masterro/laravel-xss-filter
Composer 安装命令:
composer require masterro/laravel-xss-filter
包简介
Filter user input for XSS but don't touch other html
关键字:
README 文档
README
XSS Filter/Sanitizer for Laravel
Configure once and forget about XSS attacks!
It does not remove the html, it is only escaped script tags and embeds.
However, by default, it does delete inline event listeners such as onclick.
Optionally they also can be escaped (set escape_inline_listeners to true in xss-filter.php config file).
For example
<html>
<head>
<script src="app.js"></script>
<script>window.init()</script>
<meta name="test" />
<script>
let Iframe = new Iframe('#iframe');
</script>
<head>
<body>
<div class="hover" onhover="show()" data-a="b"><p onclick="click"><span class="span" ondblclick="hide()"></span>Aawfawfaw f awf aw </p></div>
<iframe id="iframe">Not supported!</iframe>
</body>
</html>
will be transformed to
<html> <head> <script src="app.js"></script> <script>window.init()</script> <meta name="test" /> <script> let Iframe = new Iframe('#iframe'); </script> <head> <body> <div class="hover" data-a="b"><p ><span class="span" ></span>Aawfawfaw f awf aw </p></div> <iframe id="iframe">Not supported!</iframe> </body> </html>
This allows to render html in views based on users' input and don't be afraid of XSS attacks and embed elements.
Installation
Step 1: Composer
From command line
composer require masterro/laravel-xss-filter
Step 2: publish configs (optional)
From command line
php artisan vendor:publish --provider="MasterRO\LaravelXSSFilter\XSSFilterServiceProvider"
Step 3: Middleware
You can register \MasterRO\LaravelXSSFilter\FilterXSS::class for filtering in global middleware stack, group middleware stack or for specific routes.
Have a look at Laravel's middleware documentation, if you need any help.
Livewire
If you are using Livewire you can either register global middleware to all the update livewire requests. This special middleware will clean only required part of Livewire request payload and will not touch snapshot so the component checksum still would be valid.
// AppServiceProvider.php public function boot(): void { Livewire::setUpdateRoute(static function ($handle) { return Route::post('/livewire/update', $handle) ->middleware(['web', FilterXSSLivewire::class]); }); }
Or you can apply middleware to specific routes and add it to persistent list to ensure inputs are cleared on subsequent component requests:
// AppServiceProvider.php public function boot(): void { Livewire::addPersistentMiddleware([ FilterXSSLivewire::class, ]); }
Note
If you have both Livewire components and traditional Controllers you can apply only FilterXSSLivewire::class middleware for all required routes or globally. It will fall back to base logic for non Livewire requests.
Usage
After adding middleware, every request will be filtered.
If you need to specify attributes that should not be filtered add them to xss-filter.except config. By default, filter excepts password and password_confirmation fields.
If you want to clean some value in other place (i.e. Controller) you can use XSSCleaner Facade.
$clean = XSSCleaner::clean($string);
Runtime configuration
XSSCleaner::config() ->allowElement('iframe') ->allowMediaHosts(['youtube.com', 'youtu.be']) ->denyElement('a'); $clean = XSSCleaner::clean($string);
I will be grateful if you star this project :)
masterro/laravel-xss-filter 适用场景与选型建议
masterro/laravel-xss-filter 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 270.72k 次下载、GitHub Stars 达 41, 最近一次更新时间为 2018 年 02 月 09 日, 在 PHP 生态内属于活跃度较高的组件。
它主要适用于以下技术方向: 「middleware」 「laravel」 「xss」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。
我们在过去多个企业项目中使用过 masterro/laravel-xss-filter 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。
基于 masterro/laravel-xss-filter 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。
线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。
承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。
与 masterro/laravel-xss-filter 相关的其它包
同方向 / 同关键字的高下载量 PHP Composer 包推荐,方便对比选型:
Shoot aims to make providing data to your templates more manageable
An HTML/XHTML filter written in PHP. Checks on attribute values. Can be used to avoid Cross-Site Scripting (XSS), Buffer Overflows and Denial of Service attacks, among other things.
Slim Framework 3 CSRF protection middleware utilities
A jQuery augmented PHP library for creating and validating HTML forms
Cloudflare Middleware For Guzzle
PSR-15 middleware to handle CSRF-token verification
统计信息
- 总下载量: 270.72k
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 41
- 点击次数: 32
- 依赖项目数: 1
- 推荐数: 0
其他信息
- 授权协议: MIT
- 更新时间: 2018-02-09