How to prevent utf-7 reflected xss vulnerability in php.

Using the yii1.1 framework

<code>        $req = Yii::app()->request;
        $purifier = new CHtmlPurifier();
        $purifier->options = array(
            'URI.AllowedSchemes'=>array(
                'http' => true,
                'https' => true,
            )
        );
            $url = $purifier->purify($req->getParam('url'));</code>

All parameters are filtered using purify. But there is still this loophole. Please tell me how to solve it. Is there a better solution for liberation?

Reply content:

Using the yii1.1 framework

<code>        $req = Yii::app()->request;
        $purifier = new CHtmlPurifier();
        $purifier->options = array(
            'URI.AllowedSchemes'=>array(
                'http' => true,
                'https' => true,
            )
        );
            $url = $purifier->purify($req->getParam('url'));</code>

All parameters are filtered using purify. But there is still this loophole. Please tell me how to solve it. Is there a better solution for liberation?

1 Custom method to filter common xss attack tags: script|iframe|image/Uis

2 Configuration direction to consider: Set httponly to prohibit obtaining cookies

3 Service direction: Use SSL protocol and prohibit loading of external js