Question

In order to have the best up-to-date protection for users against XSS attacks, the data should be sanitized when displayed to users rather than at the moment of DB insert, if I have got this at all correct. So my question is: can I automate data sanitization in CakePHP so that the linked models automatically retrieved by Cake's queries are sanitized at the point of the query as well? Or should I always manually loop calls to all the linked models' sanitization methods?

Solution

All output that is not passed through one of the core helpers, or third-party helpers that are known to take care of it, should be passed through the h() method in the views.

echo h($model['Model']['name']);

If you want to do it in the model, the Model::afterFind() callback is the right place to modify the data. But I would not recommend sanitizing everything there, because there are cases, like editing the data or exposing the same data to an API or as JSON, that might require no sanitization or a different one.

See HtmlPurifier and HtmlPurifier for CakePHP as well. It is a strong filtering and sanitization library.
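The contrast the answer draws, as an added example that is not part of the original answer or of CakePHP's own code: the h() below is a plain-PHP stand-in for what CakePHP 2.x's h() does with a string, Post is a hypothetical model, and the sample row is constructed. It puts the view-level escaping the answer recommends next to a recursive Model::afterFind() that also reaches the associated ("linked") models the question asks about, and shows why the latter misbehaves for JSON output, inline scripts and edit forms.

```php
<?php
// Added example, not code from the answers above or from CakePHP itself.
// It contrasts escaping in the view with escaping in Model::afterFind().
// Plain PHP is enough to run it: this h() reproduces what CakePHP 2.x's
// h() does for a plain string (htmlspecialchars, ENT_QUOTES, UTF-8).

function h($text)
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed sample row, shaped like Model::find('first') output for a
// Post with an associated Author, holding raw (unescaped) user input.
function sampleRow()
{
    return array(
        'Post'   => array('id' => 1, 'title' => 'Tom & Jerry <3'),
        'Author' => array('id' => 7, 'name'  => '"><script>alert(document.cookie)</script>'),
    );
}

// Recommended: escape in the view, at the point where data meets HTML.
function renderHtml(array $row)
{
    return '<h1>' . h($row['Post']['title']) . '</h1>'
         . '<p>by ' . h($row['Author']['name']) . '</p>';
}

// The alternative the answer describes: a hypothetical Post model whose
// afterFind() walks the whole result set, associated models included,
// and HTML-escapes every string before the controller ever sees it.
class Post /* would extend AppModel in a real CakePHP 2.x app */
{
    public function afterFind($results, $primary = false)
    {
        array_walk_recursive($results, function (&$value) {
            if (is_string($value)) {
                $value = h($value);
            }
        });
        return $results;
    }
}

$raw     = sampleRow();
$post    = new Post();
$escaped = $post->afterFind(array($raw));
$escaped = $escaped[0];

// 1. HTML view. Both outputs are XSS-safe, but the afterFind() variant is
//    double-encoded ("&amp;amp;") because the view still has to call h():
//    it cannot tell pre-escaped data from data that must still be escaped.
echo renderHtml($raw), "\n";
echo renderHtml($escaped), "\n";

// 2. JSON API on the same find(). json_encode() already produces a safe
//    JSON body; the afterFind() variant ships HTML entities to a client
//    that expects the author's real name.
echo json_encode($raw['Author']), "\n";
echo json_encode($escaped['Author']), "\n";

// 3. JSON embedded in an inline <script>: a different context again. The
//    HEX flags turn <, >, &, and quotes into \u escapes so the data can
//    neither break out of the script block nor into the surrounding markup.
//    Neither h() nor afterFind() escaping produces this form.
echo '<script>var author = '
   . json_encode($raw['Author'], JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT)
   . ';</script>', "\n";

// 4. Edit form: the value attribute is escaped by the form code itself, so a
//    pre-escaped title is displayed as "Tom &amp; Jerry &lt;3", and saving
//    the form writes that literal text back to the database, corrupting the
//    value a little more on every round trip.
echo '<input name="data[Post][title]" value="' . h($escaped['Post']['title']) . '">', "\n";
```

Run it with `php example.php`. The afterFind() approach answers the question literally, since array_walk_recursive() reaches associated models without any manual looping, but it is the wrong layer: which escaping is correct depends on the output context (HTML body, attribute, JSON body, inline script, form field), and only the view that emits the data knows that context.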

OTHER TIPS

In your views, just use

<?php echo h($data['Model']['field']); ?>

h() is a wrapper for htmlspecialchars().

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow