user2029029

Reputation: 51

How can you apply xss filters in laravel 4 framework?

How do you think about security in Laravel 4? I mean, how does Laravel manage XSS attacks?

In CodeIgniter you have something like xss_clean($_GET['yourValue']) to clean user input from XSS code.

How does Laravel manage those kinds of problems? You get user values using Input::get('yourValue'), but how do you apply an XSS filter to it? Does it come with this functionality out of the box, or what?

Upvotes: 5

Views: 7841

Answers (7)

Paweł Messerszmit

Reputation: 81

I examined Laravel's {{{...}}} protection against XSS attacks. It just uses the htmlentities() function like this: htmlentities('javascript:alert("xss")', ENT_QUOTES, 'UTF-8', false); This protects you against XSS only if you use it properly, meaning don't use it in certain HTML tags, because it will result in the possibility of an XSS attack. For example:

$a = htmlentities('javascript:alert("xss")', ENT_QUOTES, 'UTF-8', false); 
echo '<a href="'.$a.'">link</a>';

In this case, your code is vulnerable to xss.

Upvotes: 0
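The point above, shown as an added example that is not part of the answer: entity-encoding leaves the `javascript:` scheme intact, so an href needs a scheme allowlist before escaping. The function names `link_unsafe`, `safe_href` and `link_safe` are my own, not Laravel's.

```php
<?php
// Added example, not code from the answer above: entity-encoding a value does
// not make it safe inside href, because the "javascript:" scheme survives the
// encoding. Defence: allowlist the URL scheme first, then escape the attribute.

// The approach from the answer: quotes are encoded, the scheme is untouched.
function link_unsafe(string $url): string
{
    $a = htmlentities($url, ENT_QUOTES, 'UTF-8', false);
    return '<a href="' . $a . '">link</a>';
}

// Hardened form: accept only http, https or scheme-less (relative) URLs.
function safe_href(string $url): string
{
    // Normalise before inspecting: drop ASCII control characters and spaces,
    // which browsers tolerate in a URL but which confuse scheme detection.
    $url = preg_replace('/[\x00-\x20\x7f]+/', '', $url);

    $scheme = parse_url($url, PHP_URL_SCHEME);   // null when the URL is relative
    if ($scheme === false) {
        return '#';                               // unparseable: refuse it
    }
    if ($scheme !== null && !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return '#';                               // javascript:, data:, vbscript:, ...
    }
    // The scheme is now known-good; escape for the attribute context.
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

function link_safe(string $url): string
{
    return '<a href="' . safe_href($url) . '">link</a>';
}

$payload = 'javascript:alert("xss")';              // the value from the answer
echo link_unsafe($payload), PHP_EOL;               // still carries the javascript: scheme
echo link_safe($payload), PHP_EOL;                 // rendered as a dead "#" link
echo link_safe('https://example.com/?q=a&b="c"'), PHP_EOL; // allowed; quotes and & escaped
```

Run it with `php` on the command line: the first link still contains the script URL, the second is a dead link, and the third keeps a legitimate URL with its quotes and ampersand escaped.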

Rizwan Mughal

Reputation: 17

Create a new Helper file and put these two methods in your helper.

// e.g. app/Helper.php; make sure the class is autoloadable (for example via the
// composer classmap) so that Helper::globalXssClean() resolves in the filter.
class Helper
{
    public static function globalXssClean()
    {
        // Recursive cleaning for array [] inputs, not just strings.
        // Input::get() with no key returns the whole input array in Laravel 4.
        $sanitized = static::arrayStripTags(Input::get());
        Input::merge($sanitized);
    }

    public static function arrayStripTags($array)
    {
        $result = array();

        foreach ($array as $key => $value) {
            // Don't allow tags on key either, maybe useful for dynamic forms.
            $key = strip_tags($key);

            // If the value is an array, we will just recurse back into the
            // function to keep stripping the tags out of the array,
            // otherwise we will set the stripped value.
            if (is_array($value)) {
                $result[$key] = static::arrayStripTags($value);
            } else {
                // I am using strip_tags(), you may use htmlentities(),
                // also I am doing trim() here, you may remove it, if you wish.
                $result[$key] = trim(strip_tags($value));
            }
        }

        return $result;
    }
}

Then put this code in the beginning of your before filter (in Laravel 4 it should be in app/filters.php).

App::before(function($request)
{
    Helper::globalXssClean();
});

Upvotes: 1

cawecoy

Reputation: 2419

Here is how I solved this. Inspired by @the-alpha's solution. I'm using Laravel 4.2.

app/start/global.php:

function array_strip_tags($array)
{
    $result = array();
    foreach ($array as $key => $value) {
        $key = strip_tags($key);
        if (is_array($value)) {
            $result[$key] = array_strip_tags($value);
        }
        else {
            $result[$key] = strip_tags($value);
        }
    }
    return $result;
}

app/filters.php:

Route::filter('strip_tags', function()
{
    Input::merge(array_strip_tags(Input::all()));
});

app/routes.php:

Route::group(array('before' => 'strip_tags'), function(){
    // all routes under this route group will get all their inputs passed through PHP's strip_tags function
    Route::any('/', ['as' => 'home', 'uses' => 'PageController@anyHome']);
    Route::any('/some-page', ['as' => 'some-page', 'uses' => 'PageController@anySomePage']);
});

Upvotes: 2

user28864

Reputation: 3463

There is also another XSS filter package for Laravel, which can be downloaded here

Usage Example:

Simple form code snippet

{{Form::open(['route' => 'posts.store'])}}
{{Form::text('title')}}
{{Form::textarea('body')}}
{{Form::submit('Post')}}
{{Form::close()}}

Filter package usage

$rules = ['title' => 'required|min:13', 'body' => 'required|min:150'];
$validator = Validator::make(Input::all(), $rules);

if ($validator->passes()) {
    // XSS is the package's cleaner class; clean() and get() are its API as used here.
    $xss = new XSS;
    $xss->clean(Input::all());
    $input = $xss->get();

    $post = new Post;
    $post->title = $input->title;
    $post->body = $input->body;

    // to test the results you can dd($input); & happy coding everyone!
}

Upvotes: 0

Waiyl Karim

Reputation: 2950

I believe Laravel doesn't, unfortunately, have a built-in XSS filter. However, there's a package you can try, laravel-xss, and it's easy to use; you just need to do something like: $user->about = Xss::clean(Input::get('about')); and you're set to go!

Upvotes: 0

The Alpha

Reputation: 146269

You can use the App::before event to filter all of your inputs like this:

App::before(function($request)
{
    Input::merge(array_strip_tags(Input::all()));
});

The array_strip_tags function is given below. I've put it in a helper file so I can call it directly; you may use it as a helper function or as a library, but it's easiest as a helper function: just create a helper file inside the app/start/ folder, give it a name, for example custom_helper.php, and include it inside the global.php file like this:

// in app/start/global.php; __DIR__ resolves to the app/start/ folder
require __DIR__ . '/custom_helpers.php';

Function array_strip_tags

function array_strip_tags($array)
{
    $result = array();
    foreach ($array as $key => $value) {
        $key = strip_tags($key);
        if (is_array($value)) {
            $result[$key] = array_strip_tags($value);
        }
        else {
            $result[$key] = strip_tags($value);
        }
    }
    return $result;
}

This is copied from a working project of mine.

Upvotes: 3
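The array_strip_tags helper that this answer, cawecoy's and Rizwan Mughal's share, run over constructed nested input as an added example (not code from any of the answers), to show what an input-side strip_tags filter removes and what it leaves behind; the sample input values are made up for the demonstration.

```php
<?php
// Added example, not code from the answers above: exercising the
// array_strip_tags helper the three answers share on constructed nested input.

function array_strip_tags(array $array): array
{
    $result = [];
    foreach ($array as $key => $value) {
        $key = strip_tags((string) $key);
        $result[$key] = is_array($value)
            ? array_strip_tags($value)
            : strip_tags((string) $value);
    }
    return $result;
}

// Constructed request input, shaped like Input::all() in Laravel 4.
$input = [
    'name'    => 'Alice <b>Smith</b>',
    'website' => 'javascript:alert("xss")', // the payload discussed in this thread
    'price'   => '5<6',                     // ordinary text that contains "<"
    'tags'    => ['<script>x</script>', 'ok'],
];

$clean = array_strip_tags($input);

foreach (['name', 'website', 'price'] as $field) {
    printf("%-8s %-28s -> %s\n", $field, $input[$field], $clean[$field]);
}
printf("tags     %s\n", implode(', ', $clean['tags']));

// Two things to notice when you run this:
// - a value without angle brackets (the javascript: URL) comes back unchanged,
//   so strip_tags on input is no substitute for {{{ }}} escaping and URL
//   validation at output time;
// - strip_tags treats "<6" as the start of a tag and discards the rest of that
//   string, so a global filter can silently truncate legitimate data.
```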

James Flight

Reputation: 21

In Laravel templates, any data that comes from user input should be enclosed in three curly braces to sanitize it:

<h1>{{{ $input }}}</h1>

There's no native XSS clean function in Laravel, but if you're desperate for one there is a port of the CodeIgniter security library available here:

http://packalyst.com/packages/package/gvlatko/laravel-xss

Upvotes: 2
