This package sanitizes incoming request data through a middleware, and its helper class can also be used standalone to sanitize strings.

Requirements:

- PHP 7.1.3 or higher
Add the package to your `composer.json`:

```json
"require": {
    "distilleries/security": "1.*"
}
```

Then run `composer update`.
Publish the configuration:

```bash
php artisan vendor:publish --provider="Distilleries\Security\SecurityServiceProvider"
```

The published configuration file contains:

```php
return [
    'xss_enable'    => env('SECURITY_XSS_ENABLE', true),
    'html_purifier' => env('SECURITY_HTML_PURIFIER_ENABLE', true),
];
```
Field | Usage
---|---
`xss_enable` | Enable the XSS clean step in the middleware
`html_purifier` | Enable HTML Purifier in the middleware
Add the middleware to the kernel file:

```php
protected $middleware = [
    \Distilleries\Security\Http\Middleware\XSS::class,
];
```
You can also use the `Security` class to sanitize data directly:

```php
$xss = new \Distilleries\Security\Helpers\Security();
$xss->xss_clean('<a href="javascript:alert(\'test\')">Click to alert</a>');
```

Should return `Click to alert`.
The `entity_decode()` method is a replacement for `html_entity_decode()`.

The reason we are not using `html_entity_decode()` by itself is that, while it is not technically correct to leave out the semicolon at the end of an entity, most browsers will still interpret the entity correctly. `html_entity_decode()` does not convert entities without semicolons, so we are left with our own little solution here. Bummer.

```php
$xss = new \Distilleries\Security\Helpers\Security();
$xss->entity_decode('<a href="javascript:alert(\'test\')">Test</a>');
```

Should return `Test`.
The `sanitize_filename()` method strips characters and sequences that are unsafe in a file name. The second parameter controls whether relative paths are allowed:

```php
$xss = new \Distilleries\Security\Helpers\Security();
$xss->sanitize_filename('./../test.jpg', true);
```

Should return `./test.jpg` instead of `./../test.jpg`.
```php
$xss = new \Distilleries\Security\Helpers\Security();
$xss->sanitize_filename('./../test.jpg', false);
```

Should return `test.jpg` instead of `./../test.jpg`.
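As an added illustration (not code from the package itself), a sanitize-then-verify pattern for a user-supplied upload name: the helper strips traversal sequences with relative paths disallowed, and a `realpath()` containment check then confirms the final path stays inside the upload directory, because a blocklist-based sanitizer should not be the only control. It assumes the package is installed via Composer and uses `/var/www/uploads` as a placeholder upload directory.

```php
<?php
require __DIR__ . '/vendor/autoload.php';

use Distilleries\Security\Helpers\Security;

/**
 * Sanitize a user-supplied file name and return an absolute path inside
 * $uploadDir, or null when the result would land outside that directory.
 */
function safeUploadPath(string $userName, string $uploadDir): ?string
{
    $security = new Security();

    // Relative paths disallowed: traversal sequences and separators are removed,
    // so only a bare file name should remain.
    $name = $security->sanitize_filename($userName, false);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }

    $base = realpath($uploadDir);
    if ($base === false) {
        return null; // upload directory does not exist
    }

    $candidate = $base . DIRECTORY_SEPARATOR . $name;

    // Defense in depth: the parent of the final path must resolve to the
    // upload directory itself, regardless of what the sanitizer left behind.
    if (realpath(dirname($candidate)) !== $base) {
        return null;
    }

    return $candidate;
}

// Constructed sample inputs; the upload directory is a placeholder.
$uploadDir = '/var/www/uploads';
foreach (['report.pdf', './../test.jpg', '..\\..\\config.php'] as $input) {
    $path = safeUploadPath($input, $uploadDir);
    printf("%-20s => %s\n", $input, $path ?? 'rejected');
}
```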