Youssef Boudaya

Reputation: 133

How to secure my laravel app from Cross-Site Scripting?

I read an article about Cross-Site Scripting and I wanted to know if my app is vulnerable to this type of action.

I have some modules in my app that require a long description, so I use the Summernote editor. In the front end, in order to display the text correctly, I must use {!! !!}. Is it dangerous to use them in my views to display unescaped data?

Upvotes: 0

Views: 4246

Answers (3)

Okoro Efe Christopher

Reputation: 52

Do not use {!! !!} unless you're very sure what you're displaying is entirely safe. Use {{ }} instead. Also make sure you're using Laravel's CSRF token.

Upvotes: 0

Patrick Schocke

Reputation: 1491

I have some modules in my app that require a long description, so I use the Summernote editor. In the front end, in order to display the text correctly, I must use {!! !!}. Is it dangerous to use them in my views to display unescaped data?

Yes, it is. Never trust the user. Never rely on client side escaping. You need to escape this on the server side.

I am using Laravel Purifier, which you can use to escape all HTML tags, or you can define which tags are allowed (e.g. in a text field something like <h1> or <strong> should be allowed, but you would need to remove all <script> tags).

Laravel includes CSRF token management out of the box, so you are safe from cross-site attacks.

EDIT

As the TE asked in the comments, this is how you use Purifier:

After installation, you can define multiple configurations for the escaping in the configuration file (e.g. if you have different textareas, in one you want to allow <h1> and in another not). In HTML.Allowed you write all tags that are allowed to be used, and in CSS.AllowedProperties you set the allowed style changes (e.g. color).

To then escape an input, just use clean($input, 'Configurationname');, where Configurationname is the name of the configuration. The default value is default.

Upvotes: 1
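The setup described in this answer, written out as an added example (not code from the question or the answer, and not the package's own documentation). It assumes the "Laravel Purifier" meant here is the mews/purifier package, whose published config/purifier.php holds named settings and which provides the clean() helper; the controller, model and view names (ModuleController, Module, modules.show) are hypothetical. Three files are shown in one block, separated by path comments: the configuration with two named settings, the controller that purifies the description once on the server before it is stored, and the Blade view that only uses {!! !!} for the already-purified column.

```php
<?php
// config/purifier.php  (published by mews/purifier; assumption, see lead-in)
// Two named configurations: 'default' lets no tag through at all,
// 'description' is an allow-list for the rich-text field.
return [
    'encoding'      => 'UTF-8',
    'finalize'      => true,
    'cachePath'     => storage_path('app/purifier'),
    'cacheFileMode' => 0755,
    'settings'      => [
        'default' => [
            'HTML.Doctype' => 'HTML 4.01 Transitional',
            'HTML.Allowed' => '',   // empty allow-list: every tag is stripped
        ],
        'description' => [
            'HTML.Doctype'           => 'HTML 4.01 Transitional',
            // Allow-list: only these tags/attributes survive; <script>, <iframe>,
            // on* event attributes and anything else not listed are dropped.
            'HTML.Allowed'           => 'h1,h2,p,br,strong,em,ul,ol,li,a[href],span[style]',
            // Only this inline style property is kept inside span[style].
            'CSS.AllowedProperties'  => 'color',
            'AutoFormat.RemoveEmpty' => true,
        ],
    ],
];

// ---------------------------------------------------------------------
// app/Http/Controllers/ModuleController.php  (hypothetical names)
namespace App\Http\Controllers;

use App\Models\Module;
use Illuminate\Http\Request;

class ModuleController extends Controller
{
    public function store(Request $request)
    {
        $data = $request->validate([
            'title'       => 'required|string|max:200',
            'description' => 'required|string',
        ]);

        // Server-side sanitising, once, before the HTML reaches the database.
        // 'description' is the configuration name from config/purifier.php.
        $data['description'] = clean($data['description'], 'description');

        Module::create($data);

        return redirect()->route('modules.index');
    }
}

// ---------------------------------------------------------------------
// resources/views/modules/show.blade.php  (Blade, shown here for the output side)
//
// <h2>{{ $module->title }}</h2>               {{-- plain text: always escaped --}}
// <div class="description">
//     {!! $module->description !!}            {{-- purified HTML only --}}
// </div>
```

The point of keeping two configurations is that the empty 'default' is what clean() uses when no name is passed, so a forgotten second argument fails closed (everything stripped) rather than open. Purifying at store time also means the view does not need to know which field was sanitised, but if existing rows were saved before the sanitiser was introduced, those rows must be cleaned before they are rendered with {!! !!}.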

Nikolai Kiselev

Reputation: 6603

It's dangerous to display unescaped data in your views, especially data that came from a user's input. E.g. a user can save a JS script through that form that would be run on this page.

In cases when you can't use {{ }} to prevent XSS attacks, you can filter the input data just before storing it to a database. For example with regexp you can remove <script> tags or you can validate request input with not_regex:pattern first.

Upvotes: 0
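The not_regex validation mentioned in this answer, as an added example (not code from the answer). It assumes a Laravel form request with hypothetical class and field names; the rule rejects a description that contains a <script> tag before anything is stored. Array syntax is used for the rule so that the regex delimiters and flags are not split on the "|" rule separator.

```php
<?php
// app/Http/Requests/StoreModuleRequest.php  (hypothetical name)
namespace App\Http\Requests;

use Illuminate\Foundation\Http\FormRequest;

class StoreModuleRequest extends FormRequest
{
    public function authorize(): bool
    {
        // Authorisation is handled elsewhere in this example.
        return true;
    }

    public function rules(): array
    {
        return [
            'title'       => ['required', 'string', 'max:200'],
            // Reject the whole request if a <script> tag appears anywhere in the
            // description (case-insensitive, whitespace after "<" tolerated).
            // Array syntax keeps the pattern intact; the pipe syntax would break on "|".
            'description' => ['required', 'string', 'not_regex:/<\s*script/i'],
        ];
    }

    public function messages(): array
    {
        return [
            'description.not_regex' => 'Script tags are not allowed in the description.',
        ];
    }
}

// Usage in a controller: type-hinting the request runs the rules automatically
// and returns the user to the form with errors if they fail.
//
// public function store(StoreModuleRequest $request)
// {
//     $data = $request->validated();   // only 'title' and 'description', already checked
//     Module::create($data);
//     return redirect()->route('modules.index');
// }
```

Treat this rule as a tripwire, not as the sanitiser: it is a deny-list that matches one pattern, so it is useful for rejecting obviously hostile input and logging the attempt, but the allow-list approach from the Purifier answer (keep only the tags you want) is what actually makes the stored HTML safe to render with {!! !!}.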
