Muhammad Usman


XSS Filter in Laravel Framework

If you are connected with the PHP development world, you have surely heard the name Laravel and know what it is. If you don’t, Laravel is a modern PHP framework that makes use of modern PHP features and reuses components from existing frameworks to truly awesomify PHP development.

Back in 2012 I gave Laravel a try out of curiosity and I was amazed by the flexibility, features and easiness it offers. I took another decision to learn it and then to use it on my new projects. Now I have learned Laravel and developed projects using it. I am not leaving development with CodeIgniter, just using both; in fact my current long-term work, Vegan Cuts, is based on CodeIgniter.

What’s the big deal?

One thing you might miss in Laravel is an XSS (Cross-site Scripting) cleaning/filtering method for inputs, especially if you come from a CodeIgniter background. I truly understand that it’s better to do it on output, and Laravel has a method HTML::entities with a handy shorthand e() (removed in Laravel 4) which converts HTML characters into entities; it’s almost PHP’s native function htmlentities() (Blade’s syntax can also escape data). But I do prefer filtering/sanitizing both inputs and outputs: I don’t see any reason to allow saving HTML tags in the database, and you may accidentally forget to use htmlentities() on your output, which puts you at risk. So I prefer to strip all the tags from input globally and then, for better security, use htmlentities() on output.
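The reason output escaping is the layer you cannot skip is that strip_tags() only removes tag markup; a value is only safe once it is escaped for the context it lands in. The following is an added example (not code from the original post) that renders the same two constructed form values once through strip_tags() alone and once through an htmlentities() wrapper equivalent to Laravel’s e()/HTML::entities(). The function names escapeHtml and renderProfile are assumptions made for the demonstration.

```php
<?php
// Added example: strip_tags() on input versus htmlentities() on output.
// Both input values below are constructed for the demonstration.

/**
 * Escape a value for insertion into HTML text or a double-quoted attribute.
 * This is what Laravel's e()/HTML::entities() wrap: htmlentities() with ENT_QUOTES.
 */
function escapeHtml(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Render a small profile snippet with a pluggable escaper, so the same
 * template can be shown with and without proper output escaping.
 */
function renderProfile(string $name, string $site, callable $escape): string
{
    return '<p>Name: ' . $escape($name) . '</p>' . "\n"
         . '<a href="' . $escape($site) . '">' . $escape($site) . '</a>';
}

$inputs = [
    // Tag injection in text context: strip_tags() removes the markup (the inner text stays).
    'name' => 'Alice <script>alert(1)</script>',
    // No tags at all, so strip_tags() leaves it untouched; the stray quote
    // closes the href attribute and injects a new one. Only escaping neutralises it.
    'site' => 'https://example.org" title="injected',
];

$stripOnly = function (string $value): string {
    return strip_tags($value);
};

echo "--- strip_tags() only (input filtering) ---\n";
echo renderProfile($inputs['name'], $inputs['site'], $stripOnly), "\n\n";
// The anchor now carries an attacker-controlled title="injected" attribute.

echo "--- htmlentities() on output ---\n";
echo renderProfile($inputs['name'], $inputs['site'], 'escapeHtml'), "\n";
// The quote becomes &quot; and the angle brackets become &lt;/&gt;; the
// markup is rendered as literal text and the attribute stays intact.
```

One further caveat for URL attributes: neither strip_tags() nor htmlentities() changes the scheme of a URL, so a value placed into href or src also needs a scheme check (for example, allowing only http and https) before it is emitted.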

Here we go

So how can we XSS-clean all the inputs in Laravel? I have a solution for you. If you don’t have a library for the common methods you need frequently, create a new library Common in application/library (in Laravel 4, create a Common model in app/models). Put these two methods in your Common library/model:

<?php
// The Common library (Laravel 3) or Common model (Laravel 4).
class Common
{
    /**
     * Strip tags globally from all request input.
     */
    public static function globalXssClean()
    {
        // Recursive cleaning for array [] inputs, not just strings.
        $sanitized = static::arrayStripTags(Input::get());
        Input::merge($sanitized);
    }

    /**
     * Recursively strip tags from the keys and values of an input array.
     */
    public static function arrayStripTags($array)
    {
        $result = array();

        foreach ($array as $key => $value) {
            // Don't allow tags on the key either, maybe useful for dynamic forms.
            $key = strip_tags($key);

            // If the value is an array, we will just recurse back into the
            // function to keep stripping the tags out of the array,
            // otherwise we will set the stripped value.
            if (is_array($value)) {
                $result[$key] = static::arrayStripTags($value);
            } else {
                // I am using strip_tags(), you may use htmlentities(),
                // also I am doing trim() here, you may remove it, if you wish.
                $result[$key] = trim(strip_tags($value));
            }
        }

        return $result;
    }
}

Then put this code at the beginning of your before filter (in application/routes.php; in Laravel 4 it should be in app/filters.php):

// Laravel 3: application/routes.php. In Laravel 4 the same call goes inside App::before() in app/filters.php.
Route::filter('before', function()
{
    // Our own method to defend against XSS attacks globally.
    Common::globalXssClean();
});

Note: I am using strip_tags(), you may use htmlentities(); I am also trimming globally here, which you may remove if you wish. Stripping tags will prevent your users from storing any HTML tags; if you need your users to write WYSIWYG content then I suggest you use Markdown and convert it to HTML on output. It is the more secure way, and there are many libraries to help you.
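To see exactly what reaches your controllers after the global clean, here is an added, framework-free example (not the post’s code, and using no Laravel classes) that runs the same recursive strip-and-trim idea over a constructed request array shaped like $_POST for a form with array fields. It goes beyond the post’s version in two ways, both labelled in the comments: non-string scalars (ints, bools, null) are passed through unchanged instead of being stringified by strip_tags() (which on PHP 8.1+ also emits a deprecation notice for null), and recursion depth is capped so a deeply nested payload cannot exhaust the stack. The names stripTagsDeep, cleanValue and MAX_INPUT_DEPTH are assumptions for this example.

```php
<?php
// Added example: recursive input stripping with edge cases handled.
// Request data below is constructed for the demonstration.

// Assumption: a fixed recursion limit for nested input (not part of the post).
const MAX_INPUT_DEPTH = 32;

/**
 * Strip tags and trim a single scalar. Non-string scalars are returned as-is:
 * there is nothing to strip, and strip_tags() would turn 42 into "42" and
 * null into "" (with a deprecation notice on PHP 8.1+).
 */
function cleanValue($value)
{
    if (is_string($value)) {
        return trim(strip_tags($value));
    }
    return $value;
}

/**
 * Recursively strip tags from keys and values, as the post's
 * arrayStripTags() does, plus a depth guard and scalar preservation.
 */
function stripTagsDeep(array $array, int $depth = 0): array
{
    if ($depth > MAX_INPUT_DEPTH) {
        throw new InvalidArgumentException('Input nested too deeply');
    }

    $result = [];
    foreach ($array as $key => $value) {
        // Keys are stripped too (dynamic form fields); integer keys from
        // name[] fields are kept as integers rather than stringified.
        $cleanKey = is_string($key) ? strip_tags($key) : $key;

        $result[$cleanKey] = is_array($value)
            ? stripTagsDeep($value, $depth + 1)
            : cleanValue($value);
    }
    return $result;
}

// Constructed request input, shaped like $_POST for a form with array fields.
$request = [
    'name'       => '  <b>Alice</b>  ',
    'age'        => 42,
    'subscribed' => true,
    'note'       => null,
    'tags'       => ['<i>php</i>', 'laravel <script>x</script>'],
    'address'    => ['city' => '<em>Lahore</em>', 'zip<x>' => '54000'],
];

$clean = stripTagsDeep($request);

// What the controller would see after the before filter merged this back.
assert($clean['name'] === 'Alice');                  // tags removed, trimmed
assert($clean['age'] === 42);                        // still an int
assert($clean['subscribed'] === true);               // still a bool
assert($clean['note'] === null);                     // still null
assert($clean['tags'] === ['php', 'laravel x']);     // nested list cleaned, inner text remains
assert($clean['address'] === ['city' => 'Lahore', 'zip' => '54000']); // key stripped too

print_r($clean);
```

Note that, exactly as with the post’s version, the inner text of a stripped tag survives ("laravel x" above), which is another reason the output still has to be escaped for its context.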

More Laravel tutorials are coming, stay tuned 🙂