Yii框架中使用CHtmlPurifier过滤文本内容防止XSS攻击
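// 1. Usage in a controller action: purify the submitted HTML before the record is saved.
public function actionCreate()
{
    $model = new News;

    // Only http/https links survive, and only <div> elements are allowed through.
    $purifier = new CHtmlPurifier();
    $purifier->options = array(
        'URI.AllowedSchemes' => array(
            'http' => true,
            'https' => true,
        ),
        'HTML.Allowed' => 'div',
    );

    if (isset($_POST['News'])) {
        $model->attributes = $_POST['News'];
        // `attributes` is an overloaded (__get/__set) property: writing into
        // $model->attributes['content'] only modifies a temporary copy and the
        // stored value stays unpurified, so assign to the attribute itself.
        $model->content = $purifier->purify($model->content);
        if ($model->save()) {
            $this->redirect(array('view', 'id' => $model->id));
        }
    }
}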
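// 2. Usage in the model: purify `content` on every save, so that editing an
//    existing record cannot reintroduce markup that was filtered out on creation.
//    Returns false (and aborts the save) only when the parent hook does.
protected function beforeSave()
{
    if (!parent::beforeSave()) {
        return false;
    }

    // Only http/https links survive, and only <div> elements are allowed through.
    $purifier = new CHtmlPurifier();
    $purifier->options = array(
        'URI.AllowedSchemes' => array(
            'http' => true,
            'https' => true,
        ),
        'HTML.Allowed' => 'div',
    );

    if ($this->isNewRecord) {
        // 'i' is the minutes field; the original 'H:m:s' repeated the month ('m').
        // 'Y' gives a four-digit year, the usual DATETIME form.
        $this->create_data = date('Y-m-d H:i:s');
    }

    // Purify on insert and update alike. The original only purified new
    // records, which left the update path storing content unfiltered.
    $this->content = $purifier->purify($this->content);

    return true;
}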
// 3. Usage as a controller filter: declare the filters that wrap this controller's actions.
public function filters()
{
    $filters = array();
    $filters[] = 'accessControl';     // access control for the CRUD actions
    $filters[] = 'postOnly + delete'; // deletion is accepted via POST only
    $filters[] = 'purifier + create'; // the 'purifier' filter (filterPurifier) runs before actionCreate
    return $filters;
}
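// Filter attached to actionCreate via filters(): purify the posted content before the action runs.
public function filterPurifier($filterChain)
{
    // Only http/https links survive, and only <div> elements are allowed through.
    $purifier = new CHtmlPurifier();
    $purifier->options = array(
        'URI.AllowedSchemes' => array(
            'http' => true,
            'https' => true,
        ),
        'HTML.Allowed' => 'div',
    );

    // The key must match what actionCreate reads ($_POST['News']); the original
    // looked at $_POST['news'], so the filter never touched real submissions.
    // Checking the 'content' key too avoids an undefined-index notice when the
    // form omits it. The original also called an undefined $purify closure
    // (and had an unbalanced isset parenthesis); the call belongs on $purifier.
    if (isset($_POST['News']['content'])) {
        $_POST['News']['content'] = $purifier->purify($_POST['News']['content']);
    }

    $filterChain->run();
}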
<?php /* 4. Usage in a view: the output rendered between beginWidget() and endWidget() is passed through the CHtmlPurifier widget before it reaches the page. */ $this->beginWidget('CHtmlPurifier'); ?>
...显示用户输入的内容在这里....
<?php $this->endWidget(); ?>