Back

Do laravel has default xss filter or need third party package?


Hi, Just want to know Laravel supporting default input data filter for xss or we need to add third party packages to clean input data through forms.

psychonetic replied 3 years ago

You can try this:

{{{test}}}

instead of using {{}} The {{{ }}} escape the string.

Cheers.

umefarooq replied 3 years ago

psychonetic said:

You can try this:

{{{test}}}

instead of using {{}} The {{{ }}} escape the string.

Cheers.

this clear output, what about saving data in database, clearing sql injection codes, javascript code from form feilds

mgsmus replied 3 years ago

Laravel query builder uses PDO paramater binding, you don't have to worry about SQL injection. Of course If you use raw queries, you have to deal with them by yourself.

// You are safe
$results = DB::select("select * from users where id = ?", array(Input::get('id')));

// You are NOT safe
$results = DB::select(DB::raw("select * from users where id =".Input::get('id')));

XSS is more complex than SQL injection. You need a third party library. I suggest HTML Purifier

barryvdh replied 3 years ago

XSS is solved by escaping the output ( {{{ $var }}} ), so the html/js doesn't get executed.

umefarooq replied 3 years ago

well i have used binput package to filter form inputs it work great like codeigniter xss filters before saving data, but one problem i am facing i can not update laravel framework from 4.1 to 4.2 because this package right now support only 4.1


Sign in to participate in this thread!



We'd like to thank these amazing companies for supporting us