masterro/laravel-xss-filter

Filter user input for XSS but don't touch other html

Maintainers

Details

github.com/MasterRO94/laravel-xss-filter

Source

Issues

Installs: 190 069

Dependents: 1

Suggesters: 0

Security: 0

Stars: 43

Watchers: 3

Forks: 6

Open Issues: 0

v2.1.0 2025-02-23 01:22 UTC

Requires

Requires (Dev)

MIT 7ce692c54a0e1f854c4d9429fdd20e093328ae6d

  • Roman Ihoshyn <igoshin18.woop@gmail.com>

middlewarelaravelxss

This package is auto-updated.

Last update: 2025-02-23 01:23:56 UTC

README

Latest Stable Version Total Downloads Build Status License

StandWithUkraine

XSS Filter/Sanitizer for Laravel

Configure once and forget about XSS attacks!

It does not remove the html, it is only escaped script tags and embeds.
However, by default, it does delete inline event listeners such as onclick. Optionally they also can be escaped (set escape_inline_listeners to true in xss-filter.php config file).

For example

<html>
<head>
    <script src="app.js"></script>
    <script>window.init()</script> 
    <meta name="test" />
    <script>
    let Iframe = new Iframe('#iframe');
    </script>
<head>
<body>
    <div class="hover" onhover="show()" data-a="b"><p onclick="click"><span class="span" ondblclick="hide()"></span>Aawfawfaw f awf aw  </p></div>
    <iframe id="iframe">Not supported!</iframe>
</body>
</html>

will be transformed to

<html>
<head>
&lt;script src=&quot;app.js&quot;&gt;&lt;/script&gt;
&lt;script&gt;window.init()&lt;/script&gt; 
<meta name="test" />
&lt;script&gt;
let Iframe = new Iframe(&#039;#iframe&#039;);
&lt;/script&gt;
<head>
<body>
<div class="hover"  data-a="b"><p ><span class="span" ></span>Aawfawfaw f awf aw  </p></div>
&lt;iframe id=&quot;iframe&quot;&gt;Not supported!&lt;/iframe&gt;
</body>
</html>

This allows to render html in views based on users' input and don't be afraid of XSS attacks and embed elements.

Installation

Step 1: Composer

From command line

composer require masterro/laravel-xss-filter

Step 2: publish configs (optional)

From command line

php artisan vendor:publish --provider="MasterRO\LaravelXSSFilter\XSSFilterServiceProvider"

Step 3: Middleware

You can register \MasterRO\LaravelXSSFilter\FilterXSS::class for filtering in global middleware stack, group middleware stack or for specific routes.

Have a look at Laravel's middleware documentation, if you need any help.

Livewire

If you are using Livewire you can either register global middleware to all the update livewire requests. This special middleware will clean only required part of Livewire request payload and will not touch snapshot so the component checksum still would be valid.

// AppServiceProvider.php

public function boot(): void
{
    Livewire::setUpdateRoute(static function ($handle) {
        return Route::post('/livewire/update', $handle)
            ->middleware(['web', FilterXSSLivewire::class]);
    });
}

Or you can apply middleware to specific routes and add it to persistent list to ensure inputs are cleared on subsequent component requests:

// AppServiceProvider.php

public function boot(): void
{
    Livewire::addPersistentMiddleware([
        FilterXSSLivewire::class,
    ]);
}

NOTE! If you have both Livewire components and traditional Controllers you can apply only FilterXSSLivewire::class middleware for all required routes or globally. It will fall back to base logic for non Livewire requests.

Usage

After adding middleware, every request will be filtered.

If you need to specify attributes that should not be filtered add them to xss-filter.except config. By default, filter excepts password and password_confirmation fields.

If you want to clean some value in other place (i.e. Controller) you can use XSSCleaner Facade.

$clean = XSSCleaner::clean($string);

Runtime configuration

XSSCleaner::config()
    ->allowElement('iframe')
    ->allowMediaHosts(['youtube.com', 'youtu.be'])
    ->denyElement('a');
    
$clean = XSSCleaner::clean($string);

I will be grateful if you star this project :)