A wrapper of voku/anti-xss for Laravel

Overview

Laravel Security

Laravel Security was created by, and is maintained by Graham Campbell, and is a voku/anti-xss wrapper for Laravel, using graham-campbell/security-core. Feel free to check out the change log, releases, security policy, license, code of conduct, and contribution guidelines.

Banner

Build Status StyleCI Status Software License Packagist Downloads Latest Version

Installation

Laravel Security requires PHP 7.2-8.1. This particular version supports Laravel 6-9.

Security L5.1 L5.2 L5.3 L5.4 L5.5 L5.6 L5.7 L5.8 L6 L7 L8 L9
3.7
4.0
5.1
6.2
7.1
8.0
9.1

To get the latest version, simply require the project using Composer:

$ composer require "graham-campbell/security:^9.1"

Once installed, if you are not using automatic package discovery, then you need to register the GrahamCampbell\Security\SecurityServiceProvider service provider in your config/app.php.

You can also optionally alias our facade:

        'Security' => GrahamCampbell\Security\Facades\Security::class,

Configuration

Laravel Security supports optional configuration.

To get started, you'll need to publish all vendor assets:

$ php artisan vendor:publish

This will create a config/security.php file in your app that you can modify to set your configuration. Also, make sure you check for changes to the original config file in this package between releases.

There are two config options:

Evil configuration

This option ('evil') defines the evil attributes and tags, which will always be stripped from the input.

Replacement string

This option ('replacement') defines the replacement string, which will be used to take the place of removed portions of strings where XSS was present.

Usage

Security

This is the class of most interest. It is bound to the ioc container as 'security' and can be accessed using the Facades\Security facade. There is one public method of interest.

The 'clean' method will parse a string removing XSS vulnerabilities, on a best effort basis.

Facades\Security

This facade will dynamically pass static method calls to the 'security' object in the ioc container which by default is the Security class.

SecurityServiceProvider

This class contains no public methods of interest. This class should be added to the providers array in config/app.php. This class will setup ioc bindings.

Further Information

You may see an example of implementation in Laravel Binput.

Security

If you discover a security vulnerability within this package, please send an email to [email protected]. All security vulnerabilities will be promptly addressed. You may view our full security policy here.

License

Laravel Security is licensed under The MIT License (MIT).

For Enterprise

Available as part of the Tidelift Subscription

The maintainers of graham-campbell/security and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open source dependencies you use to build your applications. Save time, reduce risk, and improve code health, while paying the maintainers of the exact dependencies you use. Learn more.

Comments
  • Vulnerabilities And Demo

    Vulnerabilities And Demo

    Hi,

    Recently, I worked with CodeIgniter's guys and we have added some changes in the CodeIgniter's xss_clean function. I found some bypasses and support has been added plus addition of some new naughty elements.

    The details can be found here: https://github.com/EllisLab/CodeIgniter/issues/2667

    Would you also please upgrade this Laravel-Security port? Thanks!

    bug priority 
    opened by soaj1664 95
  • [Proposal] Support For Other Encodings Besides UF8

    [Proposal] Support For Other Encodings Besides UF8

    It won't save a copy pasted doc it just saves blank I have to convert to utf8 for it to save, thus stripping most of the formatting. Let me know if I could help any further.

    bug enhancement 
    opened by ericmuigai 24
  • Evil attributes customization.

    Evil attributes customization.

    This change allows definition of which attributes should be considered evil and which not.

    You have to publish configuration file in order to customize tag list.

    enhancement 
    opened by is-ma-el 6
  • please show example of usage

    please show example of usage

    dear @GrahamCampbell i install package with composer , do it automatically add xss security in my app ? or need aditional work ? composer require graham-campbell/security

    opened by vahidalvandi 5
  • using percentages in text breaks the clean method

    using percentages in text breaks the clean method

    Hi Graham,

    I've noticed that something seems to be broken with the parsing of % signs in text. I think this bug was introduced the last time you synced your package with codeIgniter.

    Input: 100% received Expected: 100% received Actual: 100%received

    Input: 100% better Expected: 100% better Actual: 100¾tter

    It seems that because on line 103 spaces are removed from the input when a % sign is present in the string, 100% better => the urlDecodeSpaces method receives % be, and this gets converted to %be, and then converted by rawurldecode to ¾

    I'm not sure what this part of the code is actually supposed to be doing so sadly I can't think of any way to fix it short of commenting it out.

    opened by Zae 3
  • Question/Enhancement: Allow NULL value in Security::process()

    Question/Enhancement: Allow NULL value in Security::process()

    Argument 1 passed to GrahamCampbellSecuritySecurity::process() must be of the type string, null given, called in /var/www/umb2b/vendor/graham-campbell/security/src/Security.php on line 82 The middleware Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull (Laravel 5.5) converts empty strings to NULL values. This forces you to define (sometimes messy) exceptions using Request::except() in order to use Security::*. Is there a need for the type-hint string in process()?

    opened by lftbrts 3
  • I get the error.

    I get the error.

    Symfony\Component\Debug\Exception\FatalErrorException …/­vendor/­graham-campbell/­security/­src/­GrahamCampbell/­Security/­Classes/­Security.php106

    syntax error, unexpected ')'

    php version: 5.4.17.

    Please fix it .

    opened by crossmaya 3
  • Incorrect behaviour, if no config provided

    Incorrect behaviour, if no config provided

    PHP version: 8.0.9

    Description If the project doesn't have a security config, false positives are happening in some cases. For example the string 'attribute1 <= 1 and attribute2 = 2' becomes 'attribute1 <= 1 and attribute2 '

    How to reproduce If the project doesn't have a security config, then a value from vendor/graham-campbell/security/config/security.php:26 is used. A small example, which emulates this situation.

            $query = 'attribute1 <= 1 and attribute2 = 2';
            $security = Security::create([
                'attributes' => null,
                'tags'       => null,
            ]);
            $cleanQuery= $security->clean($query);
    
            var_dump(html_entity_decode($cleanQuery));  // string(31) "attribute1 <= 1 and attribute2 "
            var_dump($query === html_entity_decode($cleanQuery));  // bool(false)
    
    opened by abelharisov 2
  • Package usage

    Package usage

    Hi,

    I don't understand how to use this package. i have installed, but i don't know where to use security facade, website link not working https://gjcampbell.co.uk/

    Please guide me how to use this package.

    Thanks,

    opened by Nagraj137 2
  • Update package to support Laravel 5.6

    Update package to support Laravel 5.6

    • Update Travis conf to add tests for versions 7.1 and 7.2 of PHP
    • Update README
    • Update Laravel version in composer conf
    • Update PHPUnit in composer conf to support 6.5 and 7.0
    opened by XavRsl 2
  • PHP 5.4

    PHP 5.4

    Hello Graham,

    I am trying to use your class under php 5.4, but i see in the composer.json file that you require php 5.5

    Is php 5.5 really necessary as requirement?

    I cannot install the lib with php 5.4. It gives me the following error on composer install

      Problem 1
        - graham-campbell/security v3.1.0 requires php >=5.5.9 -> your PHP version (5.4.22) does not satisfy that requirement.
        - graham-campbell/security 3.1.x-dev requires php >=5.5.9 -> your PHP version (5.4.22) does not satisfy that requirement.
        - Installation request for graham-campbell/security ~3.1 -> satisfiable by graham-campbell/security[3.1.x-dev, v3.1.0].
    

    I manually downloaded the Security.php file from https://github.com/GrahamCampbell/Laravel-Security/blob/master/src/Security.php and its working fine on php 5.4

    If php 5.5 is not really required, can you reduce the version to 5.4, so i can include this as dependency in my composer.json

    Cheers :)

    opened by peter-mw 2
Releases(v10.0.0)
Owner
Graham Campbell
OSS Maintainer | Laravel Core | StyleCI
Graham Campbell
A Laravel Wrapper for the CoinDCX API. Now easily connect and consume the CoinDCX Public API in your Laravel apps without any hassle.

This package provides a Laravel Wrapper for the CoinDCX API and allows you to easily communicate with it. Important Note This package is in early deve

Moinuddin S. Khaja 2 Feb 16, 2022
A CommonMark wrapper for Laravel

Laravel Markdown Laravel Markdown was created by, and is maintained by Graham Campbell, and is a CommonMark wrapper for Laravel. It ships with integra

Graham Campbell 1.2k Jan 2, 2023
Laravel wrapper package for the Aimon.it API

Laravel Aimon Package A laravel wrapper package for the Aimon.it API. For more information see Aimon Requirements Laravel 6 or later Installation Inst

Ruslan 3 Aug 7, 2022
PayuMoney Gateway wrapper for Laravel.

PayuMoney Integration with Laravel Easy to use integration for PayUMoney into Laravel apps. Video Tutorial Usage composer require infyomlabs/laravel-p

InfyOmLabs (InfyOm Technologies) 10 Nov 29, 2022
A Laravel wrapper for spatie/dns. Allows to query and validate DNS records.

A Laravel wrapper for spatie/dns. Allows to query and validate DNS records.

Astrotomic 22 Nov 17, 2022
Laravel API wrapper to interact fluently with your Janus Media Server

Laravel API wrapper to interact fluently with your Janus Media Server. Core server interactions, as well as the video room plugin included.

Richard  Tippin 11 Aug 21, 2022
A laravel wrapper for BnpParibas Mercanet payment gateway

Laravel Mercanet A laravel wrapper for BnpParibas Mercanet which provide a lightweight public api to process your online payments from your laravel ap

Mouad ZIANI 29 Nov 27, 2022
Open Food Facts API wrapper for Laravel

Laravel Open Food Facts API This package provides a convenient wrapper to the Open Food Facts API for Laravel applications (5.7+). Installation You ca

Open Food Facts 112 Jan 4, 2023
a Google API v3 wrapper for Laravel 4.x

A Google API v3 wrapper for Laravel 4 This package enables a Laravel flavoured way to manage Google services through its API interface (v3) Installati

null 4 Nov 29, 2022
27Laracurl Laravel wrapper package for PHP cURL class that provides OOP interface to cURL. [10/27/2015] View Details

Laracurl Laravel cURL Wrapper for Andreas Lutro's OOP cURL Class Installation To install the package, simply add the following to your Laravel install

zjango 8 Sep 9, 2018
Laravel wrapper for Sentry Official API

Laravel Sentry API Provides a simple laravel wrapper to some of the endpoints listed on (Official Sentry API)[https://docs.sentry.io/api/]. **Note: Th

Pedro Santiago 1 Nov 1, 2021
A wrapper package to run mysqldump from laravel console commands.

A wrapper package to run mysqldump from laravel console commands.

Yada Khov 24 Jun 24, 2022
Laravel wrapper for the Gmail API

Laravel Gmail Gmail Gmail API for Laravel 8 You need to create an application in the Google Console. Guidance here. if you need Laravel 5 compatibilit

Daniel Castro 244 Jan 3, 2023
Simple and ready to use API response wrapper for Laravel.

Laravel API Response Simple Laravel API response wrapper. Installation Install the package through composer: $ composer require obiefy/api-response Re

Obay Hamed 155 Dec 14, 2022
Laravel wrapper for zendesk/zendesk_api_client_php package.

Laravel Zendesk This package provides integration with the Zendesk API. It supports creating tickets, retrieving and updating tickets, deleting ticket

Huddle Digital 97 Dec 22, 2022
A DOMPDF Wrapper for Laravel

DOMPDF Wrapper for Laravel Laravel wrapper for Dompdf HTML to PDF Converter Require this package in your composer.json and update composer. This will

Barry vd. Heuvel 5.6k Dec 25, 2022
A Laravel wrapper for apex charts

Larapex Charts A Laravel wrapper for apex charts library Check the documentation on: Larapex Chart Docs. Installation Use composer. composer require a

ArielMejiaDev 189 Dec 26, 2022
Laravel SoapClient Wrapper

Laravel SoapClient Wrapper A SoapClient wrapper integration for Laravel. Makes it easy to use Soap in a Laravel application. Please report any bugs or

Michael v/d Rijt 618 Dec 12, 2022
A Laravel wrapper for healthchecks.io

Healthchecks.io is a service that monitors your cron jobs and alerts you when they are down. This package is a wrapper for the Healthchecks.io API.

Robin Martijn 4 Nov 7, 2022