Hi,
With regards to SQL injection and XSS prevention techniques, I was wondering if it's possible to bind an HTML string as a parameter when saving to a model.
This is my code:
public function myAction($pageId)
{
    // Make sure the id is a plain integer before it goes into the query.
    $pageId = $this->filter->sanitize($pageId, 'int');
    $pageLookup = Page::findFirst(
        "id = " . $pageId
    );

    // findFirst() returns false when no row matches; don't try to update it.
    if ($pageLookup === false) {
        throw new \Exception("Page not found");
    }

    if ($this->request->isPost()) {
        // Clean the editor HTML with HTML Purifier, then store the result.
        $purifier = new \HTMLPurifier();
        $editorData = $this->request->getPost("editPageEditor");
        $cleanedEditorData = $purifier->purify($editorData);
        $pageLookup->content = $cleanedEditorData;
        $pageLookup->save();
    }

    $this->view->page = $pageLookup;
}
These are the steps I have used so far:
- First, on lookup, I sanitize the parameter to ensure the page id is an int.
- The view uses CKEditor to produce some HTML, which is then passed back to the controller on submit.
- With the help of HTML Purifier I clean the HTML string.
- I then update the content property of the page model with the cleaned string.
- And commit any changes.
I know I can do something similar to this, but it strips out all HTML at this point: $this->request->getPost("editPageEditor", "string");
Is there anything I can do to retain the cleaned HTML string when binding, or is this step more than is required?
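An added example, not from the post above and not Phalcon code, showing the point the question turns on: a bound parameter keeps the HTML string out of the SQL text, so quotes, semicolons and tags inside the content are stored verbatim and cannot change the query, and stripping tags is only an XSS measure, not a SQL one. It uses plain PDO with an in-memory SQLite database so it runs stand-alone; the page table, the column names and the sample content are constructed for illustration. The same separation applies in Phalcon: the lookup can bind the id with Page::findFirst(['conditions' => 'id = :id:', 'bind' => ['id' => $pageId]]), and the model's save() passes the content as a bound value rather than splicing it into SQL, so the purified HTML can be kept as-is.

```php
<?php
// Added example (not the original post's code): binding an HTML string as a
// query parameter with PDO + in-memory SQLite. Table, columns and content are
// constructed for illustration only.

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE page (id INTEGER PRIMARY KEY, content TEXT)');
    $db->exec("INSERT INTO page (id, content) VALUES (1, '<p>initial</p>')");
    return $db;
}

// Load a page by id. The id is cast to int AND bound as a parameter:
// the value never becomes part of the SQL text.
function findPage(PDO $db, $pageId): ?array
{
    $stmt = $db->prepare('SELECT id, content FROM page WHERE id = :id');
    $stmt->bindValue(':id', (int) $pageId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Store (already purified) HTML. Binding it as a string means the content
// is data to the database, however SQL-like it looks.
function updateContent(PDO $db, int $pageId, string $cleanedHtml): int
{
    $stmt = $db->prepare('UPDATE page SET content = :content WHERE id = :id');
    $stmt->bindValue(':content', $cleanedHtml, PDO::PARAM_STR);
    $stmt->bindValue(':id', $pageId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

$db = makeDb();

// Constructed payload: hostile-looking to SQL, harmless once bound.
$html = "<p>O'Reilly said: <b>hello</b></p>'; DROP TABLE page; --";
updateContent($db, 1, $html);

// The stored content is byte-for-byte what was bound, tags and quotes intact.
$page = findPage($db, 1);
var_dump($page['content'] === $html);

// A non-numeric id is cast to 0 and simply matches no row; the table survives.
var_dump(findPage($db, 'abc') === null);
var_dump($db->query('SELECT COUNT(*) FROM page')->fetchColumn());
```

Run it with `php example.php` (requires the pdo_sqlite extension). The lesson for the controller above is that the "string" filter on getPost() is not what protects the UPDATE; binding does that, and HTML Purifier is the layer that decides which tags are allowed to survive.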