Integrate Htmlpurifier with Purifier expansion pack in Laravel 5 to prevent XSS cross-site attacks

1. Installation

Htmlpurifier is a rich text HTML filter written in PHP, usually we can use it to prevent XSS cross-site attacks, more information about Htmlpurifier please refer to its official website: http://htmlpurifier.org/. Purifier is an expansion pack that integrates htmlpurifier in Laravel 5, and we can install this extension package through Composer:

Composer require Mews/purifier

After the installation is complete, register the Htmlpurifier service provider in the providers of the configuration file config/app.php:

' Providers ' = [    //...    ] Mews\purifier\purifierserviceprovider::class,]

Then register the purifier façade in the aliases:

' Aliases ' = [    //...    ] Purifier ' = Mews\purifier\facades\purifier::class,]

2. Configuration

To use a custom configuration, publish the configuration file to the Config directory:

PHP Artisan Vendor:publish

This will generate a purifier.php file in the Config directory:

return [    ' encoding ' = ' UTF-8 ',    ' finalize ' = = True,    ' preload '  = False,    ' cachepath ' = > null,    ' settings ' = [        ' default ' = = '            HTML. Doctype ' +             ' XHTML 1.0 Strict ',            ' HTML. Allowed '             = ' div,b,strong,i,em,a[href|title],ul,ol,li,p[style],br,span[style],img[width|height|alt|src] ',            ' CSS. Allowedproperties '    = ' and ' Font,font-size,font-weight,font-style,font-family,text-decoration,padding-left, Color,background-color,text-align ',            ' autoformat.autoparagraph ' =-true,            ' Autoformat.removeempty '   = True        ],        ' test ' = [            ' attr.enableid ' = ' = True        ],        ' youtube ' = [            ' Html. Safeiframe "= ' true ',            " URI. Safeiframeregexp "="%^ (http://|https://|//) (www.youtube.com/embed/|player.vimeo.com/video/)% ",        ],    ],];

3. Examples of Use

You can use the auxiliary function clean:

Clean (input::get (' InputName '));

Or use the Clean method provided by the purifier façade:

Purifier::clean (Input::get (' InputName '));

You can also configure it dynamically in your app:

Clean (' It is my H1 title ', ' titles '), and clean (' This is my H1 title ', Array (' attr.enableid ' = true));

Or you can also use the method provided by the purifier façade:

Purifier::clean (' This is my H1 title ', ' titles '); Purifier::clean (' This is my H1 title ', Array (' attr.enableid ' = true));

