laravelgems/blade-escape
Composer 安装命令:
composer require laravelgems/blade-escape
包简介
Custom blade directives to figth against XSS
README 文档
README
Blade Escape is a service provider that extends Blade directives and allows use Laragems\Escape library.
<div style="background-color: @css($color);"> <label>@text($label)</label> <input type="text" name="custom" value="@attr($value)"/> </div> <a href="/profile?u=@param($username)">Profile</a> <button onclick="callMyFunction('@js($username)');">Validate</button> <script> var username = "@js($username)"; </script>
Installation
composer require laravelgems/blade-escape
After that add service provider to a config\app.php
/* * Package Service Providers... */ ... LaravelGems\BladeEscape\Providers\BladeEscapeServiceProvider::class, ...
HTML - @text($variable), safe
<p>@text($resume)</p> <div>@text($bio)</div>
HTML Attribute - @attr(@variable), safe when following rules
Attribute's value should be quoted. For usage with whitelist attributes: align, alink, alt, bgcolor, border, cellpadding, cellspacing, class, color, cols, colspan, coords, dir, face, height, hspace, ismap, lang, marginheight, marginwidth, multiple, nohref, noresize, noshade, nowrap, ref, rel, rev, rows, rowspan, scrolling, shape, span, summary, tabindex, title, usemap, valign, value, vlink, vspace, width
<input type="text" value="@attr($variable)"/> <img src="image.png" alt="@attr($variable)"/>
URL Parameter - @param($variable), safe
<a href="search?keyword=@param($variable)">Click Me</a>
Javascript Parameter - @js($variable), safe when following rules
Value should be quoted. Avoid using dangerous functions (eval and so on), example - setTimeout("@js($variable)") (can be hacked!)
<script>
var username = "@js($variable)";
</script>
<a href="#" onclick="displayDialog('@js($title)');">Click</a>
CSS - @css($variable), safe when following rules
Surrounded by quotes. Avoid complex properties like url, behavior and custom (-moz-binding). Do not put untrusted data into IE's expression property value
<style>
.article { background-color: '@css($color)';}
</style>
<span style="width: '@css($width)';"></span>
Must Read: QWASP - XSS Prevention Cheat Sheet
You don't like the names of directives. Ok, just change them in a published config.
laravelgems/blade-escape 适用场景与选型建议
laravelgems/blade-escape 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 12.44k 次下载、GitHub Stars 达 12, 最近一次更新时间为 2016 年 12 月 25 日, 在 PHP 生态内属于活跃度较高的组件。
我们在过去多个企业项目中使用过 laravelgems/blade-escape 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。
基于 laravelgems/blade-escape 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。
线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。
承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。
统计信息
- 总下载量: 12.44k
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 12
- 点击次数: 28
- 依赖项目数: 0
- 推荐数: 0
其他信息
- 授权协议: MIT
- 更新时间: 2016-12-25