Skip to content

GrahamCampbell/Laravel-Security

Repository files navigation

Laravel Security

Laravel Security was created by, and is maintained by Graham Campbell, and is a voku/anti-xss wrapper for Laravel, using graham-campbell/security-core. Feel free to check out the change log, releases, security policy, license, code of conduct, and contribution guidelines.

Banner

Build Status StyleCI Status Software License Packagist Downloads Latest Version

Installation

This version requires PHP 8.0-8.3 and supports Laravel 9-11.

Security L5.5 L5.6 L5.7 L5.8 L6 L7 L8 L9 L10 L11
5.1
6.2
7.1
8.0
9.1
10.0
11.2

To get the latest version, simply require the project using Composer:

$ composer require "graham-campbell/security:^11.2"

Once installed, if you are not using automatic package discovery, then you need to register the GrahamCampbell\Security\SecurityServiceProvider service provider in your config/app.php.

You can also optionally alias our facade:

        'Security' => GrahamCampbell\Security\Facades\Security::class,

Configuration

Laravel Security supports optional configuration.

To get started, you'll need to publish all vendor assets:

$ php artisan vendor:publish

This will create a config/security.php file in your app that you can modify to set your configuration. Also, make sure you check for changes to the original config file in this package between releases.

There are two config options:

Evil configuration

This option ('evil') defines the evil attributes and tags, which will always be stripped from the input.

Replacement string

This option ('replacement') defines the replacement string, which will be used to take the place of removed portions of strings where XSS was present.

Usage

Security

This is the class of most interest. It is bound to the ioc container as 'security' and can be accessed using the Facades\Security facade. There is one public method of interest.

The 'clean' method will parse a string removing XSS vulnerabilities, on a best effort basis.

Facades\Security

This facade will dynamically pass static method calls to the 'security' object in the ioc container which by default is the Security class.

SecurityServiceProvider

This class contains no public methods of interest. This class should be added to the providers array in config/app.php. This class will setup ioc bindings.

Further Information

You may see an example of implementation in Laravel Binput.

Security

If you discover a security vulnerability within this package, please send an email to security@tidelift.com. All security vulnerabilities will be promptly addressed. You may view our full security policy here.

License

Laravel Security is licensed under The MIT License (MIT).

For Enterprise

Available as part of the Tidelift Subscription

The maintainers of graham-campbell/security and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open source dependencies you use to build your applications. Save time, reduce risk, and improve code health, while paying the maintainers of the exact dependencies you use. Learn more.