On Feb 1, 1:52 pm, AD7six <[EMAIL PROTECTED]> wrote:
> On Feb 1, 6:51 am, "R.RajeshJebaAnbiah"
>
> <[EMAIL PROTECTED]> wrote:
> > On Jan 31, 5:55 pm, AD7six <[EMAIL PROTECTED]> wrote:
> >    <snip>
> > > Cake automatically escapes data in db queries - you are already
> > > protected against sql injection. xss etc is a different matter, and is
> > > an example of where sanitize fits in.
>
> >    <snip>
>
> >      Having checked your code in UploadBehavior and been impressed with
> > your tricks, may I know how you handle HTML inputs? I know cake's
> > default scaffolding add and edit interfaces handle HTML inputs, but not
> > view and index.
>
> I'm not sure what aspect of accepting html you are asking about.
>
> How to store it? html in the db
> How to avoid malicious content? Sanitize::stripScripts (or other as
> appropriate) beforeSave
> How to display it? echo $html->clean($stuff) *
    <snip>

      Many thanks for your input. I was talking about the following
situation:
1. Use bake script to create controller, model and views.
2. When creating controller with bake script choose no for scaffolding
and choose basic methods (index, add,..) option
3. When creating view with bake script choose scaffolding view option.

a.  In the generated view page, /foo/add
Enter HTML content, say "<script>alert('cake');</script>"
b. Check the entered content with /foo/edit/id
Here the HTML content is escaped, so there is no JavaScript alert
window.
c. Check the entered content with /foo/view/id
Here the HTML content is not escaped, so an alert window appears.

      It is/was quite difficult to manage the form handling--need to
set validation rules in the model, other stuff in views (like classes,
etc.).  In some cases, the HTML content shouldn't be escaped (when an admin
posts some HTML) but has to be escaped when users post it.

      I thought of moving the validation things to a new behavior
and handling forms and user data with another helper (ref
http://groups.google.com/group/cake-php/msg/06deff28435aacb7 )

       I was just wondering how you control the user content
globally. I understand that you're taking a project-based approach, not
a generalized approach as you've done in your UploadBehavior kit.

--
  <?php echo 'Just another PHP saint'; ?>
Email: rrjanbiah-at-Y!com    Blog: http://rajeshanbiah.blogspot.com/
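The steps a-c above, reduced to plain PHP as an added illustration (this is not code from the thread or from CakePHP): the same stored record is rendered the way the baked view/index template does it, the way the edit form does it, and with a per-record rule for the admin-versus-user case; the `author_is_admin` field is an assumption.

```php
<?php
// Constructed record, as if it had been saved from /foo/add in step a.
$foo = array('Foo' => array(
    'id'              => 1,
    'content'         => "<script>alert('cake');</script>",
    'author_is_admin' => false,   // assumed field, not part of the thread
));

// Step c: a scaffold-style view template echoes the field as-is, so the
// script tag reaches the browser unchanged.
function render_raw($record) {
    return $record['Foo']['content'];
}

// Step b: the edit form places the value in an input attribute escaped,
// so the browser sees text rather than markup. CakePHP's h() is a wrapper
// for the same htmlspecialchars call.
function render_escaped($record) {
    return htmlspecialchars($record['Foo']['content'], ENT_QUOTES, 'UTF-8');
}

// Output-side policy for the admin/user split: only content from a trusted
// author is emitted as HTML (that content should still have had scripts
// stripped beforeSave, as the quoted reply suggests); everything else is
// escaped at render time, whichever template displays it.
function render_content($record) {
    if (!empty($record['Foo']['author_is_admin'])) {
        return $record['Foo']['content'];
    }
    return htmlspecialchars($record['Foo']['content'], ENT_QUOTES, 'UTF-8');
}

echo "view/index style: ", render_raw($foo), "\n";
echo "edit form style:  ", render_escaped($foo), "\n";
echo "policy result:    ", render_content($foo), "\n";
```

Only the first line, when sent to a browser, produces the alert window from step c; the other two contain entity-encoded text.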
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Cake 
PHP" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/cake-php?hl=en
-~----------~----~----~----~------~----~------~--~---
