dev-master
9999999-devCustom blade directives to figth against XSS
MIT
The Requires
1.0.0
1.0.0.0Custom blade directives to figth against XSS
MIT
The Requires
Wallogit.com
2017 © Pedro Peláez
library blade-escape
Custom blade directives to figth against XSS
laravelgems/blade-escape
Custom blade directives to figth against XSS
- Sunday, December 25, 2016
- by laravelgems
- Repository
- 2 Watchers
- 8 Stars
- 1,740 Installations
- PHP
- 0 Dependents
- 0 Suggesters
- 1 Forks
- 0 Open issues
- 2 Versions
- 15 % Grown
The README.md
Blade Escape - fight against XSS
Blade Escape is a service provider that extends Blade directives and allows use Laragems\Escape library., (*1)
<div style="background-color: @css($color);">
<label>@text($label)</label>
<input type="text" name="custom" value="@attr($value)"/>
</div>
<a href="/profile?u=@param($username)">Profile</a>
<button onclick="callMyFunction('@js($username)');">Validate</button>
<script>
var username = "@js($username)";
</script>
Installation
composer require laravelgems/blade-escape
After that add service provider to a config\app.php, (*2)
/*
* Package Service Providers...
*/
...
LaravelGems\BladeEscape\Providers\BladeEscapeServiceProvider::class,
...
HTML - @text($variable), safe
<p>@text($resume)</p> <div>@text($bio)</div>
HTML Attribute - @attr(@variable), safe when following rules
Attribute's value should be quoted. For usage with whitelist attributes: align, alink, alt, bgcolor, border, cellpadding, cellspacing, class, color, cols, colspan, coords, dir, face, height, hspace, ismap, lang, marginheight, marginwidth, multiple, nohref, noresize, noshade, nowrap, ref, rel, rev, rows, rowspan, scrolling, shape, span, summary, tabindex, title, usemap, valign, value, vlink, vspace, width, (*3)
<input type="text" value="@attr($variable)"/> <img src="image.png" alt="@attr($variable)"/>
URL Parameter - @param($variable), safe
<a href="search?keyword=@param($variable)">Click Me</a>
Javascript Parameter - @js($variable), safe when following rules
Value should be quoted. Avoid using dangerous functions (eval and so on), example - setTimeout("@js($variable)") (can be hacked!), (*4)
<script>
var username = "@js($variable)";
</script>
<a href="#" onclick="displayDialog('@js($title)');">Click</a>
CSS - @css($variable), safe when following rules
Surrounded by quotes. Avoid complex properties like url, behavior and custom (-moz-binding). Do not put untrusted data into IE's expression property value, (*5)
<style>
.article { background-color: '@css($color)';}
</style>
<span style="width: '@css($width)';"></span>
Must Read: QWASP - XSS Prevention Cheat Sheet, (*6)
You don't like the names of directives. Ok, just change them in a published config., (*7)