 

Yii2 : How to validate XSS (Cross Site Scripting) in form / model input?

Yii2 has support for XSS (cross-site scripting) validation of displayed data using the helper class \yii\helpers\HtmlPurifier; however, this only validates and cleans up output code like this:

echo HtmlPurifier::process($html);

How can input be validated for XSS so that this data is not stored in the database itself?

Manquer asked May 08 '15 13:05


1 Answer

This can be done using a FilterValidator, by calling process as a named callable function of the validation, like this:

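use yii\db\ActiveRecord;

class MytableModel extends ActiveRecord {
    // ...
    public function rules() {
        $rules = [
            // Run field1 and field2 through HtmlPurifier during validation, before saving
            [['field1', 'field2'], 'filter', 'filter' => '\yii\helpers\HtmlPurifier::process'],
        ];
        return array_merge(parent::rules(), $rules);
    }
    // ...
}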

Where field1, field2, etc. are the input fields to be validated. The same applies to Form Model validations as well.

Manquer answered Sep 20 '22 23:09
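An added example, not part of the original answer: a form model that uses the same filter rule with a restricted HTML Purifier configuration for a rich-text field, and leaves a plain-text field to be encoded on output. The CommentForm class, its attributes, the tag allowlist and the sample input are assumptions made for illustration, and the code needs a Yii2 application environment to run.

```php
<?php
use yii\base\Model;
use yii\helpers\Html;
use yii\helpers\HtmlPurifier;

// Hypothetical form model (not from the original answer).
class CommentForm extends Model
{
    public $title; // plain text: stored as typed, encoded when displayed
    public $body;  // rich text: purified before it can reach the database

    public function rules()
    {
        return [
            // Filters run first, so the validators below see the purified value.
            ['body', 'filter', 'skipOnArray' => true, 'filter' => function ($value) {
                return HtmlPurifier::process((string) $value, [
                    // Assumed allowlist: a few tags, links limited to http(s).
                    'HTML.Allowed' => 'p,b,i,a[href]',
                    'URI.AllowedSchemes' => ['http' => true, 'https' => true],
                ]);
            }],
            // A body that purifies down to an empty string fails 'required'.
            [['title', 'body'], 'required'],
            // 'string' also rejects array input that the filter skipped.
            ['title', 'string', 'max' => 255],
            ['body', 'string', 'max' => 10000],
        ];
    }
}

// Constructed sample input; in a controller this comes from the request body.
$input = [
    'title' => 'Release notes <draft>',
    'body'  => '<p onclick="track()">Hello <a href="javascript:void(0)">link</a></p>'
             . '<script>alert(1)</script>',
];

$form = new CommentForm();
$form->load($input, '');
if ($form->validate()) {
    // $form->body now holds the purified markup that would be saved.
    echo Html::encode($form->title), "\n"; // plain text is encoded at output time
    echo $form->body, "\n";                // purified HTML can be rendered as HTML
} else {
    print_r($form->getErrors());
}
```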