q0re

Reputation: 1359

CakePHP form validation against javascript code

I am developing a CakePHP (2.5.6) application where users can enter comments, blog posts and more. The users can use HTML markup (h1, h2, ..., quote, ...).

How can I add security to the form inputs so a user cannot add JavaScript code like <script>alert('foo');</script> or anything else?

I have tested it with a simple $this->Form->input('description');. Now if I display the description with echo $data['Post']['description'], the alert is displayed on page refresh.

What is the common way to prevent this? Does CakePHP provide any helpers or functions?

Upvotes: 0

Views: 733

Answers (1)

floriank

Reputation: 25698

Well, you should push all output on a webpage through h(), which is the Cake shortcut for htmlspecialchars. Even output you've fetched from an API or a hardware sensor. Who tells you they can't give you malicious data? Most fundamental security rule: don't trust any data input in your system.

If you need a more detailed sanitizer, there is HTML Purifier, which is a lib, and a CakePHP plugin for it, that allows you to come up with specific filtering. For example, disallow <script> but allow <b> and <a>. It can even filter allowed HTML attributes. Read the documentation.

Upvotes: 1
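An added example (not from the answer above or from CakePHP itself) showing the two approaches side by side: h() escapes everything, which is safe but also stops the allowed headings from rendering, while HTML Purifier with an allowlist keeps h1/h2/blockquote/b/a and strips the script. It assumes the ezyang/htmlpurifier library is installed via Composer; the h() fallback mirrors CakePHP 2.x so the script also runs outside Cake.

```php
<?php
// Added example, not the answer's or CakePHP's own code.
// Assumes HTML Purifier is available through Composer's autoloader.
require_once 'vendor/autoload.php';

if (!function_exists('h')) {
    // CakePHP 2.x's h() is htmlspecialchars() with ENT_QUOTES and UTF-8.
    function h($text) {
        return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    }
}

// Constructed sample comment: allowed markup mixed with an injected script,
// an inline event handler and a javascript: URL.
$description = '<h2>Hello</h2><blockquote>nice post</blockquote>'
    . '<a href="javascript:alert(1)" onclick="alert(2)">link</a>'
    . '<script>alert(\'foo\');</script>';

// 1. What the question does: raw output, so the script runs in the
//    visitor's browser. Never do this.
//    echo $data['Post']['description'];

// 2. h(): every tag becomes literal text. Safe for any context where the
//    user is not supposed to supply markup at all.
$escaped = h($description);

// 3. HTML Purifier with an allowlist: only the listed tags and attributes
//    survive. <script>, the onclick attribute and the javascript: href are
//    all removed; only http/https links are allowed through.
$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.Allowed', 'h1,h2,blockquote,b,a[href]');
$config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
$purifier = new HTMLPurifier($config);
$clean = $purifier->purify($description);

// $escaped shows the tags as text; $clean keeps the heading, quote and link
// text but contains no <script> and no javascript: URL.
echo "escaped: ", $escaped, "\n";
echo "purified: ", $clean, "\n";
```

Purify once on save (or on output, but consistently), then render the purified HTML without h(); everything else on the page still goes through h().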
