Laravel Security was created by, and is maintained by Graham Campbell, and is a voku/anti-xss wrapper for Laravel, using graham-campbell/security-core

Laravel Security

Laravel Security was created by, and is maintained by Graham Campbell, and is a voku/anti-xss wrapper for Laravel, using graham-campbell/security-core. Feel free to check out the change log, releases, security policy, license, code of conduct, and contribution guidelines.

Installation

Laravel Security requires PHP 7.2-8.1. This particular version supports Laravel 6-8.

Security L5.1 L5.2 L5.3 L5.4 L5.5 L5.6 L5.7 L5.8 L6 L7 L8
3.7
4.0
5.1
6.2
7.1
8.0
9.0

To get the latest version, simply require the project using Composer:

$ composer require "graham-campbell/security:^9.0"

Once installed, if you are not using automatic package discovery, then you need to register the GrahamCampbell\Security\SecurityServiceProvider service provider in your config/app.php.

You can also optionally alias our facade:

        'Security' => GrahamCampbell\Security\Facades\Security::class,

Configuration

Laravel Security supports optional configuration.

To get started, you'll need to publish all vendor assets:

$ php artisan vendor:publish

This will create a config/security.php file in your app that you can modify to set your configuration. Also, make sure you check for changes to the original config file in this package between releases.

There are two config options:

Evil configuration

This option ('evil') defines the evil attributes and tags, which will always be stripped from the input.

Replacement string

This option ('replacement') defines the replacement string, which will be used to take the place of removed portions of strings where XSS was present.
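A filled-in config/security.php, as an added example rather than the file the package publishes: the key layout (an 'evil' array holding 'attributes' and 'tags' lists, plus a top-level 'replacement' string) follows the two options above and the Security::create() reproduction in the issues below; the entries listed are illustrative, and the note that attribute names are matched as regular-expression fragments is an assumption about the underlying voku/anti-xss library. Compare it with the published vendor file after each upgrade, as the Configuration section advises.

```php
<?php

// config/security.php (added example; not the package's shipped file).
// Key layout assumed from the README's two options and the issue
// reproduction below: 'evil' carries an 'attributes' and a 'tags' list.

return [
    // Attributes and tags that are always stripped, whatever the context.
    // Entries are assumed to be used as regular-expression fragments by
    // voku/anti-xss, so 'on\w*' covers every inline event handler.
    'evil' => [
        'attributes' => ['on\w*', 'style', 'formaction', 'form', 'xlink:href'],
        'tags'       => ['script', 'iframe', 'object', 'embed', 'applet', 'meta', 'base'],
    ],

    // Text substituted for each removed fragment. An empty string removes
    // silently; a visible marker such as '[removed]' makes tampered input
    // easy to spot when cleaned values are logged or reviewed.
    'replacement' => '',
];
```

Leaving 'attributes' or 'tags' as null falls back to the package defaults, which is the situation described in the "Incorrect behaviour, if no config provided" issue below; publishing the file and setting both lists explicitly keeps the stripping rules under your own version control.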

Usage

Security

This is the class of most interest. It is bound to the IoC container as 'security' and can be accessed using the Facades\Security facade. There is one public method of interest.

The 'clean' method will parse a string, removing XSS vulnerabilities on a best-effort basis.

Facades\Security

This facade will dynamically pass static method calls to the 'security' object in the IoC container, which by default is the Security class.

SecurityServiceProvider

This class contains no public methods of interest. It should be added to the providers array in config/app.php, and it sets up the IoC bindings.
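One way to apply the 'clean' method to incoming requests, as an added example that is not part of this package: a Laravel middleware that passes every string field of the request through the facade and leaves non-strings alone (Laravel's ConvertEmptyStringsToNull middleware turns empty fields into null, and clean() takes a string, a combination raised in the issues below). The class name, the passthrough list and the choice to clean at the middleware layer are this example's own assumptions; the 'security' binding and clean() are the ones described above.

```php
<?php

// Added example (not from the package): an HTTP middleware that runs the
// package's clean() over every string field of the incoming request.
// Assumes the 'security' container binding and clean() described above;
// the class name and the passthrough list are this example's own choices.

namespace App\Http\Middleware;

use Closure;
use GrahamCampbell\Security\Facades\Security;
use Illuminate\Http\Request;

class SanitiseInput
{
    // Fields that legitimately carry markup (e.g. a rich-text editor body)
    // and are handled by output escaping instead. Constructed list.
    private array $passthrough = ['body_html'];

    public function handle(Request $request, Closure $next)
    {
        // merge() overwrites the cleaned keys in place on the request.
        $request->merge($this->cleanArray($request->all()));

        return $next($request);
    }

    // Recurse into nested input; only strings are passed to clean().
    // ConvertEmptyStringsToNull turns '' into null, and clean() is typed
    // string, so nulls, ints and uploaded files are returned untouched.
    private function cleanArray(array $input): array
    {
        foreach ($input as $key => $value) {
            if (in_array($key, $this->passthrough, true)) {
                continue;
            }
            if (is_array($value)) {
                $input[$key] = $this->cleanArray($value);
            } elseif (is_string($value)) {
                $input[$key] = Security::clean($value);
            }
        }

        return $input;
    }
}
```

Register the class in the middleware stack (for Laravel 6-8, the 'web' group in app/Http/Kernel.php). For a single value, Security::clean($request->input('comment')) or app('security')->clean(...) does the same thing. Because the cleaning is best effort, as the README says, output escaping (Blade's {{ }} syntax) remains the primary XSS control; this middleware reduces what reaches storage, it does not replace escaping at render time.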

Further Information

You may see an example of implementation in Laravel Binput.

Security

If you discover a security vulnerability within this package, please send an email to [email protected]. All security vulnerabilities will be promptly addressed. You may view our full security policy here.

License

Laravel Security is licensed under The MIT License (MIT).

For Enterprise

Available as part of the Tidelift Subscription

The maintainers of graham-campbell/security and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open source dependencies you use to build your applications. Save time, reduce risk, and improve code health, while paying the maintainers of the exact dependencies you use. Learn more.

Comments
  • Vulnerabilities And Demo

    Hi,

    Recently I worked with the CodeIgniter guys and we added some changes to CodeIgniter's xss_clean function. I found some bypasses, and support has been added, plus the addition of some new naughty elements.

    The details can be found here: https://github.com/EllisLab/CodeIgniter/issues/2667

    Would you also please upgrade this Laravel-Security port? Thanks!

    bug priority 
    opened by soaj1664 95
  • [Proposal] Support For Other Encodings Besides UTF8

    It won't save a copy-pasted doc; it just saves blank. I have to convert to UTF-8 for it to save, thus stripping most of the formatting. Let me know if I could help any further.

    bug enhancement 
    opened by ericmuigai 24
  • Evil attributes customization.

    This change allows definition of which attributes should be considered evil and which not.

    You have to publish configuration file in order to customize tag list.

    enhancement 
    opened by is-ma-el 6
  • please show example of usage

    Dear @GrahamCampbell, I installed the package with Composer. Does it automatically add XSS security to my app, or is additional work needed? composer require graham-campbell/security

    opened by vahidalvandi 5
  • using percentages in text breaks the clean method

    Hi Graham,

    I've noticed that something seems to be broken with the parsing of % signs in text. I think this bug was introduced the last time you synced your package with CodeIgniter.

    Input: 100% received
    Expected: 100% received
    Actual: 100%received

    Input: 100% better
    Expected: 100% better
    Actual: 100¾tter

    It seems that because on line 103 spaces are removed from the input when a % sign is present in the string, for "100% better" the urlDecodeSpaces method receives "% be", which gets converted to "%be" and then converted by rawurldecode to "¾".

    I'm not sure what this part of the code is actually supposed to be doing so sadly I can't think of any way to fix it short of commenting it out.

    opened by Zae 3
  • Question/Enhancement: Allow NULL value in Security::process()

    Argument 1 passed to GrahamCampbell\Security\Security::process() must be of the type string, null given, called in /var/www/umb2b/vendor/graham-campbell/security/src/Security.php on line 82

    The middleware Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull (Laravel 5.5) converts empty strings to NULL values. This forces you to define (sometimes messy) exceptions using Request::except() in order to use Security::*. Is there a need for the type-hint string in process()?

    opened by lftbrts 3
  • I get the error.

    Symfony\Component\Debug\Exception\FatalErrorException …/vendor/graham-campbell/security/src/GrahamCampbell/Security/Classes/Security.php (line 106)

    syntax error, unexpected ')'

    PHP version: 5.4.17.

    Please fix it.

    opened by crossmaya 3
  • Incorrect behaviour, if no config provided

    PHP version: 8.0.9

    Description: If the project doesn't have a security config, false positives are happening in some cases. For example the string 'attribute1 <= 1 and attribute2 = 2' becomes 'attribute1 <= 1 and attribute2 '

    How to reproduce: If the project doesn't have a security config, then a value from vendor/graham-campbell/security/config/security.php:26 is used. A small example, which emulates this situation:

            <?php

            use GrahamCampbell\Security\Security;

            $query = 'attribute1 <= 1 and attribute2 = 2';

            // Emulates a project without a published security config:
            // both evil lists are null, so the vendor defaults apply.
            $security = Security::create([
                'attributes' => null,
                'tags'       => null,
            ]);
            $cleanQuery = $security->clean($query);

            var_dump(html_entity_decode($cleanQuery));  // string(31) "attribute1 <= 1 and attribute2 "
            var_dump($query === html_entity_decode($cleanQuery));  // bool(false)

    opened by abelharisov 2
  • Package usage

    Hi,

    I don't understand how to use this package. I have installed it, but I don't know where to use the Security facade, and the website link is not working: https://gjcampbell.co.uk/

    Please guide me on how to use this package.

    Thanks,

    opened by Nagraj137 2
  • Update package to support Laravel 5.6

    • Update Travis conf to add tests for versions 7.1 and 7.2 of PHP
    • Update README
    • Update Laravel version in composer conf
    • Update PHPUnit in composer conf to support 6.5 and 7.0
    opened by XavRsl 2
  • PHP 5.4

    Hello Graham,

    I am trying to use your class under PHP 5.4, but I see in the composer.json file that you require PHP 5.5.

    Is PHP 5.5 really necessary as a requirement?

    I cannot install the lib with PHP 5.4. It gives me the following error on composer install:

      Problem 1
        - graham-campbell/security v3.1.0 requires php >=5.5.9 -> your PHP version (5.4.22) does not satisfy that requirement.
        - graham-campbell/security 3.1.x-dev requires php >=5.5.9 -> your PHP version (5.4.22) does not satisfy that requirement.
        - Installation request for graham-campbell/security ~3.1 -> satisfiable by graham-campbell/security[3.1.x-dev, v3.1.0].
    

    I manually downloaded the Security.php file from https://github.com/GrahamCampbell/Laravel-Security/blob/master/src/Security.php and it's working fine on PHP 5.4.

    If PHP 5.5 is not really required, can you reduce the version to 5.4, so I can include this as a dependency in my composer.json?

    Cheers :)

    opened by peter-mw 2
Releases: v10.0.0

Owner: Graham Campbell (OSS Maintainer | Laravel | StyleCI)