laravelgems/escape

Basic methods to escape untrusted data before inserting into different HTML contexts

Maintainers

Details

github.com/laravelgems/escape

Homepage

Source

Issues

Installs: 11 677

Dependents: 1

Suggesters: 0

Security: 0

Stars: 0

Watchers: 2

Forks: 0

Open Issues: 0

1.0.0 2016-12-25 09:39 UTC

Requires

Requires (Dev)

MIT 6013be1da456591778ea86acb10aa7357fdcc02f

This package is not auto-updated.

Last update: 2024-04-13 17:30:12 UTC

README

Build Status

This library provides several methods that help you prevent XSS attacks on your pages.

These methods escape untrusted data properly. Just follow simple rules and you're safe.

Quick example

<div>
    <label><?= \LaravelGems\HTML::text($label) ?></label>
    <input type="text" value="<?= \LaravelGems\HTML::attr($value) ?>"/>
    <script>
        var Identifier = "<?= \LaravelGems\HTML::js($label) ?>";
    </script>
</div>
<a href="/my/page?query=<?= \LaravelGems\HTML::param($label) ?>" onclick="callMyFunction(this, '<?= \LaravelGems\HTML::js($label) ?>');">Click Me</a>

Important:

  • this library does not do any validation
  • this library does not clean invalid/dangerous code

So, please do not expect that this library will protect you from something like this:

<a href="#" onclick="UNTRUSTED DATA HERE">My Link</a>
<a href="UNTRUSTED DATA HERE">My Link</a>

Installation

Include HTML.php or install the composer package

composer require laravelgems/escape

HTML text

This methods uses htmlspecialchars with small addition (escaping forward slash too).

<div><?= \LaravelGems\HTML::text($untrustedData) ?></div>

HTML attribute

<input type="text" name="username" value="<?= \LaravelGems\HTML::attr($untrustedData) ?>"/>

Important - this is only safe for whitelist of attributes

Whitelist: align, alink, alt, bgcolor, border, cellpadding, cellspacing, class, color, cols, colspan, coords, dir, face, height, hspace, ismap, lang, marginheight, marginwidth, multiple, nohref, noresize, noshade, nowrap, ref, rel, rev, rows, rowspan, scrolling, shape, span, summary, tabindex, title, usemap, valign, value, vlink, vspace, width

Some attributes (for example, ID) is not in a whitelist as it can be used for breaking your frontend logic by processing/watching wrong element.

Many other attributes are potentially dangerous even with properly escaped data.

CSS

<span style="property: '<?= \LaravelGems\HTML::css($untrustedData) ?>;'">text</span>

Notes:

  • value should be quoted
  • stay away from putting untrusted data into complex properties like url, behavior, and custom (-moz-binding)
  • do not put untrusted data into IE’s expression property value which allows JavaScript.

Javascript variable

<script>var username="<?= \LaravelGems\HTML::js($untrustedData) ?>";</script>
<a href="#" onclick="myClickHandler('<?= \LaravelGems\HTML::js($untrustedData) ?>')">Link</a>

URL parameter

FYI, this method is an alias to urlencode.

<a href="/profile?username=<?= \LaravelGems\HTML::param($untrustedData) ?>">Profile</a>

Warning! Never ever make something like these without validation/sanitizing

<!-- Unsafe html attributes - there no way to protect you in 100% cases without validation first -->
<embed src="<?= htmlentities("javascript:alert(1)") ?>"></embed>

<!-- Does not look safe, right? -->
<embed src="javascript:alert(1)"></embed>

More examples (wrong vs right)

<!-- WRONG WAY: htmlentities() is not enough in JS context -->
<script>var a = "<?= htmlentities($untrustedData) ?>";</script>

<!-- RIGHT WAY: use \LaravelGems\HTML::js() -->
<script>var a = "<?= \LaravelGems\HTML::js($untrustedData) ?>";</script>

Inspiration

Thanks to QWASP for their top 10 and cheat sheets. Thanks to Twig library for their filters.