laravelgems / blade-escape by laravelgems

Custom blade directives to figth against XSS
11,252
13
4
Github Link
Packagist Link
Package Data
Maintainer Username: laravelgems
Maintainer Contact: leonid.shumakov@laragems.com (Leonid Shumakov)
Package Create Date: 2016-12-25
Package Last Update: 2016-12-25
Language: PHP
License: MIT
Last Refreshed: 2024-11-22 03:11:55
Package Statistics
Total Downloads: 11,252
Monthly Downloads: 20
Daily Downloads: 1
Total Stars: 13
Total Watchers: 4
Total Forks: 4
Total Open Issues: 0

Blade Escape - fight against XSS

Blade Escape is a service provider that extends Blade directives and allows use Laragems\Escape library.

<div style="background-color: @css($color);">
    <label>@text($label)</label>
    <input type="text" name="custom" value="@attr($value)"/>
</div>
<a href="/profile?u=@param($username)">Profile</a>
<button onclick="callMyFunction('@js($username)');">Validate</button>
<script>
    var username = "@js($username)";
</script>

Installation

composer require laravelgems/blade-escape

After that add service provider to a config\app.php

        /*
         * Package Service Providers...
         */
         ...
         LaravelGems\BladeEscape\Providers\BladeEscapeServiceProvider::class,
         ...

HTML - @text($variable), safe

<p>@text($resume)</p>
<div>@text($bio)</div>

HTML Attribute - @attr(@variable), safe when following rules

Attribute's value should be quoted. For usage with whitelist attributes: align, alink, alt, bgcolor, border, cellpadding, cellspacing, class, color, cols, colspan, coords, dir, face, height, hspace, ismap, lang, marginheight, marginwidth, multiple, nohref, noresize, noshade, nowrap, ref, rel, rev, rows, rowspan, scrolling, shape, span, summary, tabindex, title, usemap, valign, value, vlink, vspace, width

<input type="text" value="@attr($variable)"/>
<img src="image.png" alt="@attr($variable)"/>

URL Parameter - @param($variable), safe

<a href="search?keyword=@param($variable)">Click Me</a>

Javascript Parameter - @js($variable), safe when following rules

Value should be quoted. Avoid using dangerous functions (eval and so on), example - setTimeout("@js($variable)") (can be hacked!)

<script>
    var username = "@js($variable)";
</script>
<a href="#" onclick="displayDialog('@js($title)');">Click</a>

CSS - @css($variable), safe when following rules

Surrounded by quotes. Avoid complex properties like url, behavior and custom (-moz-binding). Do not put untrusted data into IE's expression property value

<style>
    .article { background-color: '@css($color)';}
</style>
<span style="width: '@css($width)';"></span>

Must Read: QWASP - XSS Prevention Cheat Sheet

You don't like the names of directives. Ok, just change them in a published config.