masterro / laravel-xss-filter
Filter user input for XSS but don't touch other html
Installs: 175 961
Dependents: 1
Suggesters: 0
Security: 0
Stars: 43
Watchers: 3
Forks: 6
Open Issues: 1
Requires
- php: >=7.4
- laravel/framework: ^6.20.26|^7.30.6|^8.0|^9.0|^10.0|^11.0
Requires (Dev)
- orchestra/testbench: ^v4.0|^v5.0|^v6.0|^v7.0|^8.0|^9.0
README
XSS Filter/Sanitizer for Laravel
Configure once and forget about XSS attacks!
Laravel 5.4+ middleware that filters user input for XSS: script tags, iframes and other embed elements.
It does not remove the HTML; it only escapes script tags and embeds.
However, by default it does delete inline event listeners such as onclick.
Optionally they can be escaped instead (set escape_inline_listeners to true in the xss-filter.php config file).
For example
    <html>
        <head>
            <script src="app.js"></script>
            <script>window.init()</script>
            <meta name="test" />
            <script>
                let Iframe = new Iframe('#iframe');
            </script>
        </head>
        <body>
            <div class="hover" onhover="show()" data-a="b"><p onclick="click"><span class="span" ondblclick="hide()"></span>Aawfawfaw f awf aw </p></div>
            <iframe id="iframe">Not supported!</iframe>
        </body>
    </html>
will be transformed to
    <html>
        <head>
            &lt;script src="app.js"&gt;&lt;/script&gt;
            &lt;script&gt;window.init()&lt;/script&gt;
            <meta name="test" />
            &lt;script&gt;
                let Iframe = new Iframe('#iframe');
            &lt;/script&gt;
        </head>
        <body>
            <div class="hover" data-a="b"><p ><span class="span" ></span>Aawfawfaw f awf aw </p></div>
            &lt;iframe id="iframe"&gt;Not supported!&lt;/iframe&gt;
        </body>
    </html>
This lets you render HTML from user input in views without worrying about XSS attacks and embed elements.
Installation
Step 1: Composer
From command line
composer require masterro/laravel-xss-filter
Step 2: register the service provider and facade (optional; for Laravel 5.4)
In your Laravel app, open config/app.php and append to the providers array:
MasterRO\LaravelXSSFilter\XSSFilterServiceProvider::class
and to the aliases array:
'XSSCleaner' => MasterRO\LaravelXSSFilter\XSSCleanerFacade::class
Step 3: publish configs (optional)
From command line
php artisan vendor:publish --provider="MasterRO\LaravelXSSFilter\XSSFilterServiceProvider"
Step 4: Middleware
You can register \MasterRO\LaravelXSSFilter\FilterXSS::class
for filtering in the global middleware stack, in a middleware group, or for specific routes.
Have a look at Laravel's middleware documentation if you need any help.
Usage
After adding middleware, every request will be filtered.
If you need to specify attributes that should not be filtered, add them to the xss-filter.except config.
By default, the filter excludes the password and password_confirmation fields.
If you want to clean a value somewhere else (e.g. in a controller), you can use the XSSCleaner facade.
$clean = XSSCleaner::clean($string);
Runtime configuration
XSSCleaner::config()
    ->allowElement('iframe')
    ->allowMediaHosts(['youtube.com'])
    ->blockElement('a');

$clean = XSSCleaner::clean($string);
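As an added example that is not part of the package's README: the middleware applied to a route group, and a controller that uses the runtime configuration above for one field that has to keep a YouTube iframe. The route, the controller, the field names and the extra except entry are assumptions.

```php
<?php
// Added example, not from the package README. The route, the controller and
// the input field names "bio" and "video_embed" are assumptions; the two
// parts below would normally live in routes/web.php and the controller file.

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use MasterRO\LaravelXSSFilter\FilterXSS;
use MasterRO\LaravelXSSFilter\XSSCleanerFacade as XSSCleaner;

// routes/web.php: the middleware runs on every request in this group, so all
// input fields (except the configured xss-filter.except keys) are filtered
// before a controller ever sees them.
Route::middleware(['web', FilterXSS::class])->group(function () {
    Route::post('/profile', [ProfileController::class, 'update']);
});

class ProfileController extends Controller
{
    public function update(Request $request)
    {
        // Already filtered by the middleware: <script> and embeds are escaped,
        // on* handlers are removed, the remaining HTML is kept as-is.
        $bio = $request->input('bio');

        // A field that must keep an <iframe> from a known host cannot rely on
        // the middleware, which would already have escaped it. Listed in
        // config/xss-filter.php as
        //   'except' => ['password', 'password_confirmation', 'video_embed'],
        // (assumed addition) it reaches the controller raw and is cleaned here
        // with the narrower policy from the README's runtime configuration.
        XSSCleaner::config()
            ->allowElement('iframe')
            ->allowMediaHosts(['youtube.com'])
            ->blockElement('a');

        $embed = XSSCleaner::clean($request->input('video_embed', ''));

        $request->user()->update([
            'bio'         => $bio,
            'video_embed' => $embed,
        ]);

        return redirect()->back();
    }
}
```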