Filter user input for XSS but don't touch other html

v1.5.1 2022-03-15 13:56 UTC

This package is auto-updated.

Last update: 2022-11-25 15:20:22 UTC



Latest Stable Version Total Downloads Build Status License


Laravel XSS Filter

Configure once and forget about XSS attacks!

Laravel 5.4+ Middleware to filter user inputs from XSS and iframes and other embed elements.

It does not remove the html, it is only escaped script tags and embeds.

However, by default, it does delete inline event listeners such as onclick. Optionally they also can be escaped (set escape_inline_listeners to true in xss-filter.php config file).

For example

    <script src="app.js"></script>
    <meta name="test" />
    let Iframe = new Iframe('#iframe');
    <div class="hover" onhover="show()" data-a="b"><p onclick="click"><span class="span" ondblclick="hide()"></span>Aawfawfaw f awf aw  </p></div>
    <iframe id="iframe">Not supported!</iframe>

will be transformed to

&lt;script src=&quot;app.js&quot;&gt;&lt;/script&gt;
<meta name="test" />
let Iframe = new Iframe(&#039;#iframe&#039;);
<div class="hover"  data-a="b"><p ><span class="span" ></span>Aawfawfaw f awf aw  </p></div>
&lt;iframe id=&quot;iframe&quot;&gt;Not supported!&lt;/iframe&gt;

This allows to render html in views based on users' input and don't be afraid of XSS attacks and embed elements.


Step 1: Composer

From command line

composer require masterro/laravel-xss-filter

Step 2: register Service provider and Facade(optional) (for Laravel 5.4)

For your Laravel app, open config/app.php and, within the providers array, append:


within the aliases array, append:

'XSSCleaner' => MasterRO\LaravelXSSFilter\XSSCleanerFacade::class

Step 3: publish configs (optional)

From command line

php artisan vendor:publish --provider="MasterRO\LaravelXSSFilter\XSSFilterServiceProvider"

Step 4: Middleware

You can register \MasterRO\LaravelXSSFilter\FilterXSS::class for filtering in global middleware stack, group middleware stack or for specific routes.

Have a look at Laravel's middleware documentation, if you need any help.


After adding middleware, every request will be filtered.

If you need to specify attributes that should not be filtered add them to xss-filter.except config. By default, filter excepts password and password_confirmation fields.

If you want to clean some value in other place (i.e. Controller) you can use XSSCleaner Facade.

$clean = XSSCleaner::clean($string);

Runtime configuration

$clean = XSSCleaner::clean($string);

I will be grateful if you star this project :)