This article shows how to stop XSS (cross-site scripting) attacks in Laravel 5 and what to pay attention to when doing so, with a worked example.
It describes the methods for preventing XSS attacks in Laravel 5 and shares them for reference. The details follow:
Laravel 5 itself does not ship with an HTML filter for preventing XSS attacks, but the Purifier package, which integrates HTMLPurifier, can be used to provide one.
1. Installation
HTMLPurifier is a rich-text HTML filter written in PHP; it is commonly used to prevent XSS attacks. For more information about HTMLPurifier see its official website: http://htmlpurifier.org/. Purifier (mews/purifier) is a package that integrates HTMLPurifier into Laravel 5, and it is installed through Composer:

```bash
composer require mews/purifier
```
After the installation is complete, register the Purifier service provider in the providers array of the configuration file config/app.php:

```php
'providers' => [
    // ...
    Mews\Purifier\PurifierServiceProvider::class,
],
```

Then register the Purifier facade in the aliases array of the same file:

```php
'aliases' => [
    // ...
    'Purifier' => Mews\Purifier\Facades\Purifier::class,
],
```
2. Configuration
To use a custom configuration, publish the package's configuration file to the config directory:

```bash
php artisan vendor:publish
```

This generates a purifier.php file in the config directory:

```php
return [
    'encoding'  => 'UTF-8',
    'finalize'  => true,
    'preload'   => false,
    'cachePath' => null,
    'settings'  => [
        // Profile used when clean() is called without a second argument.
        'default' => [
            'HTML.Doctype'             => 'XHTML 1.0 Strict',
            'HTML.Allowed'             => 'p,b,strong,i,em,a[href|title],ul,ol,li,p[style],br,span[style],img[width|height|alt|src]',
            'CSS.AllowedProperties'    => 'font,font-size,font-weight,font-style,font-family,text-decoration,padding-left,color,background-color,text-align',
            'AutoFormat.AutoParagraph' => true,
            'AutoFormat.RemoveEmpty'   => true,
        ],
        // Additional named profiles, selected by passing their key to clean().
        'test' => [
            'Attr.EnableID' => true,
        ],
        'youtube' => [
            'HTML.SafeIframe'      => 'true',
            'URI.SafeIframeRegexp' => '%^(http://|https://|//)(www.youtube.com/embed/|player.vimeo.com/video/)%',
        ],
    ],
];
```
3. Examples of Use
You can use the helper function clean():

```php
clean(Input::get('inputname'));
```
Or use the clean() method provided by the Purifier facade:

```php
Purifier::clean(Input::get('inputname'));
```
You can also select a named profile, or pass configuration dynamically, in your app:

```php
// Use the 'titles' profile defined in purifier.php.
clean('This is my H1 title', 'titles');

// Or pass HTMLPurifier directives directly.
clean('This is my H1 title', array('Attr.EnableID' => true));
```
Or use the corresponding method provided by the Purifier facade:

```php
Purifier::clean('This is my H1 title', 'titles');
Purifier::clean('This is my H1 title', array('Attr.EnableID' => true));
```
4. Preventing XSS in plain PHP

A hand-written filter that escapes everything, for use outside Laravel:

```php
<?php
// Strips tags, escapes HTML special characters and removes path and
// control-character sequences. With $low = true only the first three steps run.
function clean_xss(&$string, $low = false)
{
    if (!is_array($string)) {
        $string = trim($string);
        $string = strip_tags($string);
        $string = htmlspecialchars($string);
        if ($low) {
            return true;
        }
        $string = str_replace(array('"', "\\", "'", "/", "..", "../", "./", "//"), '', $string);
        $no = '/%0[0-8bcef]/';
        $string = preg_replace($no, '', $string);
        $no = '/%1[0-9a-f]/';
        $string = preg_replace($no, '', $string);
        $no = '/[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]+/S';
        $string = preg_replace($no, '', $string);
        return true;
    }
    // Arrays are cleaned recursively, element by element.
    $keys = array_keys($string);
    foreach ($keys as $key) {
        clean_xss($string[$key]);
    }
}

// Just a test
$str = '<meta http-equiv="refresh" content="0;">';
clean_xss($str); // Leave this line out and you will see how powerful the XSS attack is.
echo $str;
```
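The two approaches on this page behave very differently on rich text: clean_xss() strips every tag, while HTMLPurifier keeps the whitelisted markup. The following added example (not code from the original article or from the mews/purifier project) runs both over the same constructed input, using the HTMLPurifier library directly with the directives of the 'default' profile above; it assumes `composer require ezyang/htmlpurifier` has been run.

```php
<?php
// Added example: whitelist filtering (HTMLPurifier) versus escape-everything
// (the clean_xss() idea). Assumes the ezyang/htmlpurifier Composer package.
require __DIR__ . '/vendor/autoload.php';

// Constructed sample: rich text a user might submit, carrying several XSS vectors.
$input = '<p onclick="alert(1)">Hello <b>world</b></p>'
       . '<script>alert(document.cookie)</script>'
       . '<a href="javascript:alert(1)" title="t">link</a>'
       . '<img src="pic.png" alt="pic" onerror="alert(1)">';

// Whitelist approach: only the tags and attributes in HTML.Allowed survive;
// script elements, on* handlers and javascript: URLs are dropped.
$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.Doctype', 'XHTML 1.0 Strict');
$config->set('HTML.Allowed', 'p,b,strong,i,em,a[href|title],ul,ol,li,p[style],br,span[style],img[width|height|alt|src]');
$config->set('CSS.AllowedProperties', 'font,font-size,font-weight,font-style,font-family,text-decoration,padding-left,color,background-color,text-align');
$config->set('AutoFormat.AutoParagraph', true);
$config->set('AutoFormat.RemoveEmpty', true);
$config->set('Cache.DefinitionImpl', null); // no definition cache for this stand-alone script
$purifier = new HTMLPurifier($config);

$safeRichText = $purifier->purify($input);
// Expect the <p>, <b>, <a title="t"> and <img src alt> markup to remain, with the
// onclick/onerror attributes, the javascript: href and the <script> element removed.
echo $safeRichText, PHP_EOL;

// Escape-everything approach (what clean_xss() does): suitable for plain-text
// fields such as a username, but it removes legitimate markup as well, so it
// cannot be used for content that must keep its formatting.
$plainText = htmlspecialchars(strip_tags(trim($input)), ENT_QUOTES, 'UTF-8');
// Expect no tags at all, only their text content (including the script body as text).
echo $plainText, PHP_EOL;
```

Use the whitelist filter for fields that legitimately contain HTML and the escape-everything filter for everything else; in Blade templates, output user data through the escaping `{{ }}` syntax rather than `{!! !!}` unless it has been purified.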