Package Data | |
---|---|
Maintainer Username: | lab1521 |
Maintainer Contact: | marcz@lab1521.com (Marco Hermo) |
Package Create Date: | 2016-07-28 |
Package Last Update: | 2017-01-19 |
Home Page: | |
Language: | PHP |
License: | MIT |
Last Refreshed: | 2024-11-11 15:11:27 |
Package Statistics | |
---|---|
Total Downloads: | 7,152 |
Monthly Downloads: | 2 |
Daily Downloads: | 1 |
Total Stars: | 22 |
Total Watchers: | 2 |
Total Forks: | 0 |
Total Open Issues: | 1 |
Cleans up your HTML. Useful for writing content or blogs that accepts HTML markup. Requires the PHP tidy class. Please install this extension first.
Accepting HTML contents (with markups/tags included etc.) on your website is somewhat a concern regarding the security of your website and its users. The dreaded XSS or Cross Site Scripting is always a threat. However with the power of open source we can keep up with common threats and mitigate the issues for safekeeping our websites or blogs.
composer require lab1521/neaty-html
<?php
require('../vendor/autoload.php');
use Lab1521\NeatyHTML\NeatyHTML;
//Goal: Remove onerror attribute which prevents eval to alert
$badImage = '<img src=x:alert(window) onerror=eval(src) alt="bad image">';
$goodImage = '<img src="images/good.gif" alt="good image">';
$neaty = new NeatyHTML($badImage . $goodImage);
//Outputs <img src="x:alert(window)" alt="bad image"><img src="images/good.gif" alt="good image">
echo $neaty->tidyUp();
//Goal: Remove unrecognized images and keep local sources only
$neaty->blockedTags(['img']);
$neaty->tagOverrides([
'img' => [
[
'attribute' => 'src',
'values' => ['images/'] //restricts to local folder
],
]
]);
//Goal: Remove $badImage
$neaty->loadHtml($badImage . $goodImage);
//Outputs $goodImage only
echo $neaty->tidyUp();
Current PHP's DomDocument class does not support HTML5 tags/attributes. For this reason a NeatyDOMException exception is thrown.
For your Laravel app, open config/app.php and, within the providers array, append:
/*
* Package Service Providers...
*/
Lab1521\NeatyHTML\NeatyHTMLServiceProvider::class,
Add a new item in the 'aliases' array on the same file, config/app.php
'NeatyHTML' => Lab1521\NeatyHTML\Facades\NeatyHTML::class,
<?php
Route::get('/', function () {
//Goal: Remove onerror attribute which prevents eval to alert
$badImage = '<img src=x:alert(window) onerror=eval(src) alt="bad image">';
$goodImage = '<img src="images/good.gif" alt="good image">';
$neaty = NeatyHTML::loadHtml($badImage . $goodImage);
//Goal: Remove unrecognized images and keep local sources only
$neaty->blockedTags(['img']);
$neaty->tagOverrides([
'img' => [
[
'attribute' => 'src',
'values' => ['images/'] //restricts to local folder
],
]
]);
//Outputs $goodImage only
return $neaty->tidyUp();
// return view('welcome');
});
NeatyHTML provides a custom validation rule called 'html' which will check your POST input containing markups and passes the error message when validation fails. Please note that NeatyHTMLServiceProvider is deferred by default so we need to inject this class in the controller method in order to use the custom validation feature. In this way we only use NeatyHTML when we wanted which is nice to have.
<?php
use Lab1521\NeatyHTML\NeatyHTML;
class PostController extends Controller
{
public function store(Request $request, NeatyHTML $neaty)
{
$this->validate($request, [
'title' => 'required',
'body' => 'required|html' // <-- custom rule
]);
// Your awesome code here ...
$body = $neaty->tidyUp($request['body']);
}
}