 

How and where can XSS protection be applied in Laravel?


I wonder how (if at all) XSS protection is provided in Laravel. I couldn't find anything about it in the documentation.

Problem

I am using Eloquent's create() method to insert data into database ($fillable/$guarded properties are set in the models). As it turns out, I can freely put something like this in any form's text input:

<script>alert('Hacking Sony in 3...2...')</script> 

and the value will be inserted in the database. Then, when echoing it - the alert is shown.

Possible solutions

Now, Laravel is a really nice framework, so I would assume there must be something to prevent XSS out of the box. However, I can't find out what that is.

If I'm wrong, what is the optimal way to handle the issue?

  • Do I use fancy regex validation to disallow specific characters?
  • Do I use mysql_real_escape_string() on every Input::get() I use?
  • Do I strip_tags()?

View-level escaping is not enough

I know I can use Blade's triple curly brackets to escape strings in the views, that's not the point, though. Makes much more sense to me not to let those sneaky bastards into the database in the first place.

Anyone faced this problem already?

lesssugar asked Dec 30 '14 02:12



2 Answers

Makes much more sense to me not to let those sneaky bastards into the database in the first place.

Actually - that is not true.

The reason that XSS is only handled by blade is that XSS attacks are an output problem. There is no security risk if you store <script>alert('Hacking Sony in 3...2...')</script> in your database - it is just text - it doesn't mean anything.

But in the context of HTML output - then the text has a meaning, and therefore that is where the filtering should occur.

Also - it is possible that XSS attack could be a reflected attack, where the displayed data is not coming from the database, but from another source. i.e. an uploaded file, url etc. If you fail to filter all the various input locations - you run a risk of missing something.

Laravel encourages you to escape all output, regardless where it came from. You should only explicitly display non-filtered data due to a specific reason - and only if you are sure the data is from a trusted source (i.e. from your own code, never from user input).

p.s. In Laravel 5 the default {{ }} will escape all output - which highlights the importance of this.

Edit: here is a good discussion with further points on why you should filter output, not input: html/XSS escape on input vs output

Laurence answered Nov 01 '22 05:11


As far as I know, the "official" Laravel position is that XSS prevention best practice is to escape output. Thus, {{{ }}}.

You can supplement output escaping through input sanitation with Input::all(), strip_tags(), and array_map():

$input = array_map('strip_tags', \Input::all()); 
bishop answered Nov 01 '22 06:11
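Worked example of the point both answers make, added here and not part of either answer: escape at output time, whatever the value's source, which is what Blade's {{{ }}} (Laravel 4) and {{ }} (Laravel 5) do through the e() helper, a thin wrapper around htmlspecialchars. The escapeForHtml() and renderComment() functions and the two data values are constructed for this illustration.

```php
<?php
// Added example (not Laravel's own code): the escaping Blade applies to every
// echoed value. Laravel's e() helper is essentially htmlspecialchars() with
// ENT_QUOTES | ENT_SUBSTITUTE and UTF-8, so <, >, &, " and ' all become entities.
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed stand-ins for two different sources of untrusted text:
// one read back from the database, one taken straight from the query string.
// The first is the exact value the question shows being stored.
$fromDatabase    = "<script>alert('Hacking Sony in 3...2...')</script>";
$fromQueryString = 'Tom & Jerry <b>bold</b>';

// A tiny "view": every interpolated value is escaped at the point of output,
// both in element content and inside a quoted attribute. Where the value came
// from (database, URL, uploaded file) does not matter here, which is the
// reason the first answer gives for filtering output rather than input.
function renderComment(string $author, string $body): string
{
    return '<p class="comment" data-author="' . escapeForHtml($author) . '">'
        . escapeForHtml($body)
        . '</p>';
}

$html = renderComment($fromQueryString, $fromDatabase);
echo $html, PHP_EOL;

// The browser now shows the script source as literal text instead of running it:
// no raw '<' survives in the rendered markup.
var_dump(strpos($html, '<script') === false);

// Contrast with the second answer's input-side strip_tags(): it removes the
// tags but leaves '&' and quotes untouched, so the result is still not safe
// to echo unescaped. Output escaping is still required on top of it.
echo strip_tags($fromQueryString), PHP_EOL;
echo escapeForHtml(strip_tags($fromQueryString)), PHP_EOL;
```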