A wrapper of voku/anti-xss for Laravel

Laravel Security

Laravel Security was created by, and is maintained by Graham Campbell, and is a voku/anti-xss wrapper for Laravel, using graham-campbell/security-core. Feel free to check out the change log, releases, security policy, license, code of conduct, and contribution guidelines.




Laravel Security requires PHP 7.2-7.4. This particular version supports Laravel 6-7.

Security L5.1 L5.2 L5.3 L5.4 L5.5 L5.6 L5.7 L5.8 L6 L7

To get the latest version, simply require the project using Composer:

$ composer require graham-campbell/security

Once installed, if you are not using automatic package discovery, then you need to register the GrahamCampbell\Security\SecurityServiceProvider service provider in your config/app.php.

You can also optionally alias our facade:

        'Security' => GrahamCampbell\Security\Facades\Security::class,


Laravel Security supports optional configuration.

To get started, you'll need to publish all vendor assets:

$ php artisan vendor:publish

This will create a config/security.php file in your app that you can modify to set your configuration. Also, make sure you check for changes to the original config file in this package between releases.

There are two config options:

Evil attributes

This option ('evil') defines the evil attributes, which will always be stripped from the input.

Replacement string

This option ('replacement') defines the replacement string, which will be used to take the place of removed portions of strings where XSS was present.



The Security class is the class of most interest. It is bound to the IoC container as 'security' and can be accessed using the Facades\Security facade. There is one public method of interest.

The 'clean' method will parse a string removing XSS vulnerabilities, on a best effort basis.


The Facades\Security facade will dynamically pass static method calls to the 'security' object in the IoC container, which by default is the Security class.


The SecurityServiceProvider class contains no public methods of interest. It should be added to the providers array in config/app.php, and it sets up the IoC bindings.
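One way to apply the 'clean' method described above to every incoming request is a small middleware. This is an added example, not code from the package: the class name CleanInput, its namespace and the $except list are assumptions made for illustration.

```php
<?php

namespace App\Http\Middleware; // hypothetical location in the application, not in the package

use Closure;
use GrahamCampbell\Security\Facades\Security;
use Illuminate\Http\Request;

class CleanInput // hypothetical middleware name
{
    /**
     * Fields passed through untouched (assumed list). Secrets are hashed or
     * compared, never rendered, so rewriting them would only change the value.
     *
     * @var string[]
     */
    protected $except = ['password', 'password_confirmation'];

    /**
     * Run every string value of the request input through Security::clean().
     *
     * @param \Illuminate\Http\Request $request
     * @param \Closure                 $next
     *
     * @return mixed
     */
    public function handle(Request $request, Closure $next)
    {
        $input = $request->except($this->except);

        // Visit nested input such as items[0][name]; only string leaves are
        // cleaned, so integers, booleans and nulls keep their type.
        array_walk_recursive($input, function (&$value) {
            if (is_string($value)) {
                // Removed portions are replaced with the configured
                // 'replacement' string from config/security.php.
                $value = Security::clean($value);
            }
        });

        // Write the cleaned values back over the originals.
        $request->merge($input);

        return $next($request);
    }
}
```

Because cleaning is on a best effort basis, keep escaping values at output time as well, for example with Blade's `{{ }}` syntax.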

Further Information

You may see an example of implementation in Laravel Binput.


If you discover a security vulnerability within this package, please send an email to Graham Campbell at All security vulnerabilities will be promptly addressed. You may view our full security policy here.


Laravel Security is licensed under The MIT License (MIT).

For Enterprise

Available as part of the Tidelift Subscription

The maintainers of graham-campbell/security and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open source dependencies you use to build your applications. Save time, reduce risk, and improve code health, while paying the maintainers of the exact dependencies you use. Learn more.
