Security Is An Anti-XSS Wrapper For Laravel


Laravel Security

Laravel Security was created by, and is maintained by Graham Campbell, and is a voku/anti-xss wrapper for Laravel, using graham-campbell/security-core. Feel free to check out the change log, releases, security policy, license, code of conduct, and contribution guidelines.


Build Status StyleCI Status Software License Packagist Downloads Latest Version


This version requires PHP 8.0-8.3 and supports Laravel 9-11.

Security L5.5 L5.6 L5.7 L5.8 L6 L7 L8 L9 L10 L11

To get the latest version, simply require the project using Composer:

$ composer require "graham-campbell/security:^11.2"

Once installed, if you are not using automatic package discovery, then you need to register the GrahamCampbell\Security\SecurityServiceProvider service provider in your config/app.php.

You can also optionally alias our facade:

        'Security' => GrahamCampbell\Security\Facades\Security::class,


Laravel Security supports optional configuration.

To get started, you'll need to publish all vendor assets:

$ php artisan vendor:publish

This will create a config/security.php file in your app that you can modify to set your configuration. Also, make sure you check for changes to the original config file in this package between releases.

There are two config options:

Evil configuration

This option ('evil') defines the evil attributes and tags, which will always be stripped from the input.

Replacement string

This option ('replacement') defines the replacement string, which will be used to take the place of removed portions of strings where XSS was present.



This is the class of most interest. It is bound to the ioc container as 'security' and can be accessed using the Facades\Security facade. There is one public method of interest.

The 'clean' method will parse a string removing XSS vulnerabilities, on a best effort basis.


This facade will dynamically pass static method calls to the 'security' object in the ioc container which by default is the Security class.


This class contains no public methods of interest. This class should be added to the providers array in config/app.php. This class will setup ioc bindings.

Further Information

You may see an example of implementation in Laravel Binput.


If you discover a security vulnerability within this package, please send an email to All security vulnerabilities will be promptly addressed. You may view our full security policy here.


Laravel Security is licensed under The MIT License (MIT).

For Enterprise

Available as part of the Tidelift Subscription

The maintainers of graham-campbell/security and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open source dependencies you use to build your applications. Save time, reduce risk, and improve code health, while paying the maintainers of the exact dependencies you use. Learn more.