README

Security

Is package to sanitize each data from middleware or it's can me use in standalone to sinitize strings.

Table of contents

1. Require
2. Installation

Require

1. Php 7.1.3 or more

Installation

Add on your composer.json

    "require": {
        "distilleries/security": "1.*",
    }

run composer update.

Publish the configuration:

php artisan vendor:publish --provider="Distilleries\Security\SecurityServiceProvider"

Configurations

    return [
       'xss_enable'=> env('SECURITY_XSS_ENABLE',true),
       'html_purifier'=> env('SECURITY_HTML_PURIFIER_ENABLE',true)
    ];

Add the Middleware on the kernel file.

    protected $middleware = [
        \Distilleries\Security\Http\Middleware\XSS::class
    ];

Standalone usage

You can use the class Security to sanitize data directly

Sinitize string

    $xss = new \Distilleries\Security\Helpers\Security();
    $xss->xss_clean('<a href="javascript:aler('test')">Click to alert</a>');

Should return Click to alert

Entity decode

This function is a replacement for html_entity_decode()

The reason we are not using `html_entity_decode() by itself is because while it is not technically correct to leave out the semicolon at the end of an entity most browsers will still interpret the entity correctly. html_entity_decode() does not convert entities without semicolons, so we are left with our own little solution here. Bummer.

    $xss = new \Distilleries\Security\Helpers\Security();
    $xss->entity_decode(<a href="javascript:alert('test')">Test</a>');

Should return Test

Sinitize file path

    $xss = new \Distilleries\Security\Helpers\Security();
    $xss->sanitize_filename('./../test.jgp',true);

Should display ./test.jpg instead of ./../test.jgp. The last parameter it's to allow or disallow relative path

    $xss = new \Distilleries\Security\Helpers\Security();
    $xss->sanitize_filename('./../test.jgp',false);

Should display test.jpg instead of ./../test.jgp.