laravel-at/laravel-image-sanitize

A small but handy package to prevent malicious code execution coming into your application through uploaded image files.

Maintainers

Package info

github.com/laravel-at/laravel-image-sanitize

pkg:composer/laravel-at/laravel-image-sanitize

Statistics

Installs: 66 469

Dependents: 0

Suggesters: 0

Stars: 337

Open Issues: 0

v5.0.0 2026-06-10 18:02 UTC

This package is auto-updated.

Last update: 2026-06-29 07:21:08 UTC


README


It prevents malicious code execution!


This is a small but handy package to prevent malicious code execution coming into your application through uploaded images. It was created after being inspired by @appelsiini's talk on How to Hack your Laravel Application.

Installation

This version requires PHP 8.3+, Laravel 12 or 13, and Intervention Image 4.

You can install the package via composer:

composer require laravel-at/laravel-image-sanitize

Usage

Apply the middleware to routes that receive image uploads:

use App\Http\Controllers\FileController;
use LaravelAt\ImageSanitize\ImageSanitizeMiddleware;

Route::post('/files', [FileController::class, 'upload'])
    ->name('file.upload')
    ->middleware(ImageSanitizeMiddleware::class);

If you prefer a middleware alias, register it in your application's bootstrap/app.php file:

use Illuminate\Foundation\Configuration\Middleware;
use LaravelAt\ImageSanitize\ImageSanitizeMiddleware;

->withMiddleware(function (Middleware $middleware): void {
    $middleware->alias([
        'image-sanitize' => ImageSanitizeMiddleware::class,
    ]);
})

Then use the alias on your upload routes:

Route::post('/files', [FileController::class, 'upload'])
    ->name('file.upload')
    ->middleware('image-sanitize');

If you want to learn more about middleware, please check out the official Laravel documentation.

Configuration

You may publish the configuration file:

php artisan vendor:publish --tag=image-sanitize-config

The default configuration scans JPEG, PNG, GIF, BMP, and WebP uploads for suspicious byte patterns, then re-encodes matching images through Intervention Image. SVG files are not supported by default.

return [
    'allowed_mime_types' => [
        'image/jpeg',
        'image/png',
        'image/gif',
        'image/bmp',
        'image/webp',
    ],

    'patterns' => [
        '<?php',
        'phar',
    ],

    'driver' => \Intervention\Image\Drivers\Gd\Driver::class,
    'quality' => 100,
    'auto_orientation' => true,
    'decode_animation' => true,
    'strip_metadata' => true,
];

You can also use the facade directly:

if (ImageSanitize::detect($contents)) {
    $contents = (string) ImageSanitize::sanitize($contents);
}
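As an added worked example (not code from the package), the stand-alone script below mirrors the detect-then-re-encode flow the middleware and facade perform, using the default patterns from the configuration above and the Intervention Image 4 GD driver. The detect() and sanitize() helpers are hypothetical reimplementations, and the polyglot fixture is constructed in the script; it assumes PHP 8.3 with ext-gd and intervention/image 4 installed through Composer.

```php
<?php
// Added example, not package code: a stand-alone version of the
// "scan for byte patterns, then re-encode" flow the README describes.
// Assumes PHP 8.3 with ext-gd and intervention/image ^4 via Composer.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Intervention\Image\Drivers\Gd\Driver;
use Intervention\Image\ImageManager;

/** Default byte patterns from the published configuration. */
const PATTERNS = ['<?php', 'phar'];

/** Case-insensitive byte scan of the raw upload for any configured pattern. */
function detect(string $contents, array $patterns = PATTERNS): bool
{
    foreach ($patterns as $pattern) {
        if (stripos($contents, $pattern) !== false) {
            return true;
        }
    }
    return false;
}

/**
 * Re-encode through GD. Only the decoded pixel data survives, so trailing
 * bytes after the image, EXIF/comment chunks and anything else hidden in the
 * container are dropped. Encoder quality is left at the driver default here.
 */
function sanitize(string $contents, string $mime): string
{
    $manager = new ImageManager(new Driver());
    return (string) $manager->read($contents)->encodeByMediaType($mime);
}

// Constructed fixture: a 2x2 PNG produced by GD with a harmless PHP open tag
// appended after the IEND chunk, the shape of a typical image polyglot.
$canvas = imagecreatetruecolor(2, 2);
ob_start();
imagepng($canvas);
$upload = ob_get_clean() . '<?php /* constructed marker, never executed */ ?>';

if (!detect($upload)) {
    throw new RuntimeException('expected the constructed upload to be flagged');
}

$clean = sanitize($upload, 'image/png');
if (detect($clean) || !str_starts_with($clean, "\x89PNG")) {
    throw new RuntimeException('re-encoded image still carries the pattern');
}
echo "flagged, re-encoded, and clean\n";
```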

Testing

composer test

Run the full local quality check:

composer check

Or run the individual checks:

composer format-test
composer analyse
composer test

Changelog

Please see CHANGELOG for more information on what has changed recently.

Contributing

Please see CONTRIBUTING for details.

Security

If you discover any security related issues, please email adrian@nuernberger.me instead of using the issue tracker.

Credits

License

The MIT License (MIT). Please see License File for more information.