
How to filter html from form data in Silex

I'm pretty new to Silex and Symfony and I'm trying to create a form with the Symfony Form component. That's working fine, but when it comes to validation/sanitization I'm not sure how to do it.

Of course I know the $app->escape($data) method, but it doesn't seem to fit my needs.

I'd like to escape html tags from the submitted data before I call the $form->isValid() method. I don't want to invalidate texts with html tags, only escape/remove them from the text then validate the gained values.

So basically I want to give the escaped values to the form instead of the originals or use.

My problem is that I'd like to show the error messages only if the submitted text is empty after removing the html tags.

I thought about writing a custom constraint (as I didn't find anything about HTML validation in the package), but in that case I would have to filter/escape twice: first in the validation, then before saving the data.

I'd like to achieve something like this:

use Symfony\Component\HttpFoundation\Request;

if ($request->getMethod() == 'POST') {
  $comment = $request->get('comment');
  if ($comment) {
    // escape every submitted value before the form sees it
    foreach ($comment as &$value) {
      $value = $app->escape($value);
    }
    unset($value); // drop the reference left behind by foreach

    // build a new request that carries only the cleaned values
    $cleared = new Request(array(), array('comment' => $comment));

    $form->bindRequest($cleared);
    if ($form->isValid()) {
      var_dump($form->getData());
    }
  }
}

Thanks.

$app->escape() is just a shortcut for htmlspecialchars(); you have to use the strip_tags() function to remove HTML tags.

My problem is that I'd like to show the error messages only if the submitted text is empty after removing the html tags.

$form->get('FILED_NAME')->addError(new Form\FormError('ERROR'));

For example:

use Symfony\Component\Form;
use Symfony\Component\HttpFoundation\Request;

if ($request->getMethod() == 'POST') {
  $comment = $request->get('comment');
  if ($comment) {
    $emptyCM = false;
    foreach ($comment as &$value) {
      $value = strip_tags($value); // remove the tags instead of escaping them
      if (empty($value)) $emptyCM = true;
    }
    unset($value); // drop the reference left behind by foreach

    $cleared = new Request(array(), array('comment' => $comment));

    $form->bindRequest($cleared);

    // add the custom error after binding: bind() resets the form's error list
    if ($emptyCM)
      $form->get('comment')->addError(new Form\FormError('my custom error message'));

    if ($form->isValid()) {
      var_dump($form->getData());
    }
  }
}

If you want to pre-sanitize all your data before it goes into the form, you can use a before filter, either for all routes or for specific routes.

The following example strips all tags from string parameters from GET and POST. If your parameters are arrays (like in your initial example), you'd need to add another if branch. If your parameters are deeply nested, you need a recursive function for filtering.

use Silex\Application;
use Symfony\Component\HttpFoundation\Request;

$app->before( function( Request $request ) {
    // walk both the POST body (request) and the query string (query)
    foreach ( [ $request->request, $request->query ] as $parameterBag ) {
        foreach ( $parameterBag->keys() as $key ) {
            // only plain strings are handled here; arrays are left untouched
            if ( is_string( $parameterBag->get( $key ) ) ) {
                $parameterBag->set( $key, strip_tags( $parameterBag->get( $key ) ) );
            }
        }
    }
}, Application::EARLY_EVENT );
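The recursive variant the answer mentions, combined with the "empty after stripping" check from the first answer, as an added example that is not part of either answer. It assumes Silex 1.x with Symfony HttpFoundation; the helper names stripTagsDeep and isEmptyDeep are hypothetical.

```php
<?php
// Added example: recursive tag stripping for nested GET/POST parameters,
// plus a check for values that end up empty once the tags are gone.
// Assumes Silex 1.x; helper names are hypothetical, not Silex or Symfony API.
use Silex\Application;
use Symfony\Component\HttpFoundation\Request;

/**
 * Strip HTML tags from a string or, recursively, from every string inside a
 * nested array. Non-string scalars (ints, bools, null) are returned unchanged.
 * Whitespace is trimmed so that a value made only of tags counts as empty.
 */
function stripTagsDeep($value)
{
    if (is_array($value)) {
        return array_map('stripTagsDeep', $value);
    }
    return is_string($value) ? trim(strip_tags($value)) : $value;
}

/**
 * True when the value is null/empty string, or an array whose leaves are all
 * empty. This decides whether the custom "empty comment" error applies.
 */
function isEmptyDeep($value)
{
    if (is_array($value)) {
        foreach ($value as $item) {
            if (!isEmptyDeep($item)) {
                return false;
            }
        }
        return true;
    }
    return $value === null || $value === '';
}

// Sanitize every parameter (strings and nested arrays) before any route runs.
$app->before(function (Request $request) {
    foreach (array($request->request, $request->query) as $bag) {
        $bag->replace(stripTagsDeep($bag->all()));
    }
}, Application::EARLY_EVENT);

// In the route the "comment" parameter is already tag-free, so the check
// from the first answer reduces to:
//   if (isEmptyDeep($request->get('comment'))) {
//       $form->get('comment')->addError(new FormError('my custom error message'));
//   }
```

strip_tags() removes markup from the stored value but is not an output-escaping step; keep escaping (e.g. Twig autoescape or $app->escape()) when the text is rendered back into a page.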

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM