php - CakePhp: Avoid XSS attack keeping the ease of use of cake -

-

one of things cakephp, can have generated edited form allows save.

e.g. in controller:

function add() {         if (!empty($this->data)) {             $this->post->create();             if ($this->post->save($this->data)) {                 $this->session->setflash(__('the post has been saved', true));                 $this->redirect(array('action' => 'index'));             } else {                 $this->session->setflash(__('the post not saved. please, try again.', true));             }         }         $users = $this->post->user->find('list');         $this->set(compact('users'));     }

the problem our fields vulnerable xss (cross site scripting). i'm aware of "sanitize::clean" way, i've problem that: it's mean have on fields before save object. , if once add 1 field? should go on our code check sanitize it?? there way "sanitize object before save it", without specifing fields?

thank you!

you can @ beforesave() method models

http://book.cakephp.org/view/1052/beforesave

the data submitted available in $this->data[$this->alias] array, could

foreach($this->data[$this->alias] $k => $v) {    $this->data[$this->alias][$k] = sanitize::clean($v); }

usually want store whatever submitted user in database , sanitize when need display it, way still preserve original html content (if indeed intended html input (for instance: blog post)).

if want sanitize before displaying, using afterfind() don't have call sanitize everytime.

http://book.cakephp.org/view/1050/afterfind

function afterfind($results, $primary) {    $tosanitize = array('field1', 'field2', 'field4');    if(!empty($results[0])) {       foreach($results $i => $res) {          foreach($tosanitize $ts) {             if(!empty($res[$this->alias][$ts]))                 $results[$i][$this->alias][$ts] = sanitize::clean($res[$this->alias][$ts]);             }          }       }    } else {       foreach($tosanitize $ts) {         if(!empty($results[$ts]))             $results[$ts] = sanitize::clean($results[$ts]);         }      }    }     return $results; }

Comments

Post a Comment

Popular posts from this blog

c# - How to set Z index when using WPF DrawingContext? -

-
how set z-index drawing object when using drawingcontext.drawxxx() methods? the object drawn last have higher z index. can't change index of drawn objects. way draw in order. if using wpf (as placed tag), can use, example, canvas control. create shapes need like polyline obj = new polyline(); //... // ... set properties of obj and add them canvas uielementcollection: yourcanvasname.children.add(obj); //or yourcanvasname.children.insert(i, obj); first items of collection have higher z index. advantages in way: no need redraw on window changes, can anytime move objects , change order.
Read more

razor - Is this a bug in WebMatrix PageData? -

-
i think may have found bug in webmatrix's pagedata, not sure. concerns how pass data partial page calling page. in webmatrix documentation (tutorials, e.g. " 3 - creating consistent look ", , example code), pagedata recommended mechanism pass data between pages (e.g. content page layout page, or partial page). however have found not work other way, pass data partial page calling page. modifying or adding entries in pagedata in partial page, not seem calling page. cutting right down simplest possible example, in test page may have this: @{ pagedata["test"] = "initial entry"; } <p>before calling partial page, test value @pagedata["test"]</p> @renderpage("_testpartial.cshtml") <p>after returning calling page, test value @pagedata["test"]</p> and in _testpartial.cshtml page might have this: @{ pagedata["test"] = "modified entry"; } <p>in partial page...
Read more

android - layout with fragment and framelayout replaced by another fragment and framelayout -

-
edit: so after comments below, revisted , realized hanging me up. imagine client list , client details activity started : public class clientsmainactivity extends fragmentactivity { @override public void oncreate(bundle savedinstancestate) { super.oncreate(savedinstancestate); //studiotabopenhelper db; setcontentview(r.layout.main_client_activity); } } so works great, starts main_client_activity (defined in layout below, , call activity when button on main screen clicked): intent intent = new intent(getactivity(), clientsmainactivity.class); startactivity(intent); easy issue is, clientsmainactivity not call oncreateview or anything, sets layout layout defines fragment, , listfragment. fine cause not trying pass clientsmainactivity , if have hypothetical activity like: sessionmainsactivity called when click on session edit of client, not calling sessionsmainactivity same way (starts activity sets alayout), want layout set defines...
Read more