medilies/xssless

Clean your rich text from XSS threats.

Fund package maintenance!
medilies

v0.4.0 2024-08-13 20:54 UTC

This package is auto-updated.

Last update: 2024-11-26 13:01:52 UTC


README

Latest Version on Packagist pest phpstan

workflow

Why use Xssless

  • Your application features a Rich Text Editor and you want to prevent all XSS.
  • You want full HTML5 & CSS3 support.
  • You want to allow all safe HTML elements, their attributes, and CSS properties without going deep into whitelist configs.

The default driver aligns with OWASP recommendations:

... OWASP recommends DOMPurify for HTML Sanitization.

Requirements

  • PHP >= 8.2
  • ext-json
  • Node >= 18
  • NPM

Installation

Install the package via composer:

composer require medilies/xssless

For non Laravel projects, pick a config and run the following code:

$config = new Medilies\Xssless\Dompurify\DompurifyCliConfig('node', 'npm');

(new Medilies\Xssless\Xssless)
    ->using($config)
    ->setup();

For Laravel projects, run the following command:

php artisan xssless:setup

Usage

Using Medilies\Xssless\Dompurify\DompurifyCliConfig:

(new Medilies\Xssless\Xssless)
    ->using(new Medilies\Xssless\Dompurify\DompurifyCliConfig)
    ->clean($html);

Using Medilies\Xssless\Dompurify\DompurifyServiceConfig:

$config = new Medilies\Xssless\Dompurify\DompurifyServiceConfig(
    host: '127.0.0.1', 
    port: 63000
);

$xssless = (new Medilies\Xssless\Xssless)
    ->using($config);

/**
 * It is better to have this part in a separate script
 * that runs continuously and independently from your app 
 */
$xssless->start();

$xssless->clean($html);

Laravel usage

You can publish the config file with:

php artisan vendor:publish --tag="xssless-config"

This is the contents of the published config file:

return [
    'default' => 'dompurify-cli',

    'drivers' => [
        'dompurify-cli' => new DompurifyCliConfig(
            node: env('NODE_PATH', 'node'), // @phpstan-ignore argument.type
            npm: env('NPM_PATH', 'npm'), // @phpstan-ignore argument.type
            binary: null,
            tempFolder: null,
        ),
        
        'dompurify-service' => new DompurifyServiceConfig(
            node: env('NODE_PATH', 'node'), // @phpstan-ignore argument.type
            npm: env('NPM_PATH', 'npm'), // @phpstan-ignore argument.type
            host: '127.0.0.1',
            port: 63000,
            binary: null,
        ),
    ],
];

Run the following command (Not required by all drivers):

php artisan xssless:start

Use the facade:

Medilies\Xssless\Laravel\Facades\Xssless::clean($html);

Changelog

Please see CHANGELOG for more information on what has changed recently.

Contributing

Please see CONTRIBUTING for details.

Security Vulnerabilities

Please review our security policy on how to report security vulnerabilities.

Credits

License

The MIT License (MIT). Please see License File for more information.