Laravel Security was created by, and is maintained by Graham Campbell, and is a voku/anti-xss wrapper for Laravel, using graham-campbell/security-core. Feel free to check out the change log, releases, security policy, license, code of conduct, and contribution guidelines.
This version requires PHP 8.0-8.3 and supports Laravel 9-11.
Security | L5.5 | L5.6 | L5.7 | L5.8 | L6 | L7 | L8 | L9 | L10 | L11 |
---|---|---|---|---|---|---|---|---|---|---|
5.1 | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
6.2 | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
7.1 | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
8.0 | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
9.1 | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
10.0 | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ |
11.2 | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ |
To get the latest version, simply require the project using Composer:
$ composer require "graham-campbell/security:^11.2"
Once installed, if you are not using automatic package discovery, then you need to register the GrahamCampbell\Security\SecurityServiceProvider
service provider in your config/app.php
.
You can also optionally alias our facade:
'Security' => GrahamCampbell\Security\Facades\Security::class,
Laravel Security supports optional configuration.
To get started, you'll need to publish all vendor assets:
$ php artisan vendor:publish
This will create a config/security.php
file in your app that you can modify to set your configuration. Also, make sure you check for changes to the original config file in this package between releases.
There are two config options:
This option ('evil'
) defines the evil attributes and tags, which will always be stripped from the input.
This option ('replacement'
) defines the replacement string, which will be used to take the place of removed portions of strings where XSS was present.
This is the class of most interest. It is bound to the ioc container as 'security'
and can be accessed using the Facades\Security
facade. There is one public method of interest.
The 'clean'
method will parse a string removing XSS vulnerabilities, on a best effort basis.
This facade will dynamically pass static method calls to the 'security'
object in the ioc container which by default is the Security
class.
This class contains no public methods of interest. This class should be added to the providers array in config/app.php
. This class will setup ioc bindings.
You may see an example of implementation in Laravel Binput.
If you discover a security vulnerability within this package, please send an email to security@tidelift.com. All security vulnerabilities will be promptly addressed. You may view our full security policy here.
Laravel Security is licensed under The MIT License (MIT).
Available as part of the Tidelift Subscription
The maintainers of graham-campbell/security
and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open source dependencies you use to build your applications. Save time, reduce risk, and improve code health, while paying the maintainers of the exact dependencies you use. Learn more.