Looking to hire Laravel developers? Try LaraJobs

blade-escape maintained by laravelgems

Description
Custom blade directives to figth against XSS
Author
Leonid Shumakov
Last update
2016/12/25 15:03 (dev-master)
License
MIT
Links
GitHub - Packagist
Downloads
12 364

dev-master

Last update
2016/12/25 15:03
License
MIT
Require
  • illuminate/support 5.*
  • laravelgems/escape 1.*
1.0.0

Last update
2016/12/25 14:34
License
MIT
Require
  • illuminate/support 5.*
  • laravelgems/escape 1.*
Comments
comments powered by Disqus

Blade Escape - fight against XSS

Blade Escape is a service provider that extends Blade directives and allows use Laragems\Escape library.

<div style="background-color: @css($color);">
    <label>@text($label)</label>
    <input type="text" name="custom" value="@attr($value)"/>
</div>
<a href="/profile?u=@param($username)">Profile</a>
<button onclick="callMyFunction('@js($username)');">Validate</button>
<script>
    var username = "@js($username)";
</script>

Installation

composer require laravelgems/blade-escape

After that add service provider to a config\app.php

        /*
         * Package Service Providers...
         */
         ...
         LaravelGems\BladeEscape\Providers\BladeEscapeServiceProvider::class,
         ...

HTML - @text($variable), safe

<p>@text($resume)</p>
<div>@text($bio)</div>

HTML Attribute - @attr(@variable), safe when following rules

Attribute's value should be quoted. For usage with whitelist attributes: align, alink, alt, bgcolor, border, cellpadding, cellspacing, class, color, cols, colspan, coords, dir, face, height, hspace, ismap, lang, marginheight, marginwidth, multiple, nohref, noresize, noshade, nowrap, ref, rel, rev, rows, rowspan, scrolling, shape, span, summary, tabindex, title, usemap, valign, value, vlink, vspace, width

<input type="text" value="@attr($variable)"/>
<img src="image.png" alt="@attr($variable)"/>

URL Parameter - @param($variable), safe

<a href="search?keyword=@param($variable)">Click Me</a>

Javascript Parameter - @js($variable), safe when following rules

Value should be quoted. Avoid using dangerous functions (eval and so on), example - setTimeout("@js($variable)") (can be hacked!)

<script>
    var username = "@js($variable)";
</script>
<a href="#" onclick="displayDialog('@js($title)');">Click</a>

CSS - @css($variable), safe when following rules

Surrounded by quotes. Avoid complex properties like url, behavior and custom (-moz-binding). Do not put untrusted data into IE's expression property value

<style>
    .article { background-color: '@css($color)';}
</style>
<span style="width: '@css($width)';"></span>

Must Read: QWASP - XSS Prevention Cheat Sheet

You don't like the names of directives. Ok, just change them in a published config.