
MasterRO94 / laravel-xss-filter

Licence: MIT license
Filter user input for XSS but don't touch other html

Programming Languages

PHP

Projects that are alternatives of or similar to laravel-xss-filter

Godnslog
An exquisite dns&http log server for verify SSRF/XXE/RFI/RCE vulnerability
Stars: ✭ 172 (+352.63%)
Mutual labels:  xss
Secbox
🖤 A navigation guide to cybersecurity and penetration-testing tools
Stars: ✭ 222 (+484.21%)
Mutual labels:  xss
cve-2016-1764
Extraction of iMessage Data via XSS
Stars: ✭ 52 (+36.84%)
Mutual labels:  xss
Webrtcxss
Use XSS to break into an intranet (Use XSS automation Invade intranet)
Stars: ✭ 190 (+400%)
Mutual labels:  xss
Angularjs Csti Scanner
Automated client-side template injection (sandbox escape/bypass) detection for AngularJS.
Stars: ✭ 214 (+463.16%)
Mutual labels:  xss
Payloads
Git All the Payloads! A collection of web attack payloads.
Stars: ✭ 2,862 (+7431.58%)
Mutual labels:  xss
Xssor2
XSS'OR - Hack with JavaScript.
Stars: ✭ 1,969 (+5081.58%)
Mutual labels:  xss
Wordlist404
Small but effective wordlist for brute-forcing and discovering hidden things.
Stars: ✭ 101 (+165.79%)
Mutual labels:  xss
Xss Loader
Xss Payload Generator ~ Xss Scanner ~ Xss Dork Finder
Stars: ✭ 215 (+465.79%)
Mutual labels:  xss
Xsshell
An XSS reverse shell framework
Stars: ✭ 251 (+560.53%)
Mutual labels:  xss
Xless
The Serverless Blind XSS App
Stars: ✭ 191 (+402.63%)
Mutual labels:  xss
Berserker
A list of useful payloads for Web Application Security and Pentest/CTF
Stars: ✭ 212 (+457.89%)
Mutual labels:  xss
Ary
Ary is an integrated tool, mainly used to invoke various security tools so as to form a convenient one-click penetration-testing workflow.
Stars: ✭ 241 (+534.21%)
Mutual labels:  xss
Javasecurity
Java web and command line applications demonstrating various security topics
Stars: ✭ 182 (+378.95%)
Mutual labels:  xss
coldfusion-10-11-xss
Proof of Concept code for CVE-2015-0345 (APSB15-07)
Stars: ✭ 22 (-42.11%)
Mutual labels:  xss
Jsshell
JSshell - JavaScript reverse/remote shell
Stars: ✭ 167 (+339.47%)
Mutual labels:  xss
Veneno
Stars: ✭ 230 (+505.26%)
Mutual labels:  xss
html-contextual-autoescaper-java
Prevents XSS by figuring out how to escape untrusted values in templates
Stars: ✭ 15 (-60.53%)
Mutual labels:  xss
cd
CloudDefense.ai is an automated web application security testing tool that audits your web applications by checking for vulnerabilities like SQL Injection, Cross-site scripting and other exploitable vulnerabilities.
Stars: ✭ 33 (-13.16%)
Mutual labels:  xss
Browser Sec Whitepaper
Cure53 Browser Security White Paper
Stars: ✭ 251 (+560.53%)
Mutual labels:  xss


XSS Filter/Sanitizer for Laravel

Configure once and forget about XSS attacks!

Laravel 5.4+ middleware that filters user input for XSS, iframes and other embed elements.

It does not remove the HTML; it only escapes script tags and embeds.

However, by default it does delete inline event listeners such as onclick. Optionally they can be escaped instead (set escape_inline_listeners to true in the xss-filter.php config file).

For example

<html>
<head>
    <script src="app.js"></script>
    <script>window.init()</script> 
    <meta name="test" />
    <script>
    let Iframe = new Iframe('#iframe');
    </script>
</head>
<body>
    <div class="hover" onhover="show()" data-a="b"><p onclick="click"><span class="span" ondblclick="hide()"></span>Aawfawfaw f awf aw  </p></div>
    <iframe id="iframe">Not supported!</iframe>
</body>
</html>

will be transformed to

<html>
<head>
&lt;script src=&quot;app.js&quot;&gt;&lt;/script&gt;
&lt;script&gt;window.init()&lt;/script&gt; 
<meta name="test" />
&lt;script&gt;
let Iframe = new Iframe(&#039;#iframe&#039;);
&lt;/script&gt;
</head>
<body>
<div class="hover"  data-a="b"><p ><span class="span" ></span>Aawfawfaw f awf aw  </p></div>
&lt;iframe id=&quot;iframe&quot;&gt;Not supported!&lt;/iframe&gt;
</body>
</html>

This lets you render HTML built from users' input in your views without worrying about XSS attacks or embedded elements.

Installation

Step 1: Composer

From command line

composer require masterro/laravel-xss-filter

Step 2: register the Service provider and Facade (optional) (for Laravel 5.4)

For your Laravel app, open config/app.php and, within the providers array, append:

MasterRO\LaravelXSSFilter\XSSFilterServiceProvider::class

Within the aliases array, append:

'XSSCleaner' => MasterRO\LaravelXSSFilter\XSSCleanerFacade::class

Step 3: publish configs (optional)

From command line

php artisan vendor:publish --provider="MasterRO\LaravelXSSFilter\XSSFilterServiceProvider"

Step 4: Middleware

You can register \MasterRO\LaravelXSSFilter\FilterXSS::class for filtering in the global middleware stack, in a middleware group, or on specific routes.

Have a look at Laravel's middleware documentation if you need any help.
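Step 4 in practice, as an added example rather than code from the package: the three places where the middleware can be registered in a Laravel 5.x app/Http/Kernel.php. Only the FilterXSS class name comes from the README above; the surrounding Kernel layout is Laravel's own default, and the 'xss' route alias and the /comments route in the comment are hypothetical.

```php
<?php
// app/Http/Kernel.php (added example; only the FilterXSS lines come from the package)

namespace App\Http;

use Illuminate\Foundation\Http\Kernel as HttpKernel;
use MasterRO\LaravelXSSFilter\FilterXSS;

class Kernel extends HttpKernel
{
    /**
     * Option A: global middleware stack. Every HTTP request is filtered
     * before it reaches any route, so nothing can be forgotten.
     */
    protected $middleware = [
        \Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode::class,
        FilterXSS::class,
    ];

    /**
     * Option B: only the "web" group. Choose this if your API endpoints are
     * supposed to receive raw HTML and you sanitise it at render time instead.
     */
    protected $middlewareGroups = [
        'web' => [
            \App\Http\Middleware\EncryptCookies::class,
            \Illuminate\Session\Middleware\StartSession::class,
            \Illuminate\View\Middleware\ShareErrorsFromSession::class,
            \App\Http\Middleware\VerifyCsrfToken::class,
            FilterXSS::class,
        ],
        'api' => [
            'throttle:60,1',
        ],
    ];

    /**
     * Option C: a named alias (hypothetical name 'xss') so that a single
     * route can opt in, for example in routes/web.php:
     *   Route::post('/comments', 'CommentController@store')->middleware('xss');
     */
    protected $routeMiddleware = [
        'auth' => \Illuminate\Auth\Middleware\Authenticate::class,
        'xss'  => FilterXSS::class,
    ];
}
```

Pick one option; registering the filter both globally and on a group runs it twice on the same input, which is harmless but wasteful. Remember that the filter runs on request input only, so anything that reaches the database by another path (seeders, imports, queued jobs) still needs the facade call described under Usage.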

Usage

After adding middleware, every request will be filtered.

If you need to specify attributes that should not be filtered, add them to the xss-filter.except config. By default, the filter excludes the password and password_confirmation fields.

If you want to clean a value somewhere else (e.g. in a controller), you can use the XSSCleaner facade.

$clean = XSSCleaner::clean($string);

Runtime configuration

XSSCleaner::config()
    ->allowElement('iframe')
    ->allowMediaHosts(['youtube.com'])
    ->blockElement('a');
    
$clean = XSSCleaner::clean($string);
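An added example, not part of the package, that covers both the XSSCleaner facade usage and the runtime configuration above: a Laravel feature test that pins the sanitiser's behaviour on a constructed hostile input, so that a later configuration change (such as allowing iframes for a media host) cannot silently re-enable scripts or inline handlers. It assumes the standard Tests\TestCase base class, PHPUnit 7.5+ string assertions, and that a configuration set through XSSCleaner::config() applies to the clean() call that follows it in the same test. The assertions only check what the README states: script tags and iframes are escaped, inline listeners are removed, other HTML is kept, and an iframe from an allowed media host survives once iframes are enabled. The sample input, the alert() calls and the VIDEO_ID value are constructed.

```php
<?php
// tests/Feature/XssFilterTest.php (added example, not part of laravel-xss-filter)

namespace Tests\Feature;

use Tests\TestCase;
use MasterRO\LaravelXSSFilter\XSSCleanerFacade as XSSCleaner;

class XssFilterTest extends TestCase
{
    /** Constructed sample of what a hostile user might post as a comment body. */
    private function hostileInput()
    {
        return '<p class="c" onclick="alert(document.cookie)">hello</p>'
            . '<script>alert(document.cookie)</script>'
            . '<iframe src="https://youtube.com/embed/VIDEO_ID"></iframe>';
    }

    public function testDefaultsEscapeScriptsAndEmbedsAndDropHandlers()
    {
        $clean = XSSCleaner::clean($this->hostileInput());

        // Script and iframe tags are escaped, so the browser renders them as text.
        $this->assertStringNotContainsString('<script', $clean);
        $this->assertStringNotContainsString('<iframe', $clean);
        $this->assertStringContainsString('&lt;script', $clean);

        // Inline event listeners are deleted by default (escape_inline_listeners = false).
        $this->assertStringNotContainsString('onclick', $clean);

        // Ordinary HTML and its harmless attributes survive.
        $this->assertStringContainsString('<p class="c"', $clean);
        $this->assertStringContainsString('hello', $clean);
    }

    public function testAllowingIframesForOneHostDoesNotReenableScripts()
    {
        // Runtime configuration from the README: permit iframes, but only from youtube.com.
        XSSCleaner::config()
            ->allowElement('iframe')
            ->allowMediaHosts(['youtube.com']);

        $clean = XSSCleaner::clean($this->hostileInput());

        // The embed from the allowed host is now kept as a real tag ...
        $this->assertStringContainsString('<iframe', $clean);
        $this->assertStringContainsString('youtube.com/embed/VIDEO_ID', $clean);

        // ... while the script and the inline handler are still neutralised.
        $this->assertStringNotContainsString('<script', $clean);
        $this->assertStringNotContainsString('onclick', $clean);
    }
}
```

Keeping a test like this beside the package configuration turns the README's promise ("configure once and forget") into something the build checks: if someone later calls allowElement('script') or sets escape_inline_listeners without reviewing the templates that render the stored HTML, the first test fails before the change ships.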

I will be grateful if you star this project :)
