One of the things I like about CakePHP is that we can easily have a generated edit form which allows us to save.
E.g. in a controller:
    function add() {
        // $this->data holds the submitted form fields (CakePHP 1.x)
        if (!empty($this->data)) {
            $this->Post->create();
            // the posted data goes straight into save() without any sanitizing
            if ($this->Post->save($this->data)) {
                $this->Session->setFlash(__('The post has been saved', true));
                $this->redirect(array('action' => 'index'));
            } else {
                $this->Session->setFlash(__('The post could not be saved. Please, try again.', true));
            }
        }
        // list of users for the select box in the form
        $users = $this->Post->User->find('list');
        $this->set(compact('users'));
    }
The problem with that is that our fields are vulnerable to XSS (cross-site scripting). I'm aware of the "Sanitize::clean" way, but I have a problem with it: it means that we have to do this on all fields before we save the object. And what if we later add a field? Do we have to go through all our code to check that we sanitize it?? Is there any way to say "sanitize this object before saving it" without specifying any fields?
Thank you!
You can look at the beforeSave() method for models: http://book.cakephp.org/view/1052/beforeSave

The submitted data is available in the $this->data[$this->alias] array, so you could

Usually you want to store whatever is submitted by the user in the database and only sanitize it when you need to display it; that way you still preserve the original HTML content (if it is indeed intended to be HTML input, for instance a blog post).

If you want to sanitize before displaying, you could do it using afterFind(), so you don't have to call Sanitize every time: http://book.cakephp.org/view/1050/afterFind
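Putting the two answers together, here is an added example (not code from the thread) of an AppModel for CakePHP 1.3 that escapes every string field of a record without naming the fields, so a column added later is covered automatically. The `$escapeOn` and `$htmlFields` properties and the `escapeRecord()` helper are names chosen for this example; `beforeSave($options)`, `afterFind($results, $primary)` and `Sanitize::html()` are the 1.3 model callbacks and Sanitize method, and the example assumes `Sanitize::html()` with default options encodes `<`, `>`, `&` and quotes rather than stripping tags. Escaping at save time is lossy (the stored text is no longer what the user typed), which is why the second answer prefers escaping at read time; either hook is shown here, selected per model.

```php
<?php
// app/app_model.php -- added example for CakePHP 1.3, not from the original thread.
App::import('Sanitize');

class AppModel extends Model {

    // 'save'    -> escape in beforeSave(), what the question asks for
    //              (lossy: the original markup is not preserved in the database)
    // 'display' -> escape in afterFind(), what the second answer suggests
    // 'none'    -> leave the model alone and escape with h() in the views
    var $escapeOn = 'save';

    // Fields that are meant to hold HTML (e.g. a blog post body). They are left
    // untouched here and must be escaped or purified at output instead.
    var $htmlFields = array();

    function beforeSave($options = array()) {
        // $this->data[$this->alias] holds the submitted fields of this model
        if ($this->escapeOn === 'save' && !empty($this->data[$this->alias])) {
            $this->data[$this->alias] = $this->escapeRecord($this->data[$this->alias]);
        }
        return parent::beforeSave($options);
    }

    function afterFind($results, $primary = false) {
        if ($this->escapeOn === 'display') {
            foreach ($results as $i => $row) {
                // Only the primary result shape ($row['Alias']['field']) is
                // handled; rows fetched through an association are skipped.
                if (is_array($row) && isset($row[$this->alias]) && is_array($row[$this->alias])) {
                    $results[$i][$this->alias] = $this->escapeRecord($row[$this->alias]);
                }
            }
        }
        return parent::afterFind($results, $primary);
    }

    // Escapes every string field of one record, whatever the field names are.
    function escapeRecord($record) {
        foreach ($record as $field => $value) {
            if (is_string($value) && !in_array($field, $this->htmlFields)) {
                // Assumption: Sanitize::html() with default options calls
                // htmlentities() (encodes < > & and quotes) instead of strip_tags().
                $record[$field] = Sanitize::html($value);
            }
        }
        return $record;
    }
}

// app/models/post.php -- the model from the question, opting 'body' out because
// it is meant to contain HTML.
class Post extends AppModel {
    var $name = 'Post';
    var $belongsTo = array('User');
    var $htmlFields = array('body');
}
```

Whichever hook is used, the fields listed in `$htmlFields` are still raw: a title is made safe by `h($post['Post']['title'])` in the view, but a body that is meant to be rendered as HTML needs an HTML purifier (whitelisting tags and attributes), since neither `Sanitize::html()` nor `h()` can keep the markup and remove the script at the same time.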