medilies / xssless
Clean your rich text from XSS threats.
Fund package maintenance!
medilies
Requires
- php: ^8.2
- guzzlehttp/guzzle: ^7.9
- symfony/process: ^7.1
Requires (Dev)
- laravel/framework: ^11 || 10
- laravel/pint: ^1.14
- nunomaduro/collision: ^8.1.1||^7.10.0
- orchestra/testbench: ^9.2
- pestphp/pest: ^2.34
- pestphp/pest-plugin-arch: ^2.7
- phpstan/extension-installer: ^1.3
- phpstan/phpstan: ^1.11
- phpstan/phpstan-deprecation-rules: ^1.1
- phpstan/phpstan-phpunit: ^1.3
README
Why use Xssless
- Your application features a Rich Text Editor and you want to prevent all XSS.
- You want full HTML5 & CSS3 support.
- You want to allow all safe HTML elements, their attributes, and CSS properties without going deep into whitelist configs.
The default driver aligns with OWASP recommendations:
... OWASP recommends DOMPurify for HTML Sanitization.
Requirements
- PHP >= 8.2
- ext-json
- Node >= 18
- NPM
Installation
Install the package via composer:
composer require medilies/xssless
For non Laravel projects, pick a config and run the following code:
$config = new Medilies\Xssless\Dompurify\DompurifyCliConfig('node', 'npm'); (new Medilies\Xssless\Xssless) ->using($config) ->setup();
For Laravel projects, run the following command:
php artisan xssless:setup
Usage
Using Medilies\Xssless\Dompurify\DompurifyCliConfig
:
(new Medilies\Xssless\Xssless) ->using(new Medilies\Xssless\Dompurify\DompurifyCliConfig) ->clean($html);
Using Medilies\Xssless\Dompurify\DompurifyServiceConfig
:
$config = new Medilies\Xssless\Dompurify\DompurifyServiceConfig( host: '127.0.0.1', port: 63000 ); $xssless = (new Medilies\Xssless\Xssless) ->using($config); /** * It is better to have this part in a separate script * that runs continuously and independently from your app */ $xssless->start(); $xssless->clean($html);
Laravel usage
You can publish the config file with:
php artisan vendor:publish --tag="xssless-config"
This is the contents of the published config file:
return [ 'default' => 'dompurify-cli', 'drivers' => [ 'dompurify-cli' => new DompurifyCliConfig( node: env('NODE_PATH', 'node'), // @phpstan-ignore argument.type npm: env('NPM_PATH', 'npm'), // @phpstan-ignore argument.type binary: null, tempFolder: null, ), 'dompurify-service' => new DompurifyServiceConfig( node: env('NODE_PATH', 'node'), // @phpstan-ignore argument.type npm: env('NPM_PATH', 'npm'), // @phpstan-ignore argument.type host: '127.0.0.1', port: 63000, binary: null, ), ], ];
Run the following command (Not required by all drivers):
php artisan xssless:start
Use the facade:
Medilies\Xssless\Laravel\Facades\Xssless::clean($html);
Changelog
Please see CHANGELOG for more information on what has changed recently.
Contributing
Please see CONTRIBUTING for details.
Security Vulnerabilities
Please review our security policy on how to report security vulnerabilities.
Credits
License
The MIT License (MIT). Please see License File for more information.