Custom Blade directives to fight against XSS
Blade Escape - fight against XSS

Blade Escape is a service provider that extends Blade with custom directives and lets you use the Laragems\Escape library directly from your templates, picking the escaping routine that matches the context the value is rendered into.

<div style="background-color: @css($color);">
    <label>@text($label)</label>
    <input type="text" name="custom" value="@attr($value)"/>
</div>
<a href="/profile?u=@param($username)">Profile</a>
<button onclick="callMyFunction('@js($username)');">Validate</button>
<script>
    var username = "@js($username)";
</script>

Installation

composer require laravelgems/blade-escape

After that, add the service provider to config/app.php:

    /*
     * Package Service Providers...
     */
    ...
    LaravelGems\BladeEscape\Providers\BladeEscapeServiceProvider::class,
    ...

HTML - @text($variable), safe

<p>@text($resume)</p>
<div>@text($bio)</div>

HTML Attribute - @attr($variable), safe when following rules

The attribute's value must be quoted. Use it only with the following whitelisted attributes: align, alink, alt, bgcolor, border, cellpadding, cellspacing, class, color, cols, colspan, coords, dir, face, height, hspace, ismap, lang, marginheight, marginwidth, multiple, nohref, noresize, noshade, nowrap, ref, rel, rev, rows, rowspan, scrolling, shape, span, summary, tabindex, title, usemap, valign, value, vlink, vspace, width

<input type="text" value="@attr($variable)"/>
<img src="image.png" alt="@attr($variable)"/>

URL Parameter - @param($variable), safe

<a href="search?keyword=@param($variable)">Click Me</a>

JavaScript Parameter - @js($variable), safe when following rules

The value must be quoted. Avoid passing it to dangerous functions (eval and the like); for example, setTimeout("@js($variable)") can be exploited, because the escaped string is then evaluated as code rather than treated as data.

<script>
    var username = "@js($variable)";
</script>
<a href="#" onclick="displayDialog('@js($title)');">Click</a>

CSS - @css($variable), safe when following rules

The value must be surrounded by quotes. Avoid complex properties such as url, behavior and custom ones (-moz-binding). Do not put untrusted data into IE's expression property value.

<style>
    .article { background-color: '@css($color)';}
</style>
<span style="width: '@css($width)';"></span>
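The five contexts above (HTML body, quoted attribute, URL parameter, JavaScript string, CSS value) each need a different encoding, which is why a single `e()` call is not enough. The following is an added example, not the package's or the Laragems\Escape library's own code: plain-PHP escapers with hypothetical names (escapeText, escapeAttr, escapeParam, escapeJs, escapeCss) that follow the OWASP cheat-sheet rules the directives are based on, applied to a constructed hostile input so you can see what each context's output looks like and confirm no metacharacter survives.

```php
<?php
// Added example, not the blade-escape package's own code. The escaper names are
// hypothetical; they illustrate the per-context encoding the directives stand for.
declare(strict_types=1);

// Decode one UTF-8 encoded character into its code point (avoids needing mbstring).
function codePoint(string $char): int
{
    $bytes = array_values(unpack('C*', $char));
    $n = count($bytes);
    if ($n === 1) {
        return $bytes[0];
    }
    $cp = $bytes[0] & (0xFF >> ($n + 1));
    for ($i = 1; $i < $n; $i++) {
        $cp = ($cp << 6) | ($bytes[$i] & 0x3F);
    }
    return $cp;
}

// HTML body: entity-encode &, <, >, " and '. ENT_QUOTES covers both quote styles.
function escapeText(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Quoted HTML attribute: same encoding; the template must still wrap the value in quotes.
function escapeAttr(string $value): string
{
    return escapeText($value);
}

// URL query parameter: percent-encode everything except unreserved characters, so
// "&", "=", quotes and a "javascript:" prefix cannot change the URL or the attribute.
function escapeParam(string $value): string
{
    return rawurlencode($value);
}

// JavaScript string literal: every non-alphanumeric ASCII char becomes \xHH, anything
// else \uHHHH. This neutralises quotes, newlines and "</script>" whatever the quoting.
function escapeJs(string $value): string
{
    return preg_replace_callback('/[^A-Za-z0-9]/u', function (array $m): string {
        $cp = codePoint($m[0]);
        if ($cp < 0x80) {
            return sprintf('\\x%02X', $cp);
        }
        if ($cp <= 0xFFFF) {
            return sprintf('\\u%04X', $cp);
        }
        $cp -= 0x10000; // astral plane: emit a surrogate pair
        return sprintf('\\u%04X\\u%04X', 0xD800 + ($cp >> 10), 0xDC00 + ($cp & 0x3FF));
    }, $value);
}

// CSS value: non-alphanumerics become \HH followed by a space, which terminates the
// hex escape unambiguously. Only meaningful inside a simple, quoted property value.
function escapeCss(string $value): string
{
    return preg_replace_callback('/[^A-Za-z0-9]/u', function (array $m): string {
        return sprintf('\\%X ', codePoint($m[0]));
    }, $value);
}

// Constructed hostile input: tries to close the tag, break out of quotes and
// smuggle a javascript: URL.
$payload = '"><script>alert(1)</script>\'; javascript:alert(2)';

$escaped = [
    'text'  => escapeText($payload),
    'attr'  => escapeAttr($payload),
    'param' => escapeParam($payload),
    'js'    => escapeJs($payload),
    'css'   => escapeCss($payload),
];

// Each output placed where the matching directive would be used in a template.
$rendered = [
    'text'  => '<p>' . $escaped['text'] . '</p>',
    'attr'  => '<input type="text" value="' . $escaped['attr'] . '"/>',
    'param' => '<a href="/profile?u=' . $escaped['param'] . '">Profile</a>',
    'js'    => '<script>var username = "' . $escaped['js'] . '";</script>',
    'css'   => '<span style="width: \'' . $escaped['css'] . '\';"></span>',
];

foreach ($rendered as $context => $html) {
    echo str_pad($context, 6), $html, PHP_EOL;
}

// Check: no raw <, >, " or ' survives in any escaped value, so the value can never
// terminate the tag, attribute, string literal or CSS declaration around it.
foreach ($escaped as $context => $out) {
    if (strpbrk($out, '<>"\'') !== false) {
        throw new RuntimeException("$context escaper leaked a metacharacter: $out");
    }
}
echo "all contexts safe", PHP_EOL;
```

Run it with `php escape-demo.php` (any PHP 7.1+ without extra extensions). The rule to take from it is the same one the directive names encode: the escaper is chosen by where the value lands in the output, not by where it came from, and the surrounding quotes in the template are part of the contract.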

Must read: OWASP XSS Prevention Cheat Sheet

Don't like the names of the directives? Just change them in the published config.
