2015-01-27

Using CHtmlPurifier in the Yii framework to filter text content and prevent XSS attacks

1. Using it in a controller:

public function actionCreate()
{
    $model=new News;

    $purifier = new CHtmlPurifier();
    $purifier->options = array(
        // only http/https links survive; javascript:, data: etc. are dropped
        'URI.AllowedSchemes'=>array(
            'http' => true,
            'https' => true,
        ),
        // whitelist: every element not listed here is stripped
        'HTML.Allowed'=>'div',
    );

    if(isset($_POST['News']))
    {
        $model->attributes=$_POST['News'];
        // $model->attributes is a magic getter, so writing to
        // $model->attributes['content'] has no effect; assign the attribute directly
        $model->content = $purifier->purify($model->content);
        if($model->save())
            $this->redirect(array('view','id'=>$model->id));
    }
}

2. Using it in a model:

protected function beforeSave()
{
    $purifier = new CHtmlPurifier();
    $purifier->options = array(
        'URI.AllowedSchemes'=>array(
            'http' => true,
            'https' => true,
        ),
        'HTML.Allowed'=>'div',
    );

    if(parent::beforeSave()){
        if($this->isNewRecord){
            // 'Y' = 4-digit year, 'i' = minutes ('y-m-d H:m:s' would store the month as the minutes)
            $this->create_data = date('Y-m-d H:i:s');
        }
        // purify on every save, not only on insert, so edited content is filtered too
        $this->content = $purifier->purify($this->content);
        return true;
    }else{
        return false;
    }
}

3. Using it in a filter:

public function filters()
{
    return array(
        'accessControl', // perform access control for CRUD operations
        'postOnly + delete', // we only allow deletion via POST request
        'purifier + create', // purify the submitted content before the create action runs
    );
}

public function filterPurifier($filterChain){
    $purifier = new CHtmlPurifier();
    $purifier->options = array(
        'URI.AllowedSchemes'=>array(
            'http' => true,
            'https' => true,
        ),
        'HTML.Allowed'=>'div',
    );
    // the form posts under the model name, so the key is 'News' as in actionCreate()
    if(isset($_POST['News'])){
        $_POST['News']['content'] = $purifier->purify($_POST['News']['content']);
    }
    // continue with the remaining filters and the action itself
    $filterChain->run();
}

4. Using it in a view:

<?php $this->beginWidget('CHtmlPurifier'); ?>
    ...display user-entered content here...
<?php $this->endWidget(); ?>
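To see what the options above actually do to hostile input, here is an added example (not code from the original post) that runs one configured purifier over a few constructed samples. It assumes a Yii 1.x application is already bootstrapped (for instance inside a console command) so that CHtmlPurifier is autoloadable; `newsPurifier()` and the sample strings are this example's own, and the whitelist is slightly wider than the post's `div`-only setting so that ordinary article markup survives.

```php
<?php
// Added example, not from the original post. Requires a bootstrapped Yii 1.x app.

/**
 * Hypothetical helper: builds the purifier once and reuses it for the request.
 * HTMLPurifier configuration is expensive, so avoid recreating it per call.
 */
function newsPurifier()
{
    static $purifier = null;
    if ($purifier === null) {
        $purifier = new CHtmlPurifier();
        $purifier->options = array(
            // Only http/https URLs are kept in href; javascript: and data: are removed.
            'URI.AllowedSchemes' => array('http' => true, 'https' => true),
            // element[attr,attr] whitelist. No on* attributes are listed, so inline
            // event handlers can never reach the stored content.
            'HTML.Allowed' => 'div,p,br,b,i,ul,ol,li,a[href]',
        );
    }
    return $purifier;
}

// Constructed sample input mixing legitimate markup with typical XSS payloads.
$samples = array(
    '<p>Hello <b>world</b></p>',                          // allowed markup, kept
    '<div onclick="alert(1)">click</div>',                 // div kept, onclick dropped
    '<script>alert(document.cookie)</script><p>after</p>', // script removed entirely
    '<a href="javascript:alert(1)">link</a>',              // javascript: href dropped
    '<a href="https://example.com/">ok link</a>',          // https href kept
);

foreach ($samples as $html) {
    echo "IN : $html\n";
    echo "OUT: " . newsPurifier()->purify($html) . "\n\n";
}
```

Whichever of the four placements from the post you choose, the purifier should run on both the create and the update path, otherwise an edit can reintroduce what the create step filtered out.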
