locknet.ro

Medick, no HTML filtering

With the help of Creole, Medick escapes everything that goes to the database by binding it as a parameter of a PreparedStatement instead of concatenating it into the SQL.

I've decided that Medick should not take care of filtering any HTML input that comes in as a request parameter or from a web form. It means that the HTML will be taken as it is: stored and handed back exactly as it was received.

If someone submits nasty HTML tags, such as:

<script>alert('foo');</script>

and your application echoes that value back into a page unescaped, you will end up with a JavaScript alert on your screen (that is, the stored input runs as script in the browser of whoever views the page).

I think this is a nice feature of Medick, since I don't want the framework to change any of the data your application receives.

You can use PHP's own functions for that in your models: hook the calls into your model's before_* filters (before_save, for instance), so the value is encoded before it reaches the database. Keep in mind that htmlentities() encodes for the HTML context only, so what gets stored is already HTML-encoded; if the same field is also shown outside HTML (a plain-text mail, an API response) the entities will show up there, and escaping at output time instead is the alternative.

A short example:

class Article extends ActiveRecord {

    protected function before_save() {
        $this->title = htmlentities($this->title);
    }

    [….]
}
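The following is an added example, not Medick's own code, that runs the same before_save idea end to end without the framework or a database. MiniActiveRecord (a minimal stand-in for Medick's ActiveRecord whose save() returns the row that would be bound), the RawArticle class and the title/body fields are assumptions made for this demonstration; the request input is constructed.

```php
<?php
// Added example, not Medick's code: a minimal stand-in for Medick's
// ActiveRecord so the before_save hook can be exercised without the
// framework or a database. MiniActiveRecord, save() returning the row
// array, RawArticle and the Article fields are assumptions for this demo.
abstract class MiniActiveRecord
{
    protected array $attrs;

    public function __construct(array $attrs)
    {
        $this->attrs = $attrs;
    }

    // Column access via magic getters/setters, as $this->title in the post.
    public function __get(string $name)
    {
        return $this->attrs[$name] ?? null;
    }

    public function __set(string $name, $value): void
    {
        $this->attrs[$name] = $value;
    }

    // Hook point: the framework calls this before writing the row.
    protected function before_save(): void
    {
    }

    // Stand-in for the INSERT that Medick would issue through Creole
    // prepared statements; returns the row exactly as it would be bound.
    public function save(): array
    {
        $this->before_save();
        return $this->attrs;
    }
}

class Article extends MiniActiveRecord
{
    protected function before_save(): void
    {
        // ENT_QUOTES also encodes the single quote, so the value stays inert
        // inside single-quoted attributes; the charset is given explicitly so
        // multibyte input is not mangled.
        $this->title = htmlentities($this->title, ENT_QUOTES, 'UTF-8');
        $this->body  = htmlentities($this->body, ENT_QUOTES, 'UTF-8');
    }
}

// Unfiltered model: what Medick stores when you add no filter at all.
class RawArticle extends MiniActiveRecord
{
}

// Constructed request input, exactly as it would arrive in $_POST.
$input = [
    'title' => "<script>alert('foo');</script>",
    'body'  => 'Hello, <b>world</b>',
];

$raw  = (new RawArticle($input))->save();
$safe = (new Article($input))->save();

// Stored as received: echoing this into a page runs the script.
echo $raw['title'], "\n";

// Encoded in before_save: the browser renders the tag as text.
echo $safe['title'], "\n";
```

Run it with `php example.php`: the first line is the unchanged `<script>` tag, the second is the encoded form `&lt;script&gt;alert(&#039;foo&#039;);&lt;/script&gt;`, which a browser displays literally instead of executing. Passing ENT_QUOTES matters because the plain htmlentities() call in the post leaves single quotes alone, which is not enough if the title is ever placed inside a single-quoted HTML attribute.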