Merge pull request #7 from laravel-shift/l11-compatibility

Laravel 11.x Compatibility

.github/workflows/run-tests.yml

@@ -2,23 +2,28 @@ name: run-tests
 
 on:
   push:
-    branches: [main]
+    branches:
+      - main
   pull_request:
-    branches: [main]
+    branches:
+      - main
 
 jobs:
   test:
     runs-on: ${{ matrix.os }}
+
     strategy:
       fail-fast: true
       matrix:
         os: [ubuntu-latest]
-        php: [8.3, 8.2, 8.1]
-        laravel: [10.*]
+        php: [8.3, 8.2]
+        laravel: ["10.*", "11.*"]
         stability: [prefer-lowest, prefer-stable]
         include:
           - laravel: 10.*
             testbench: ^8.0
+          - laravel: 11.*
+            testbench: ^9.0
 
     name: P${{ matrix.php }} - L${{ matrix.laravel }} - ${{ matrix.stability }} - ${{ matrix.os }}
 

README.md

@@ -6,8 +6,8 @@
 
 Laravel Middleware to protect your app against Cross-site scripting (XSS). It sanitizes request input by utilising the [Laravel Security](https://github.com/GrahamCampbell/Laravel-Security) package, and it can sanatize [Blade echo statements](https://laravel.com/docs/8.x/blade#displaying-data) as well.
 
-* PHP 8.1 and higher
-* Laravel 10
+* PHP 8.2 and higher
+* Laravel 10 and higher
 
 ## Sponsor this package!
 
@@ -108,6 +108,21 @@ Event::listen(function (MaliciousInputFound $event) {
 });
 ```
 
+### Additional configuration for `voku/anti-xss`
+
+As of version 1.6.0, you may provide additional configuration for the `voku/anti-xss` package. You may do this by filling the `middleware.anti_xss` key. This is similar to the [Laravel Security](https://github.com/GrahamCampbell/Laravel-Security) package, which this package used to rely on.
+
+```php
+'anti_xss' => [
+    'evil' => [
+        'attributes' => ['href'],
+        'tags' => ['video'],
+    ],
+
+    'replacement' => '*redacted*',
+]
+```
+
 ## Changelog
 
 Please see [CHANGELOG](CHANGELOG.md) for more information about what has changed recently.
@@ -124,17 +139,15 @@ Please see [CONTRIBUTING](CONTRIBUTING.md) for details.
 
 ## Other Laravel packages
 
-* [`Laravel Analytics Event Tracking`](https://github.com/protonemedia/laravel-analytics-event-tracking): Laravel package to easily send events to Google Analytics.
 * [`Laravel Blade On Demand`](https://github.com/protonemedia/laravel-blade-on-demand): Laravel package to compile Blade templates in memory.
 * [`Laravel Cross Eloquent Search`](https://github.com/protonemedia/laravel-cross-eloquent-search): Laravel package to search through multiple Eloquent models.
 * [`Laravel Eloquent Scope as Select`](https://github.com/protonemedia/laravel-eloquent-scope-as-select): Stop duplicating your Eloquent query scopes and constraints in PHP. This package lets you re-use your query scopes and constraints by adding them as a subquery.
-* [`Laravel Eloquent Where Not`](https://github.com/protonemedia/laravel-eloquent-where-not): This Laravel package allows you to flip/invert an Eloquent scope, or really any query constraint.
-* [`Laravel FFMpeg`](https://github.com/protonemedia/laravel-ffmpeg): This package provides integration with FFmpeg for Laravel. The storage of the files is handled by Laravel's Filesystem.
-* [`Laravel Form Components`](https://github.com/protonemedia/laravel-form-components): Blade components to rapidly build forms with Tailwind CSS Custom Forms and Bootstrap 4. Supports validation, model binding, default values, translations, includes default vendor styling and fully customizable!
+* [`Laravel FFMpeg`](https://github.com/protonemedia/laravel-ffmpeg): This package provides an integration with FFmpeg for Laravel. The storage of the files is handled by Laravel's Filesystem.
+* [`Laravel MinIO Testing Tools`](https://github.com/protonemedia/laravel-minio-testing-tools): Run your tests against a MinIO S3 server.
 * [`Laravel Mixins`](https://github.com/protonemedia/laravel-mixins): A collection of Laravel goodies.
 * [`Laravel Paddle`](https://github.com/protonemedia/laravel-paddle): Paddle.com API integration for Laravel with support for webhooks/events.
+* [`Laravel Task Runner`](https://github.com/protonemedia/laravel-task-runner): Write Shell scripts like Blade Components and run them locally or on a remote server.
 * [`Laravel Verify New Email`](https://github.com/protonemedia/laravel-verify-new-email): This package adds support for verifying new email addresses: when a user updates its email address, it won't replace the old one until the new one is verified.
-* [`Laravel WebDAV`](https://github.com/protonemedia/laravel-webdav): WebDAV driver for Laravel's Filesystem.
 
 ## Security
 

composer.json

@@ -16,14 +16,15 @@
         }
     ],
     "require": {
-        "php": "^8.1|^8.2|^8.3",
-        "graham-campbell/security": "^11.0",
-        "illuminate/contracts": "^10.0",
+        "php": "^8.2|^8.3",
+        "graham-campbell/security-core": "^4.0",
+        "illuminate/contracts": "^10.0|^11.0",
         "spatie/laravel-package-tools": "^1.9.2"
     },
     "require-dev": {
-        "nunomaduro/collision": "^7.0",
-        "orchestra/testbench": "^8.0",
+        "laravel/pint": "^1.14",
+        "nunomaduro/collision": "^7.0|^8.0",
+        "orchestra/testbench": "^8.0|^9.0",
         "pestphp/pest": "^2.0",
         "pestphp/pest-plugin-laravel": "^2.0",
         "phpunit/phpunit": "^10.4"
@@ -58,4 +59,4 @@
     },
     "minimum-stability": "dev",
     "prefer-stable": true
-}
+}

config/xss-protection.php

@@ -18,4 +18,15 @@
 
         'dispatch_event_on_malicious_input' => false,
     ],
+
+    // Additional configuration for the underlying voku/anti-xss package
+    // See: https://github.com/GrahamCampbell/Laravel-Security/blob/11.1/config/security.php
+    'anti_xss' => [
+        'evil' => [
+            'attributes' => null,
+            'tags' => null,
+        ],
+
+        'replacement' => null,
+    ],
 ];

src/Events/MaliciousInputFound.php

@@ -10,7 +10,6 @@ public function __construct(
         public array $sanitizedKeys,
         public Request $originalRequest,
         public Request $sanitizedRequest
-    )
-    {
+    ) {
     }
 }

src/Middleware/XssCleanInput.php

@@ -11,20 +11,6 @@
 
 class XssCleanInput extends TransformsRequest
 {
-    /**
-     * The security instance.
-     *
-     * @var \GrahamCampbell\SecurityCore\Security
-     */
-    protected $security;
-
-    /**
-     * The Blade echo cleaner instance.
-     *
-     * @var \ProtoneMedia\LaravelXssProtection\Cleaners\BladeEchoes
-     */
-    protected $bladeEchoCleaner;
-
     /**
      * All of the registered skip callbacks.
      *
@@ -63,22 +49,20 @@ class XssCleanInput extends TransformsRequest
     /**
      * Create a new instance.
      *
-     * @param \GrahamCampbell\SecurityCore\Security $security
-     * @param \ProtoneMedia\LaravelXssProtection\Cleaners\BladeEchoes $bladeEchoCleaner
      *
      * @return void
      */
-    public function __construct(Security $security, BladeEchoes $bladeEchoCleaner)
-    {
-        $this->security         = $security;
-        $this->bladeEchoCleaner = $bladeEchoCleaner;
+    public function __construct(
+        protected Security $security,
+        protected BladeEchoes $bladeEchoCleaner
+    ) {
+        //
     }
 
     /**
      * Handle an incoming request.
      *
      * @param  \Illuminate\Http\Request  $request
-     * @param  \Closure  $next
      * @return mixed
      */
     public function handle($request, Closure $next)
@@ -149,7 +133,7 @@ protected function transform($key, $value)
 
         $output = $this->security->clean((string) $value);
 
-        if (!$this->enabledInConfig('allow_blade_echoes')) {
+        if (! $this->enabledInConfig('allow_blade_echoes')) {
             $output = $this->bladeEchoCleaner->clean((string) $output);
         }
 
@@ -165,8 +149,7 @@ protected function transform($key, $value)
     /**
      * Returns a boolean whether an option has been enabled.
      *
-     * @param string $key
-     * @return boolean
+     * @param  string  $key
      */
     private function enabledInConfig($key): bool
     {
@@ -176,7 +159,6 @@ private function enabledInConfig($key): bool
     /**
      * Register a callback that instructs the middleware to be skipped.
      *
-     * @param  \Closure  $callback
      * @return void
      */
     public static function skipWhen(Closure $callback)
@@ -187,7 +169,6 @@ public static function skipWhen(Closure $callback)
     /**
      * Register a callback that instructs the middleware to be skipped.
      *
-     * @param  \Closure  $callback
      * @return void
      */
     public static function skipKeyWhen(Closure $callback)

src/ServiceProvider.php

@@ -2,6 +2,7 @@
 
 namespace ProtoneMedia\LaravelXssProtection;
 
+use GrahamCampbell\SecurityCore\Security;
 use Spatie\LaravelPackageTools\Package;
 use Spatie\LaravelPackageTools\PackageServiceProvider;
 
@@ -18,4 +19,12 @@ public function configurePackage(Package $package): void
             ->name('laravel-xss-protection')
             ->hasConfigFile();
     }
+
+    public function packageBooted()
+    {
+        $this->app->singleton(Security::class, fn () => Security::create(
+            config('xss-protection.anti_xss.evil'),
+            config('xss-protection.anti_xss.replacement')
+        ));
+    }
 }

tests/MiddlewareTest.php

@@ -61,10 +61,10 @@
 
 it('doesnt interfere with booleans, numbers and null values', function () {
     $request = Request::createFromGlobals()->merge([
-        'yes'  => true,
-        'no'   => false,
-        'one'  => 1,
-        'pi'   => 3.14,
+        'yes' => true,
+        'no' => false,
+        'one' => 1,
+        'pi' => 3.14,
         'null' => null,
     ]);
 
@@ -143,11 +143,11 @@ class ExceptXssCleanInput extends XssCleanInput
     }
 
     $request = Request::createFromGlobals()->merge([
-        'key'   => 'test<script>script</script>',
+        'key' => 'test<script>script</script>',
         'allow' => 'test<script>script</script>',
 
         'nested' => [
-            'key'     => 'test<script>script</script>',
+            'key' => 'test<script>script</script>',
             'allowed' => 'test<script>script</script>',
         ],
     ]);
@@ -166,12 +166,12 @@ class ExceptXssCleanInput extends XssCleanInput
 it('can trim blade echoes', function () {
     $request = Request::createFromGlobals()->merge([
         'key' => 'test',
-        'a'   => '{{ $test }}',
-        'b'   => '{!! $test !!}',
-        'c'   => '{{{ $test }}}',
-        'd'   => 'd{{ $test }}',
-        'e'   => 'e{!! $test !!}',
-        'f'   => 'f{{{ $test }}}',
+        'a' => '{{ $test }}',
+        'b' => '{!! $test !!}',
+        'c' => '{{{ $test }}}',
+        'd' => 'd{{ $test }}',
+        'e' => 'e{!! $test !!}',
+        'f' => 'f{{{ $test }}}',
     ]);
 
     config(['xss-protection.middleware.completely_replace_malicious_input' => false]);
@@ -198,11 +198,11 @@ class ExceptXssCleanInput extends XssCleanInput
     });
 
     $request = Request::createFromGlobals()->merge([
-        'key'   => 'test<script>script</script>',
+        'key' => 'test<script>script</script>',
         'allow' => 'test<script>script</script>',
 
         'nested' => [
-            'key'     => 'test<script>script</script>',
+            'key' => 'test<script>script</script>',
             'allowed' => 'test<script>script</script>',
         ],
     ]);

tests/TestCase.php

@@ -13,7 +13,7 @@ protected function setUp(): void
         parent::setUp();
 
         Factory::guessFactoryNamesUsing(
-            fn (string $modelName) => 'ProtoneMedia\\LaravelXssProtection\\Database\\Factories\\' . class_basename($modelName) . 'Factory'
+            fn (string $modelName) => 'ProtoneMedia\\LaravelXssProtection\\Database\\Factories\\'.class_basename($modelName).'Factory'
         );
     }