SafeHTML is a PHP package that helps prevent XSS (cross-site scripting) when your application accepts, stores or renders HTML content supplied by users.
Install the package with Composer:

```bash
composer require baddiservices/safehtml
```
Validate whether the input is HTML or not

```php
...
use Illuminate\Http\Request;          // assumed: a Laravel request, since input() is used below
use BADDIServices\SafeHTML\SafeHTML;

class DemoController extends Controller
{
    /** @var SafeHTML */
    private $safeHTML;

    // SafeHTML is injected by the container
    public function __construct(SafeHTML $safeHTML)
    {
        $this->safeHTML = $safeHTML;
    }

    public function IndexAction(Request $request)
    {
        $htmlContent = $request->input("content");

        // validate() belongs to SafeHTML, so call it on the injected service
        if ($this->safeHTML->validate($htmlContent)) {
            // TODO: the input is HTML, continue processing it (e.g. sanitizeHTML())
        }
    }
}
```
Prevent XSS in HTML

Use `sanitizeHTML()` for fields that are meant to carry markup (rich text): the HTML is kept, but the tags and attributes listed in the blacklist are removed.

```php
...
$sanitizedHTML = $safeHTML->sanitizeHTML($content);
```

Prevent XSS in text

Use `sanitize()` for fields that are meant to be plain text: HTML tags are not allowed at all.

```php
...
$sanitizedText = $safeHTML->sanitize($text);
```

Prevent XSS in a link

Use `sanitizeURL()` on a user-supplied URL before it is placed in a link.

```php
...
$sanitizedURL = $safeHTML->sanitizeURL($url);
```
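The three calls above, put together in one script, as an added example that is not part of the package's README or source code. It assumes that `SafeHTML` can be constructed without arguments, that `validate()` returns a boolean and that the `sanitize*()`, `encodeEntities()` and `decodeEntities()` methods return strings; the input values are constructed stand-ins for untrusted request data. The point it makes beyond the snippets: which method a value goes through is decided by the field's contract (rich text, plain text, link), never by sniffing the input, because an attacker who controls the branch will always choose the most permissive one.

```php
<?php
// Added example, not from the package. Assumptions: no-argument constructor,
// validate() returns bool, the sanitize*/encode*/decode* methods return strings.
require __DIR__ . '/vendor/autoload.php';

use BADDIServices\SafeHTML\SafeHTML;

$safeHTML = new SafeHTML();
$safeHTML->setEncoding('UTF-8');   // be explicit about the character set

// Constructed inputs standing in for an untrusted form submission.
$richContent = '<p>Hello <b>world</b></p><script>alert(1)</script>';
$displayName = "O'Neil <img src=x onerror=alert(1)>";
$profileLink = 'javascript:alert(document.cookie)';
$textFields  = ['city' => '<b>Paris</b>', 'bio' => 'I <3 <a href="#">links</a>'];

// 1. Rich-text field: markup is expected, so it always goes through sanitizeHTML().
$storedContent = $safeHTML->sanitizeHTML($richContent);

// 2. Plain-text field: markup is never expected. validate() tells us whether the
//    value contains HTML; a value that does is rejected rather than "cleaned",
//    which makes tampering visible instead of silently accepting it.
if ($safeHTML->validate($displayName)) {
    throw new InvalidArgumentException('display name must not contain HTML');
}
$safeName = $safeHTML->sanitize($displayName);   // strips tags as defence in depth

// 3. Several plain-text fields at once.
$safeFields = $safeHTML->sanitizeAll($textFields);

// 4. Link field: sanitize the URL before it ends up in an href attribute.
$safeLink = $safeHTML->sanitizeURL($profileLink);

// 5. Output: entity-encode plain text when printing it into an HTML context;
//    decodeEntities() is the inverse, for showing the stored value raw again.
$encodedName = $safeHTML->encodeEntities($safeName);
$roundTrip   = $safeHTML->decodeEntities($encodedName);

printf("content: %s\nname: %s\nlink: %s\n", $storedContent, $encodedName, $safeLink);
print_r($safeFields);
var_dump($roundTrip === $safeName);   // the encode/decode pair should round-trip
```

In practice the `validate()` branch in step 2 would return a validation error to the client rather than throw; the exception is used here only to keep the script short.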
Method | Description
---|---
`validate($value)` | Verify whether the text is HTML
`sanitize($value)` | Sanitize text so that it contains no HTML tags
`sanitizeAll($values)` | Sanitize an array of texts so that they contain no HTML tags
`sanitizeHTML($value)` | Sanitize HTML (using the blacklist) to prevent XSS
`sanitizeURL($value)` | Sanitize a URL before it is used in a link
`encodeEntities($value)` | Encode special characters to HTML entities
`decodeEntities($value)` | Decode HTML entities to their corresponding characters
`setBlackListPath($blackListPath)` | Set a custom path for the blacklist JSON file
`getEncoding()` | Get the character encoding
`setEncoding($encodage)` | Set the character encoding
The package reads the tags and attributes it removes from a blacklist JSON file; you can inspect the default one, or point the package at your own with `setBlackListPath()`. The file has the following structure:

```json
{
    "tags": {
        "not-allowed": [],
        "not-allowed-empty": []
    },
    "attributes": {
        "not-allowed": []
    }
}
```

Because this is a blacklist, anything it does not name is allowed through. Review the list against the elements and attributes your application actually renders rather than relying on it as a complete inventory of dangerous markup.
Name | Code | Description
---|---|---
`BlackListNotLoadedException` | 11 | Failed to load the blacklist file
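A custom blacklist in the JSON shape shown above, written to a temporary file, loaded with `setBlackListPath()` and exercised against a constructed payload, as an added example that is not part of the package. Assumptions: the `not-allowed` arrays hold bare, lower-case tag and attribute names; `setBlackListPath()` can be called on an existing instance; and a blacklist that cannot be loaded surfaces as an exception whose `getCode()` is 11, matching the `BlackListNotLoadedException` entry in the table. The meaning of `not-allowed-empty` is not documented on this page, so the example leaves it empty rather than guess.

```php
<?php
// Added example, not from the package. See the assumptions in the lead-in.
require __DIR__ . '/vendor/autoload.php';

use BADDIServices\SafeHTML\SafeHTML;

// A custom blacklist in the documented shape. Tag/attribute names are assumed
// to be written bare and lower-case; "not-allowed-empty" is left empty because
// its semantics are not described on this page.
$blacklist = [
    'tags' => [
        'not-allowed'       => ['script', 'iframe', 'object', 'embed', 'style'],
        'not-allowed-empty' => [],
    ],
    'attributes' => [
        'not-allowed' => ['onerror', 'onload', 'onclick', 'onmouseover', 'style'],
    ],
];

$path = sys_get_temp_dir() . '/safehtml-custom-blacklist.json';
file_put_contents($path, json_encode($blacklist, JSON_PRETTY_PRINT));

// Constructed payload: a benign paragraph plus an attribute and two tags the
// list names. Anything the list does not name would pass through unchanged.
$payload = '<p onclick="alert(1)">hi</p>'
         . '<script>alert(2)</script>'
         . '<iframe src="//example.invalid"></iframe>';

$safeHTML = new SafeHTML();
try {
    $safeHTML->setBlackListPath($path);
    $clean = $safeHTML->sanitizeHTML($payload);
} catch (\Exception $e) {
    // Code 11 is BlackListNotLoadedException per the table above; treat it as
    // fatal, since sanitizing with no blacklist at all would be the worst outcome.
    if ($e->getCode() === 11) {
        fwrite(STDERR, "blacklist could not be loaded from {$path}: {$e->getMessage()}\n");
        exit(1);
    }
    throw $e;
}

echo $clean, PHP_EOL;

// Failure-mode check worth keeping in your test suite: deliberately point the
// package at a file that does not exist and confirm the error is reported
// rather than silently ignored.
try {
    $safeHTML->setBlackListPath('/nonexistent/blacklist.json');
    $safeHTML->sanitizeHTML($payload);
    fwrite(STDERR, "warning: missing blacklist did not raise an error\n");
} catch (\Exception $e) {
    echo 'missing blacklist reported with code ', $e->getCode(), PHP_EOL;
}
```

Keep the blacklist file out of any directory that request handlers can write to; a writable blacklist is a way to turn the sanitizer off.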
Contributions to the package are always welcome!
- Report any bugs or issues you find.
- Clone the source code and submit a pull request.