Quickly and easily secure HTML text.

Larasane

Quickly sanitize text into safe-HTML using fluid methods.

Requirements

  • PHP 7.4, 8.0 or later.
  • Laravel 7.x, 8.x or later.

Installation

Just fire up Composer:

composer require darkghosthunter/larasane

And that's it.

Usage

After you receive the HTML input you want to sanitize, use the Sanitizer facade to do it.


use DarkGhostHunter\Larasane\Facades\Sanitizer;

$input = 'Trust  me!';

echo Sanitizer::input($input)->sanitize($input); // "Trust me!"

The sanitizer has a bunch of fluid methods you can chain to allow or disallow tags and attributes, and links.

By default, Larasane cleans everything except the most basic tags: a, b, br, blockquote, div, del, em, figcaption, figure, h1, h2, h3, h4, h5, h6, i, p, q, small, span, strong, sub, sup.

You can enable more tags by enabling each of the included extensions, or create your own.

If you need to strip all tags from a string, use strip_tags() instead.

Configuration

Larasane works out of the box, stripping any tag that is not in the basic set, but you can change the defaults by publishing the config file.

php artisan vendor:publish --provider="DarkGhostHunter\Larasane\LarasaneServiceProvider" --tag="config"

You will receive the config/larasane.php file with the following contents.

<?php

return [
    'max_length' => 1000,
    'allow_code' => [
        'basic',
    ],
    'security' => [
        'enforced_domains' => null,
        'enforce_https' => null,
        'image_data'    => false,
        'allow_mailto'  => false,
    ],
    'tags' => [
        'div' => 'class',
        'img' => ['src', 'alt', 'title', 'class'],
        'a' => ['class', 'target'],
        'ul' => 'class',
        'ol' => 'class',
        'li' => 'class',
    ]
];

Max Length

return [
    'max_length' => 1000,
];

Inputs to sanitize are truncated at the configured maximum length. You can change it globally in the config file, or per sanitization:

$sanitized = Sanitizer::for($input)->maxLength(200);

Code allowed

return [
    'allow_code' => [
        'basic', /* 'list', 'table', 'image', 'code', 'iframe', 'details', 'extra' */
    ],
];

The groups of tags to allow in an HTML input. They are grouped by extension name, and only the basic HTML tags are allowed by default. You can override the list on a per-sanitization basis:

$sanitized = Sanitizer::for($input)->allowCode('basic', 'list', 'table');

If you need to accept custom tags, you should create an extension to handle them.
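The per-sanitization overrides from the Max Length and Code allowed sections combined into one policy, as an added example that is not part of the Larasane README: a controller that keeps the config defaults for the whole app but tightens or relaxes them per input type. The CommentController class, its route handlers and the trailing sanitize($body) call (written as in the usage example above) are illustrative assumptions.

```php
<?php
// Added example, not Larasane's own code. Assumed: CommentController and its
// two handlers; the chain ends in sanitize($body) as the usage example shows.

namespace App\Http\Controllers;

use DarkGhostHunter\Larasane\Facades\Sanitizer;
use Illuminate\Http\Request;

class CommentController extends Controller
{
    // Untrusted, short user comments: basic tags only and a hard length cap.
    // Both calls override config/larasane.php for this sanitization only.
    public function storeComment(Request $request): string
    {
        $body = (string) $request->input('body', '');

        return Sanitizer::for($body)
            ->allowCode('basic')   // config 'allow_code' ignored for this call
            ->maxLength(500)       // config 'max_length' (1000) ignored here
            ->sanitize($body);     // returns safe-HTML limited to basic tags
    }

    // Editor-authored articles: lists and tables are legitimate content, so
    // enable those extensions and allow a larger input before truncation.
    public function storeArticle(Request $request): string
    {
        $body = (string) $request->input('body', '');

        return Sanitizer::for($body)
            ->allowCode('basic', 'list', 'table')
            ->maxLength(20000)
            ->sanitize($body);
    }
}
```

Keeping the config defaults strict and widening them only in the handler that needs richer markup means a new endpoint that forgets to call allowCode() falls back to basic tags rather than to the broadest set.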

Security

return [
    'security' => [
        'enforce_hosts' => null,
        'enforce_https' => null,
        'image_data'    => false,
        'allow_mailto'  => false,
    ],
];

This groups some security features for handling links in , and