laravelgems/blade-escape

Custom blade directives to figth against XSS

Maintainers

Details

github.com/laravelgems/blade-escape

Source

Issues

Installs: 11 259

Dependents: 0

Suggesters: 0

Security: 0

Stars: 13

Watchers: 4

Forks: 4

Open Issues: 0

1.0.0 2016-12-25 13:34 UTC

Requires

MIT ae404651cdfa85ce085dabc32e6e00bf4756bccd

  • Leonid Shumakov <leonid.shumakov.woop@laragems.com>

This package is not auto-updated.

Last update: 2024-11-23 20:59:06 UTC

README

Blade Escape is a service provider that extends Blade directives and allows use Laragems\Escape library.

<div style="background-color: @css($color);">
    <label>@text($label)</label>
    <input type="text" name="custom" value="@attr($value)"/>
</div>
<a href="/profile?u=@param($username)">Profile</a>
<button onclick="callMyFunction('@js($username)');">Validate</button>
<script>
    var username = "@js($username)";
</script>

Installation

composer require laravelgems/blade-escape

After that add service provider to a config\app.php

        /*
         * Package Service Providers...
         */
         ...
         LaravelGems\BladeEscape\Providers\BladeEscapeServiceProvider::class,
         ...

HTML - @text($variable), safe

<p>@text($resume)</p>
<div>@text($bio)</div>

HTML Attribute - @attr(@variable), safe when following rules

Attribute's value should be quoted. For usage with whitelist attributes: align, alink, alt, bgcolor, border, cellpadding, cellspacing, class, color, cols, colspan, coords, dir, face, height, hspace, ismap, lang, marginheight, marginwidth, multiple, nohref, noresize, noshade, nowrap, ref, rel, rev, rows, rowspan, scrolling, shape, span, summary, tabindex, title, usemap, valign, value, vlink, vspace, width

<input type="text" value="@attr($variable)"/>
<img src="image.png" alt="@attr($variable)"/>

URL Parameter - @param($variable), safe

<a href="search?keyword=@param($variable)">Click Me</a>

Javascript Parameter - @js($variable), safe when following rules

Value should be quoted. Avoid using dangerous functions (eval and so on), example - setTimeout("@js($variable)") (can be hacked!)

<script>
    var username = "@js($variable)";
</script>
<a href="#" onclick="displayDialog('@js($title)');">Click</a>

CSS - @css($variable), safe when following rules

Surrounded by quotes. Avoid complex properties like url, behavior and custom (-moz-binding). Do not put untrusted data into IE's expression property value

<style>
    .article { background-color: '@css($color)';}
</style>
<span style="width: '@css($width)';"></span>

Must Read: QWASP - XSS Prevention Cheat Sheet

You don't like the names of directives. Ok, just change them in a published config.