I have the following example of what a user might type into a field for a post name:
<h1><span>They're awesome people</span></h1>
Now, because this is a post title, I want to remove all that HTML completely before saving it to the database. This is a) for security reasons and b) because if I export this as JSON I don't want to be cleaning up HTML on output for 3rd-party users.
I have tried the following in my model:
    // Model callback (CakePHP 2.x style; Sanitize must be loaded at the top of the
    // model file, e.g. App::uses('Sanitize', 'Utility') in 2.x).
    public function beforeSave($options = array()) {
        if (isset($this->data[$this->alias]['title'])) {
            // First attempt: Sanitize::clean with HTML removal and entity encoding.
            //$this->data[$this->alias]['title'] = Sanitize::clean($this->data[$this->alias]['title'], array('encode' => true, 'remove_html' => true));

            // Second attempt: strip tags via Sanitize::html, then try to undo the
            // entity encoding it applies.
            $this->data[$this->alias]['title'] = html_entity_decode(Sanitize::html($this->data[$this->alias]['title'], array('remove' => true)));
        }
        return true;
    }
As you can see, I have tried both clean and html from the Sanitize class to clean out the HTML, but both cause a problem in that they escape the quote in they're, turning it into &#039;. I have tried wrapping the sanitize call in html_entity_decode to clean this up, but it still happens. Any ideas on how to do this?
If I do this though:
    echo html_entity_decode('They&#039;re awesome people');

it works fine, so the function is fine; it's a problem with using it in conjunction with the Sanitize class in CakePHP.
Thanks
Why not use
Manual
Or even strip_tags
To make Sanitize::html work: it uses htmlentities internally, and the default flag is set to ENT_QUOTES.
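Putting the two answers together (strip_tags from the first, and the second's point that Sanitize::html always finishes with htmlentities using ENT_QUOTES, which is what turns the apostrophe into &#039;), here is an added example of the approach that keeps the stored title as plain text. It is not code from the question, the answers or CakePHP itself; the function names plain_text_title and escape_for_html and the sample inputs are constructed for this example, and it assumes PHP 5.4 or later for ENT_HTML5. One caveat a practitioner should know: html_entity_decode only turns &#039; back into an apostrophe when ENT_QUOTES is passed explicitly, because on PHP 5.4 through 8.0 its default flags are ENT_COMPAT, which leaves single-quote entities alone; that is why wrapping Sanitize::html in a bare html_entity_decode does not help.

```php
<?php
// Added example, not from the question or answers above: reduce a plain-text
// field such as a post title to plain text before it is stored, without
// leaving the apostrophe in "They're" encoded as &#039;.
//
// Order of operations matters:
//   1. html_entity_decode turns entities (typed by the user or produced by an
//      earlier sanitizer) back into characters: &#039; -> ' and &lt;b&gt; -> <b>.
//      ENT_QUOTES is passed explicitly; the PHP 5.4 - 8.0 default (ENT_COMPAT)
//      does not decode &#039;.
//   2. strip_tags then removes any tag, whether typed as <b> or smuggled in as
//      &lt;b&gt;. It keeps the text between tags, so <script>alert(1)</script>
//      becomes the harmless text alert(1).
//   3. Whitespace left behind by removed tags is collapsed.
//
// The stored value is plain text, not "safe HTML": it must still be escaped
// when rendered (CakePHP's h(), which wraps htmlspecialchars).

function plain_text_title($raw)
{
    $decoded   = html_entity_decode($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $stripped  = strip_tags($decoded);
    $collapsed = preg_replace('/\s+/u', ' ', $stripped);
    return trim($collapsed);
}

// What the view layer does with the stored title; equivalent to CakePHP's h().
function escape_for_html($plain)
{
    return htmlspecialchars($plain, ENT_QUOTES, 'UTF-8');
}

// Constructed sample inputs paired with the plain text each should produce.
$cases = array(
    "<h1><span>They're awesome people</span></h1>" => "They're awesome people",
    "They&#039;re awesome people"                  => "They're awesome people",
    "&lt;b&gt;bold&lt;/b&gt; title"                => "bold title",
    "<script>alert(1)</script>Hello"               => "alert(1)Hello",
    "  Lots   of \n whitespace  "                  => "Lots of whitespace",
);

foreach ($cases as $input => $expected) {
    $got = plain_text_title($input);
    $ok  = ($got === $expected) ? 'ok  ' : 'FAIL';
    printf("%s %-50s -> %s\n", $ok, json_encode($input), $got);
}

// Output side: escape when rendering, never store the escaped form.
$stored = plain_text_title("<b>Tom &amp; Jerry's <i>\"best\"</i></b>");
echo "stored : ", $stored, "\n";                  // Tom & Jerry's "best"
echo "in HTML: ", escape_for_html($stored), "\n"; // Tom &amp; Jerry&#039;s &quot;best&quot;
```

In the model, plain_text_title would replace the Sanitize::html call in beforeSave; the JSON export then gets a clean string, and any HTML view escapes it with h() at render time. Decoding before stripping is deliberate: stripping first and decoding afterwards would let an entity-encoded tag such as &lt;b&gt; survive as a literal <b> in the stored text, which is harmless only as long as every consumer escapes it.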