Web Security 24x7

Web Security | Web Hacking | Bug Bounty POC | Web Penetration Testing Tools

Sunday, October 30, 2016

XSS Filter in Laravel Framework Part 1

Pren Host Blog Demo 1:34 PM
Hello
I am Sajibe Kanti
a Web Security Researcher .

today I Will Share a Important Topic in Laravel .


If you are connected with the PHP development world then you must have heard the name Laravel and you know what it is. If you don’t know, Laravel is a modern PHP framework which utilizes modern PHP features and uses some of the existing frameworks’ components to truly awesomely PHP development.

 Back in 2012 I gave Laravel a try out of curiosity and I was amazed by the flexibility, features and easiness it offers. I took another decision to learn it and then to use it on my new projects. Now I have learned Laravel and developed projects using it. I am not leaving development with CodeIgniter, just using both, in fact my current long term work Vegan Cuts is based on CodeIgniter.

 One thing you might miss on Laravel is XSS (Cross-site Scripting) Cleaning/Filtering method for inputs, specially if you have come from CodeIgniter background. I truly understand that its better to do it on output and Laravel has a method HTML::entitieswith a handy shorthand e() (removed in Laravel 4) which converts HTML characters into entities, its almost PHP’s native function htmlentities() (also Blades’s syntax can escape data). But I do prefer filtering/sanitizing both inputs and outputs, I don’t see any reason to allow saving HTML tags in database, also you may accidentally forget to use htmlentities() on your output and it puts you on risk. So I prefer to strip all the tags from input globally and then for a better security use htmlentities() on output.

So how can we do XSS Clean on all the inputs in Laravel? 

I have a solution for you, if you don’t have a library to write common methods you may need frequently then I ask you to create a new library Common in application/library (in case of Laravel 4, create a Common model in app/models). Put this two methods in your Common library/model:

/*
 * Method to strip tags globally.
 */
public static function globalXssClean()
{
    // Recursive cleaning for array [] inputs, not just strings.
    $sanitized = static::arrayStripTags(Input::get());
    Input::merge($sanitized);
}
public static function arrayStripTags($array)
{
    $result = array();
    foreach ($array as $key => $value) {
        // Don't allow tags on key either, maybe useful for dynamic forms.
        $key = strip_tags($key);
        // If the value is an array, we will just recurse back into the
        // function to keep stripping the tags out of the array,
        // otherwise we will set the stripped value.
        if (is_array($value)) {
            $result[$key] = static::arrayStripTags($value);
        } else {
            // I am using strip_tags(), you may use htmlentities(),
            // also I am doing trim() here, you may remove it, if you wish.
            $result[$key] = trim(strip_tags($value));
        }
    }
    return $result;
}
Then put this code in the beginning of your before filter (in application/routes.php, in Laravel 4 it should be in app/filters.php):
1
2
// Our own method to defend XSS attacks globally.
Common::globalXssClean();
 I am using strip_tags(), you may use htmlentities(), also I am doing global trimming here, you may remove it, if you wish. Stripping tags will disable your users to store any HTML tags, if you need your user to write WYSIWYG content then I suggest you to use Markdown and convert it to HTML while doing output, it is the secured way, there are many libraries to help you.

You Can Check Part 2 
http://websecurity247.blogspot.com/2016/10/xss-filter-in-laravel-framework-part-2.html Thanks 
SK

4 comments:

  1. OnpeaksNovember 9, 2019 at 3:32 AM

    Laravel Development Company: ExpressTech Software Solutions offering Custom Laravel Development Services like Laravel RESTful API Development with Integration solution. +91-9806724185 or Contact@expresstechsoftwares.com

    ReplyDelete
  2. Software Development CompanyMarch 10, 2021 at 11:10 PM

    There are so many PHP frameworks but being a PHP developer I always prefer Laravel. This is the best framework for web development. And of course, the rest depends upon the project needs and requirements.
    Hire Laravel Developer for your business at affordable price.

    ReplyDelete
  3. Software Development CompanyMarch 10, 2021 at 11:10 PM

    There are so many PHP frameworks but being a PHP developer I always prefer Laravel. This is the best framework for web development. And of course, the rest depends upon the project needs and requirements.
    Hire Laravel Developer for your business at affordable price.

    ReplyDelete
  4. Extren LabsSeptember 6, 2022 at 11:01 PM

    This comment has been removed by the author.

    ReplyDelete

Subscribe to: Post Comments (Atom)

Recent Posts

Recent Posts Widget

Popular Posts

Contact Form

Name

Email *

Message *