params['form']['value'] =
 Sanitize::clean($this->params['form']['value'], array(' '));

 Thanks,

 Dave
 





Sanitize

2009-04-21 Thread Dave Maharaj :: WidePixels.com
Would something like this work for cleaning data? 
 
 
function beforeSave() {
  App::import('Sanitize');
  Sanitize::paranoid($this->data);
  }
 
and then in the controller 
 
if ($this->User->save($this->data)) {
 
$this->beforeSave();
 
}
 
trying to figure out a way to clean the data easier rather than adding to
the controller 
 
$this->params['form']['value'] =
Sanitize::clean($this->params['form']['value'], array(' '));
 
Thanks,
 
Dave

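What the two beforeSave() threads ("Calling Sanitize::clean() in AppModel beforeSave()?" and this one) ask for, with the two points the replies raise: save() aborts unless beforeSave() returns true, and a global clean breaks serialized arrays, so those fields need to be skipped. This is an added example, not code from the threads or from CakePHP: cleanString() is a stand-in for the entity-encoding step of Sanitize::clean(), and cleanForSave(), the $noClean property and the sample data are constructed.

```php
<?php
// Added example: one cleaning pass for every save, with the fields that hold
// serialized data left alone.

/** Stand-in for the encode step of Sanitize::clean(): entity-encode a string. */
function cleanString($value) {
    return htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8');
}

/**
 * Walk a CakePHP-style $data array (Model => field => value) and clean every
 * string value, except the fields listed in $skip as 'Model.field'.
 */
function cleanForSave(array $data, array $skip = array()) {
    foreach ($data as $model => $fields) {
        if (!is_array($fields)) {
            continue;
        }
        foreach ($fields as $field => $value) {
            if (in_array("$model.$field", $skip, true)) {
                continue;                      // serialized or otherwise opaque field
            }
            if (is_string($value)) {
                $data[$model][$field] = cleanString($value);
            }
        }
    }
    return $data;
}

// Where this would sit in app_model.php (CakePHP 1.2/1.3 callback; shown as a
// comment because it needs the framework to run):
//
// class AppModel extends Model {
//     var $noClean = array();            // per model, e.g. array('Setting.options')
//     function beforeSave($options = array()) {
//         $this->data = cleanForSave($this->data, $this->noClean);
//         return true;                   // without this, save() returns false
//     }
// }

// Constructed sample: one plain field, one field holding a serialized array.
$data = array('Setting' => array(
    'name'    => "O'Malley <b>",
    'options' => serialize(array('theme' => 'dark')),
));

// A global clean encodes the quotes inside the serialized string, and
// unserialize() can no longer read it (the problem Miles J ran into).
$naive = cleanForSave($data);
echo "naive clean, options still unserializable? ",
     var_export(@unserialize($naive['Setting']['options']) !== false, true), "\n";

// With the field skipped, the plain field is still cleaned and the array survives.
$safe = cleanForSave($data, array('Setting.options'));
echo "name after clean: ", $safe['Setting']['name'], "\n";
echo "skipped field, options still unserializable? ",
     var_export(unserialize($safe['Setting']['options']) !== false, true), "\n";
```

Cleaning at save time does not replace escaping at output: the view still has to pass every value through h(), as the other threads on this page point out.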



Sanitize Question

2008-12-19 Thread Tim

I want to sanitize the post before working with it or saving it to the
database.

Like this:
<?php
App::import('Sanitize');
$this->data['Upload'] = Sanitize::clean($this->data['Upload']);
?>

I have two questions:
1) Is this even necessary? Is this going to do anything for me or is
it already being done?
2) After I change <>$%$ to this &lt;&gt;$&#37;$ with the
sanitizer; how do I get it back to <>$%$ in the view? Is there a
helper for this?

Any help is appreciated. There are a few other unanswered posts about
this...



Re: Sanitize Question

2008-12-19 Thread teknoid

Doesn't seem like it would be necessary...
The only data that's dangerous for your DB is any sort of SQL
exploit, which you are already protected from by the core.
(i.e. the values are escaped before insertion or selection from DB).

On the other hand, you do need to make your data safe in the view...
so that one cannot add malicious javascript as part of the comments,
for example.
cake has a handy function h(), which you can use like: echo h($someData);
... which will escape HTML chars and prevent script
injection, etc.

On Dec 19, 3:44 pm, Tim <t...@gurske.com> wrote:
> I want to sanitize the post before working with it or saving it to the
> database.
>
> Like this:
> <?php
> App::import('Sanitize');
> $this->data['Upload'] = Sanitize::clean($this->data['Upload']);
> ?>
>
> I have two questions:
> 1) Is this even necessary? Is this going to do anything for me or is
> it already being done?
> 2) After I change <>$%$ to &lt;&gt;$&#37;$ with the
> sanitizer, how do I get it back to <>$%$ in the view? Is there a
> helper for this?
>
> Any help is appreciated. There are a few other unanswered posts about
> this...



Re: Sanitize::html replacing newlines with literal \n

2008-12-04 Thread Mathew

Sanitize::html does not call stripWhitespace().

Sanitize::html replaces special characters with html escaped
characters, but I believe it leaves \n alone since the backslash does
not need escaping in html.

I am able to sanitize my data while retaining the new line character.
The only problem I've had is that the SQL cleaner adds an extra
backslash but otherwise it works fine for me.

// escape HTML in the comments field, keeping the newlines
$this->data['Document']['comments'] = $this->cleaner->html($this->data['Document']['comments'], true);
// run the general cleaner over the whole record
$this->data = $this->cleaner->clean($this->data);
// the cleaner leaves a literal backslash-n; turn it into a line break for display
$this->data['Document']['comments'] = str_replace("\\n", "<br/>", $this->data['Document']['comments']);




Re: Sanitize::html replacing newlines with literal \n

2008-12-04 Thread RyOnLife


@Matthew: Yes it does. I commented it out and it fixed the problem.



Re: Sanitize::html replacing newlines with literal \n

2008-12-04 Thread Mathew

What version of Cake are you using?



Re: Sanitize::html replacing newlines with literal \n

2008-12-04 Thread RyOnLife


1.2 RC3
cake/libs/sanitize.php
line 147


mathew-2 wrote:
> What version of Cake are you using?




Re: Sanitize::html replacing newlines with literal \n

2008-12-04 Thread Mathew

That function is not called from Sanitize::html()




Re: Sanitize::html replacing newlines with literal \n

2008-12-04 Thread RyOnLife


My bad. You're right. I just realized that while I thought commenting that
line out in sanitize.php did the trick, it actually worked because I'd
commented out the call to Sanitize::clean() in my controller. So it's not
Sanitize::html() that's the problem.

Looks like I am back to square one... How can I prevent newlines being
converted to literal \n?




mathew-2 wrote:
> That function is not called from Sanitize::html()




Re: Sanitize::html replacing newlines with literal \n

2008-12-04 Thread Mathew

If you read my post further up from today. I already posted the source
code that resolves your problem.



Re: Sanitize::html replacing newlines with literal \n

2008-12-04 Thread RyOnLife


Thanks. Strange that your newlines were double backslashed. Your post put me
on the right track. I am using pre tags in my markup and didn't want to have
to go through all of my controllers looking for each instance of
Sanitize::clean, so I now have this as line 236 in sanitize.php:

$data = str_replace('\n', "\n", $data); // turn the literal backslash-n back into a real newline




mathew-2 wrote:
> If you read my post further up from today. I already posted the source
> code that resolves your problem.




Sanitize::html replacing newlines with literal \n

2008-12-03 Thread RyOnLife


When Sanitize::html runs on data, it is changing newlines to \n. When I look
at my data in MySQL, it's literally filled with \n characters. This renders
both PRE and nl2br() because they're looking for newlines, not the
characters \n. How can I get Sanitize::html to leave the newlines alone
instead of converting to \n? Thanks!



Re: Sanitize::html replacing newlines with literal \n

2008-12-03 Thread RyOnLife


Looking at http://api.cakephp.org/sanitize_8php-source.html#l00103 it appears
that stripWhitespace() is the offending function.

I'd rather not modify the Cake core, so is there another way to change this
function to suit my needs?



Sanitize, weird. Class 'App' not found.

2008-11-18 Thread Louie Miranda
<?php
App::import('Sanitize');
class CatalogsController extends AppController
{

*Fatal error*: Class 'App' not found in *
 /Volumes/Web/Www/adminpage2/app/controllers/catalogs_controller.php* on
 line *2*


It's weird. I think this is the proper way of instantiating the App::import.
However, I got the error - Class 'App' not found? hehe.

Any ideas? Do I have to clear my cache again? or check the import path?
anyway, I am going to check again.

-- 
Louie Miranda ([EMAIL PROTECTED])
http://blog.louiemiranda.net

Security Is A Series Of Well-Defined Steps
chmod -R 0 / ; and smile :)




Re: Sanitize, weird. Class 'App' not found.

2008-11-18 Thread Louie Miranda
However,

uses('sanitize');

Works.

Louie

On Tue, Nov 18, 2008 at 4:10 PM, Louie Miranda <[EMAIL PROTECTED]> wrote:

> <?php
> App::import('Sanitize');
> class CatalogsController extends AppController
> {
>
> *Fatal error*: Class 'App' not found in *
> /Volumes/Web/Www/adminpage2/app/controllers/catalogs_controller.php* on
> line *2*
>
>
> It's weird. I think this is the proper way of instantiating the App::import.
> However, I got the error - Class 'App' not found? hehe.
>
> Any ideas? Do I have to clear my cache again? or check the import path?
> anyway, I am going to check again.
>
> --
> Louie Miranda ([EMAIL PROTECTED])
> http://blog.louiemiranda.net
>
> Security Is A Series Of Well-Defined Steps
> chmod -R 0 / ; and smile :)




-- 
Louie Miranda ([EMAIL PROTECTED])
http://blog.louiemiranda.net

Security Is A Series Of Well-Defined Steps
chmod -R 0 / ; and smile :)




Re: Sanitize, weird. Class 'App' not found.

2008-11-18 Thread Daniel Hofstetter

Hi Louie,

> <?php
> App::import('Sanitize');
> class CatalogsController extends AppController
> {
>
> *Fatal error*: Class 'App' not found in *
>
> > /Volumes/Web/Www/adminpage2/app/controllers/catalogs_controller.php* on
> > line *2*
>
> It's weird. I think this is the proper way of instantiating the App::import.
> However, I got the error - Class 'App' not found? hehe.
>
> Any ideas? Do I have to clear my cache again? or check the import path?
> anyway, I am going to check again.

Try App::import('Core', 'Sanitize');

Hope that helps!

--
Daniel Hofstetter
http://cakebaker.42dh.com



Re: Sanitize, weird. Class 'App' not found.

2008-11-18 Thread Dardo Sordi Bogado

@Daniel

> *Fatal error*: Class 'App' not found in *

That means there is not such class... so changing parameters would
make no difference.

@Louie: Are you using Cake 1.2? If yes, then it is a very old one...
If not, App::import() is for Cake 1.2

Regards,
- Dardo Sordi.


On Tue, Nov 18, 2008 at 7:33 AM, Daniel Hofstetter <[EMAIL PROTECTED]> wrote:
>
> Hi Louie,
>
> > <?php
> > App::import('Sanitize');
> > class CatalogsController extends AppController
> > {
> >
> > *Fatal error*: Class 'App' not found in *
> >
> > > /Volumes/Web/Www/adminpage2/app/controllers/catalogs_controller.php* on
> > > line *2*
> >
> > It's weird. I think this is the proper way of instantiating the App::import.
> > However, I got the error - Class 'App' not found? hehe.
> >
> > Any ideas? Do I have to clear my cache again? or check the import path?
> > anyway, I am going to check again.
>
> Try App::import('Core', 'Sanitize');
>
> Hope that helps!
>
> --
> Daniel Hofstetter
> http://cakebaker.42dh.com





Re: Sanitize, weird. Class 'App' not found.

2008-11-18 Thread mark_story

If you are using 1.1 there is no App class and as such you must use
uses()

-Mark

On Nov 18, 3:10 am, Louie Miranda <[EMAIL PROTECTED]> wrote:
> <?php
> App::import('Sanitize');
> class CatalogsController extends AppController
> {
>
> *Fatal error*: Class 'App' not found in *
>
> > /Volumes/Web/Www/adminpage2/app/controllers/catalogs_controller.php* on
> > line *2*
>
> It's weird. I think this is the proper way of instantiating the App::import.
> However, I got the error - Class 'App' not found? hehe.
>
> Any ideas? Do I have to clear my cache again? or check the import path?
> anyway, I am going to check again.
>
> --
> Louie Miranda ([EMAIL PROTECTED])
> http://blog.louiemiranda.net
>
> Security Is A Series Of Well-Defined Steps
> chmod -R 0 / ; and smile :)



Re: Sanitize, weird. Class 'App' not found.

2008-11-18 Thread Daniel Hofstetter

@Dardo Sordi: Ah yes, you are right, I should have read it more
thoroughly. Thanks for correcting me!

--
Daniel Hofstetter
http://cakebaker.42dh.com





undefined method Sanitize::sql()

2008-10-22 Thread Nelson Cysneros


While trying to run the IBM's Cook up Web sites fast with CakePHP
tutorial, I get the following error message.

Fatal error: Call to undefined method Sanitize::sql() in
C:\wamp\www\tor\app\controllers\users_controller.php on line 18

Every thing works until I add the Sanitize::sql methods.  I'm using
the tutorial code sample to run it, using Cakephp 1.2.0.7296-rc2.

Reading through the newsgroup, it sounds like we no longer need to use
the Sanitize method. It's done automatically for you when you save...
Can anyone verify this?  Should the tutorial code work anyway?  Any
suggestions?

Thanks.



Re: undefined method Sanitize::sql()

2008-10-22 Thread Gwoo

Sanitize was never required to prevent sql injection as the dbo layer
handles that already by correctly escaping values. If you want to use
Sanitize make sure you App::import('Sanitize')



Re: Sanitize problem with writing negative numbers into db

2008-10-12 Thread Stinkbug

The best part of sanitize that I found was the stripAll/stripScripts,
if you want to prevent things like XSS attacks.  However, I'm a big fan
of the HTMLPurifier that I'm already using in my app.  I think for my
app, I'm going to use the HTMLPurifier and create a function to loop
through arrays of data, much like the Sanitize::clean, to clean up my
data.  Just some thoughts.

Speaking of which, how does Sanitize::clean loop through an entire
array?  Is there some sort of method that's already built into cake
that will do this?

On Oct 10, 7:37 am, stefanski <[EMAIL PROTECTED]> wrote:
> Hi folks, I want to clean up user input before saving into the
> database, but when I Sanitize::clean($this->data) it changes negative
> integer values like -10 into &#45;10 and I get a database (Postgres)
> error because - obviously - it's not an integer anymore.
>
> I want to avoid manually cleaning every text field and wonder, what
> other people - like you! - do ??
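As an added example (not code from any post in this thread, and not part of CakePHP's Sanitize class): a recursive walker over a CakePHP-style $this->data array that applies a cleaning callback to string leaves only, which is what Stinkbug asks about above and what keeps stefanski's -10 an integer, with the HTML escape kept for output time as teknoid and Dardo recommend. The function names and the sample POST data are constructed for the demonstration.

```php
<?php
// Added example (not from any post in this thread, not CakePHP code):
// walk a nested form-data array and clean only its string leaves.

/**
 * Recursively apply $clean to every string value in $data.
 * Keys are preserved so the Model.field structure of $this->data survives.
 * Non-strings (int, float, bool, null) are passed through untouched, so a
 * negative integer never turns into an HTML entity.
 */
function walkFormData(array $data, callable $clean): array
{
    $out = [];
    foreach ($data as $key => $value) {
        if (is_array($value)) {
            $out[$key] = walkFormData($value, $clean);
        } elseif (is_string($value)) {
            $out[$key] = $clean($value);
        } else {
            $out[$key] = $value; // nothing to escape or strip
        }
    }
    return $out;
}

/**
 * Output escaping, equivalent to what CakePHP's h() does.
 * This is the step that belongs in the view, not before save: it leaves
 * newlines alone, and "-10" stays "-10".
 */
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

/**
 * Strip-only cleaner for the "paranoid" use case: keep the string but drop
 * every character outside a small allow-list. '-' is allowed, so numeric
 * strings keep their sign; '\n' is allowed, so line breaks survive.
 */
function paranoidClean(string $value): string
{
    return preg_replace('/[^A-Za-z0-9 _.\-@\n]/', '', $value);
}

// Constructed sample: a POST body as CakePHP presents it in $this->data.
$formData = [
    'Document' => [
        'title'    => 'Hello <script>alert(1)</script>',
        'comments' => "line one\nline two",
        'balance'  => -10,    // integer: must stay an integer
        'rating'   => '-10',  // numeric string: must keep its sign
    ],
];

// For the view: escape once, at output time.
$escaped = walkFormData($formData, 'escapeForHtml');
// title becomes 'Hello &lt;script&gt;alert(1)&lt;/script&gt;',
// comments keep their real newline, balance stays int(-10), rating stays '-10'

// For storage with a strip-only policy: remove, do not entity-encode.
$stripped = walkFormData($formData, 'paranoidClean');
// title becomes 'Hello scriptalert1script', rating stays '-10'

var_export($escaped);
var_export($stripped);
```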



Re: Sanitize problem with writing negative numbers into db

2008-10-11 Thread Dardo Sordi Bogado

Cake will escape your data before saving it to the database if you are
using Model::save(); your model should validate the data so it conforms
to your application's input requirements; cake helpers (form/html) will
escape it when displaying, and you can use the h() function for
outputting data that can have bad html. So: why are you using Sanitize?

On Fri, Oct 10, 2008 at 10:37 AM, stefanski <[EMAIL PROTECTED]> wrote:
>
> Hi folks, I want to clean up user input before saving into the
> database, but when I Sanitize::clean($this->data) it changes negative
> integer values like -10 into &#45;10 and I get a database (Postgres)
> error because - obviously - it's not an integer anymore.
>
> I want to avoid manually cleaning every text field and wonder, what
> other people - like you! - do ??





Sanitize problem with writing negative numbers into db

2008-10-10 Thread stefanski

Hi folks, I want to clean up user input before saving into the
database, but when I Sanitize::clean($this->data) it changes negative
integer values like -10 into &#45;10 and I get a database (Postgres)
error because - obviously - it's not an integer anymore.

I want to avoid manually cleaning every text field and wonder, what
other people - like you! - do ??



Re: sanitize::html - newline problem

2008-10-06 Thread villas

Hi,
I don't think you are correct about that.  Did you check the source
code of your browser output to verify that the \n newlines had really
been removed?  You may find that they are still there  :-)

Simply use:   echo nl2br($your_string)  to show the newlines as
breaks.

HTH

On Oct 5, 10:49 am, . <[EMAIL PROTECTED]> wrote:
> i am trying to use sanitize::html. my problem is that it even removes new
> line characters \n, which i want to keep. how would you handle this in cake?
> thanks



Re: sanitize::html - newline problem

2008-10-06 Thread mark_story

On Oct 5, 5:49 am, . <[EMAIL PROTECTED]> wrote:
> i am trying to use sanitize::html. my problem is that it even removes new
> line characters \n, which i want to keep. how would you handle this in cake?
> thanks

HTML collapses all whitespace to a single space. Like villas said,
check your source, or use a white-space: pre; style.

-Mark


