When working with my models in Yii, I tried to inject JavaScript into a text area, a simple alert. The alert popped up when I went to browse the content of my model.

Fortunately, we can prevent JavaScript injection, and more, by using a PHP library called HTMLPurifier.

Yii does include this library as a widget that you can use inside your model’s validation rules.

Here is the code I used (taken from the Yii documentation):

array('your_text_field','filter','filter'=>array($obj=new CHtmlPurifier(),'purify')),

All HTML and scripts will be removed (if between <script> tags).

If you use

&gt; &lt; // as delimiter of your tags

the content will not be evaluated but just stored.
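
The validation rule above, shown in the context of a whole model, as an added example that is not from the original post or the Yii documentation. It assumes a bootstrapped Yii 1.1 application; CommentForm, its attributes, purifyBody() and the allow-list values are hypothetical choices made for illustration.

```php
<?php
// Added example. Assumes a bootstrapped Yii 1.1 application.
// CommentForm, its attributes and purifyBody() are hypothetical names.
class CommentForm extends CFormModel
{
    public $title; // plain text, never meant to contain markup
    public $body;  // rich text, limited markup allowed

    public function rules()
    {
        return array(
            array('title, body', 'required'),
            array('title', 'length', 'max' => 120),
            // Filters run during validate(), so what gets saved is already purified.
            array('body', 'filter', 'filter' => array($this, 'purifyBody')),
        );
    }

    // Purify against an explicit allow-list rather than the library defaults.
    public function purifyBody($value)
    {
        $purifier = new CHtmlPurifier();
        $purifier->options = array(
            'HTML.Allowed' => 'p,br,b,i,a[href]',
            'URI.AllowedSchemes' => array('http' => true, 'https' => true),
        );
        return $purifier->purify($value);
    }
}

// Constructed sample input, mirroring the alert test described in the post.
$form = new CommentForm();
$form->attributes = array(
    'title' => '<script>alert(1)</script>',
    'body'  => '<p onclick="alert(1)">Hello <b>world</b></p><script>alert(1)</script>',
);

if ($form->validate()) {
    // title: encode on output, so < and > are rendered as &lt; and &gt; and shown as text.
    echo CHtml::encode($form->title), "\n";
    // body: already purified by the filter rule, so it can be echoed as HTML.
    echo $form->body, "\n";
}
```

Fields that should never hold markup are better encoded at output time with CHtml::encode() than purified, which keeps the stored value exactly as the user typed it.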

Yep, that’s the beauty of using a kick-ass framework like Yii!

For the Java/JSP lovers, there seems to be an equivalent (which I haven’t evaluated):