1. Installation
HTMLPurifier is a PHP-based rich-text HTML filter that can be used to prevent cross-site scripting (XSS) attacks; for more information, see its official website: http://htmlpurifier.org/. mews/purifier is a package that integrates HTMLPurifier into Laravel 5, and it can be installed through Composer:
composer require mews/purifier
After the installation is complete, register the HTMLPurifier service provider in the providers array of the configuration file config/app.php:
'providers' => [
    // ...
    Mews\Purifier\PurifierServiceProvider::class,
],
Then register the Purifier facade in the aliases array:
'aliases' => [
    // ...
    'Purifier' => Mews\Purifier\Facades\Purifier::class,
],
2. Configuration
To use a custom configuration, publish the configuration file to the config directory:
php artisan vendor:publish
This will generate a purifier.php file in the config directory:
return [
    'encoding'  => 'UTF-8',
    'finalize'  => true,
    'preload'   => false,
    'cachePath' => null,
    'settings'  => [
        'default' => [
            'HTML.Doctype'             => 'XHTML 1.0 Strict',
            'HTML.Allowed'             => 'div,b,strong,i,em,a[href|title],ul,ol,li,p[style],br,span[style],img[width|height|alt|src]',
            'CSS.AllowedProperties'    => 'font,font-size,font-weight,font-style,font-family,text-decoration,padding-left,color,background-color,text-align',
            'AutoFormat.AutoParagraph' => true,
            'AutoFormat.RemoveEmpty'   => true,
        ],
        'test' => [
            'Attr.EnableID' => true,
        ],
        'youtube' => [
            'HTML.SafeIframe'      => 'true',
            'URI.SafeIframeRegexp' => '%^(http://|https://|//)(www.youtube.com/embed/|player.vimeo.com/video/)%',
        ],
    ],
];
3. Usage example
You can use the clean helper function:
clean(Input::get('inputname'));
Or use the clean method provided by the Purifier facade:
Purifier::clean(Input::get('inputname'));
You can also pass the configuration dynamically in your application:
clean('This is my H1 title', 'titles');
clean('This is my H1 title', array('Attr.EnableID' => true));
Or use the same method through the Purifier facade:
Purifier::clean('This is my H1 title', 'titles');
Purifier::clean('This is my H1 title', array('Attr.EnableID' => true));
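As an added example that is not part of the original post, the following standalone PHP script drives HTMLPurifier directly with the same `default` settings as the published purifier.php above, so the whitelist can be checked outside Laravel. It assumes `composer require ezyang/htmlpurifier` has been run and vendor/autoload.php sits beside the script; the sample inputs are constructed.

```php
<?php
// Added example (not from the original post): runs HTMLPurifier with the
// 'default' settings from purifier.php, without the Laravel wrapper.
// Assumes vendor/autoload.php from `composer require ezyang/htmlpurifier`.
require __DIR__ . '/vendor/autoload.php';

function makePurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Doctype', 'XHTML 1.0 Strict');
    $config->set('HTML.Allowed',
        'div,b,strong,i,em,a[href|title],ul,ol,li,p[style],br,span[style],img[width|height|alt|src]');
    $config->set('CSS.AllowedProperties',
        'font,font-size,font-weight,font-style,font-family,text-decoration,padding-left,color,background-color,text-align');
    $config->set('AutoFormat.AutoParagraph', true);
    $config->set('AutoFormat.RemoveEmpty', true);
    // Disable the definition cache so the script needs no writable directory.
    $config->set('Cache.DefinitionImpl', null);
    return new HTMLPurifier($config);
}

// Constructed inputs: one legitimate rich-text fragment that the whitelist
// should keep intact, plus fragments a filter must neutralise. Everything
// outside HTML.Allowed (meta, script, onerror, javascript: URLs, CSS
// properties not in CSS.AllowedProperties) is dropped by the whitelist.
$samples = [
    'rich text'      => '<p style="color:red">Hi <b>there</b> <a href="https://example.com" title="t">link</a></p>',
    'meta refresh'   => '111cn.net<meta http-equiv="refresh" content="0;">',
    'script tag'     => '<p>hi<script>alert(1)</script></p>',
    'event handler'  => '<img src="a.png" onerror="alert(1)" alt="a">',
    'javascript url' => '<a href="javascript:alert(1)">click</a>',
    'css property'   => '<span style="color:red; position:absolute">x</span>',
];

$purifier = makePurifier();
foreach ($samples as $label => $dirty) {
    printf("%-15s %s\n", $label . ':', $purifier->purify($dirty));
}
```

Compare the output line by line with the inputs: the whitelisted markup in the first sample survives, while the disallowed elements and attributes in the others are removed rather than escaped.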
Preventing XSS attacks in plain PHP
<?php
// Strips tags, escapes the remainder and removes a set of characters often
// used in injection attempts. Arrays are cleaned recursively.
function clean_xss(&$string, $low = false)
{
    if (!is_array($string))
    {
        $string = trim($string);
        $string = strip_tags($string);
        $string = htmlspecialchars($string);
        if ($low)
        {
            return true;
        }
        $string = str_replace(array('"', "\\", "'", "/", "..", "../", "./", "//"), '', $string);
        $no = '/%0[0-8bcef]/';
        $string = preg_replace($no, '', $string);
        $no = '/%1[0-9a-f]/';
        $string = preg_replace($no, '', $string);
        $no = '/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]+/S';
        $string = preg_replace($no, '', $string);
        return true;
    }
    $keys = array_keys($string);
    foreach ($keys as $key)
    {
        clean_xss($string[$key]);
    }
}
// just a test
$str = '111cn.net<meta http-equiv="refresh" content="0;">';
clean_xss($str); // if you comment this line out, you will see what the XSS attack does
echo $str;
?>