├── .gitignore
├── .github
    ├── FUNDING.yml
    └── workflows
    │   └── php.yml
├── tests
    ├── RegistersPackage.php
    ├── ServiceProviderTest.php
    └── PendingSanitizationTest.php
├── phpunit.xml
├── src
    ├── LarasaneServiceProvider.php
    ├── Facades
    │   └── Sanitizer.php
    ├── BuildsSanitizer.php
    └── PendingSanitization.php
├── composer.json
├── config
    └── larasane.php
└── README.md


/.gitignore:
--------------------------------------------------------------------------------
1 | /.phpunit.cache
2 | .phpunit.result.cache
3 | vendor
4 | composer.lock


--------------------------------------------------------------------------------
/.github/FUNDING.yml:
--------------------------------------------------------------------------------
1 | # Help me support this package
2 | 
3 | ko_fi: DarkGhostHunter
4 | custom: ['https://paypal.me/darkghosthunter']


--------------------------------------------------------------------------------
/tests/RegistersPackage.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | namespace Tests;
 4 | 
 5 | trait RegistersPackage
 6 | {
 7 |     protected function getPackageProviders($app)
 8 |     {
 9 |         return ['DarkGhostHunter\Larasane\LarasaneServiceProvider'];
10 |     }
11 | 
12 |     protected function getPackageAliases($app)
13 |     {
14 |         return [
15 |             'ReCaptcha' => 'DarkGhostHunter\Larasane\Facades\Sanitizer'
16 |         ];
17 |     }
18 | }


--------------------------------------------------------------------------------
/phpunit.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <phpunit xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" bootstrap="vendor/autoload.php" colors="true" verbose="true" xsi:noNamespaceSchemaLocation="https://schema.phpunit.de/9.3/phpunit.xsd">
 3 |     <coverage>
 4 |         <include>
 5 |             <directory suffix=".php">src/</directory>
 6 |         </include>
 7 |         <report>
 8 |             <clover outputFile="build/logs/clover.xml"/>
 9 |         </report>
10 |     </coverage>
11 |     <testsuites>
12 |         <testsuite name="Test Suite">
13 |             <directory>tests</directory>
14 |         </testsuite>
15 |     </testsuites>
16 | </phpunit>


--------------------------------------------------------------------------------
/src/LarasaneServiceProvider.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | namespace DarkGhostHunter\Larasane;
 4 | 
 5 | use HtmlSanitizer\SanitizerBuilder;
 6 | use Illuminate\Support\ServiceProvider as LaravelServiceProvider;
 7 | 
 8 | class LarasaneServiceProvider extends LaravelServiceProvider
 9 | {
10 |     /**
11 |      * Register the application services.
12 |      *
13 |      * @return void
14 |      */
15 |     public function register(): void
16 |     {
17 |         $this->mergeConfigFrom(__DIR__ . '/../config/larasane.php', 'larasane');
18 | 
19 |         $this->app->singleton(SanitizerBuilder::class, static function () {
20 |             return SanitizerBuilder::createDefault();
21 |         });
22 | 
23 |         $this->app->bind(PendingSanitization::class, static function ($app) {
24 |             return new PendingSanitization($app[SanitizerBuilder::class], $app['config']);
25 |         });
26 |     }
27 | 
28 |     /**
29 |      * Bootstrap any application services.
30 |      *
31 |      * @return void
32 |      */
33 |     public function boot(): void
34 |     {
35 |         if ($this->app->runningInConsole()) {
36 |             $this->publishes([__DIR__ . '/../config/larasane.php' => $this->app->configPath('larasane.php')], 'config');
37 |         }
38 |     }
39 | }


--------------------------------------------------------------------------------
/src/Facades/Sanitizer.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | namespace DarkGhostHunter\Larasane\Facades;
 4 | 
 5 | use DarkGhostHunter\Larasane\PendingSanitization;
 6 | use Illuminate\Support\Facades\Facade;
 7 | 
 8 | /**
 9 |  * @method static \DarkGhostHunter\Larasane\PendingSanitization maxLength(int $int)
10 |  * @method static \DarkGhostHunter\Larasane\PendingSanitization allowCode(string ...$extensions)
11 |  * @method static \DarkGhostHunter\Larasane\PendingSanitization hosts(string ...$hosts)
12 |  * @method static \DarkGhostHunter\Larasane\PendingSanitization anyHost()
13 |  * @method static \DarkGhostHunter\Larasane\PendingSanitization enforceHttps(bool $enforce = true)
14 |  * @method static \DarkGhostHunter\Larasane\PendingSanitization imageData(bool $allow = true)
15 |  * @method static \DarkGhostHunter\Larasane\PendingSanitization allowMailto(bool $allow = true)
16 |  * @method static \DarkGhostHunter\Larasane\PendingSanitization tagAttributes(string $tag, string ...$allowedAttributes)
17 |  * @method static \DarkGhostHunter\Larasane\PendingSanitization tagConfig(string $tag, string $key, $value)
18 |  * @method static \DarkGhostHunter\Larasane\PendingSanitization input($input)
19 |  * @method static \Illuminate\Support\Stringable sanitize()
20 |  */
21 | class Sanitizer extends Facade
22 | {
23 |     /**
24 |      * Get the registered name of the component.
25 |      *
26 |      * @return string
27 |      */
28 |     protected static function getFacadeAccessor(): string
29 |     {
30 |         return PendingSanitization::class;
31 |     }
32 | }


--------------------------------------------------------------------------------
/composer.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "name": "darkghosthunter/larasane",
 3 |   "description": "Quickly and easily secure HTML text.",
 4 |   "keywords": [
 5 |     "darkghosthunter",
 6 |     "larasane",
 7 |     "html",
 8 |     "sanitize",
 9 |     "laravel"
10 |   ],
11 |   "homepage": "https://github.com/darkghosthunter/larasane",
12 |   "license": "MIT",
13 |   "minimum-stability": "stable",
14 |   "type": "library",
15 |   "prefer-stable": true,
16 |   "authors": [
17 |     {
18 |       "name": "Italo Israel Baeza Cabrera",
19 |       "email": "darkghosthunter@gmail.com",
20 |       "role": "Developer"
21 |     }
22 |   ],
23 |   "require": {
24 |     "php": "^7.4||^8.0",
25 |     "ext-mbstring": "*",
26 |     "illuminate/support": "7.*||8.*",
27 |     "tgalopin/html-sanitizer": "^1.4.0"
28 |   },
29 |   "require-dev": {
30 |     "orchestra/testbench": "^5.18||^v6.17.0",
31 |     "phpunit/phpunit": "^9.5.4"
32 |   },
33 |   "autoload": {
34 |     "psr-4": {
35 |       "DarkGhostHunter\\Larasane\\": "src"
36 |     }
37 |   },
38 |   "autoload-dev": {
39 |     "psr-4": {
40 |       "Tests\\": "tests"
41 |     }
42 |   },
43 |   "scripts": {
44 |     "test": "vendor/bin/phpunit --coverage-clover build/logs/clover.xml",
45 |     "test-coverage": "vendor/bin/phpunit --coverage-html coverage"
46 |   },
47 |   "config": {
48 |     "sort-packages": true
49 |   },
50 |   "extra": {
51 |     "laravel": {
52 |       "providers": [
53 |         "DarkGhostHunter\\Larasane\\LarasaneServiceProvider"
54 |       ],
55 |       "aliases": {
56 |         "Sanitizer": "DarkGhostHunter\\Larasane\\Facades\\Sanitizer"
57 |       }
58 |     }
59 |   }
60 | }


--------------------------------------------------------------------------------
/tests/ServiceProviderTest.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | namespace Tests;
 4 | 
 5 | use DarkGhostHunter\Larasane\Facades\Sanitizer;
 6 | use DarkGhostHunter\Larasane\LarasaneServiceProvider;
 7 | use DarkGhostHunter\Larasane\PendingSanitization;
 8 | use HtmlSanitizer\SanitizerBuilder;
 9 | use Illuminate\Support\Facades\File;
10 | use Orchestra\Testbench\TestCase;
11 | 
12 | class ServiceProviderTest extends TestCase
13 | {
14 |     use RegistersPackage;
15 | 
16 |     public function test_register_config(): void
17 |     {
18 |         static::assertArrayHasKey(LarasaneServiceProvider::class, $this->app->getLoadedProviders());
19 |     }
20 | 
21 |     public function test_registers_facade(): void
22 |     {
23 |         static::assertInstanceOf(PendingSanitization::class, Sanitizer::getFacadeRoot());
24 |     }
25 | 
26 |     public function test_publishes_config(): void
27 |     {
28 |         static::assertEquals(include(__DIR__ . '/../config/larasane.php'), config('larasane'));
29 |     }
30 | 
31 |     public function test_registers_pending_sanitization(): void
32 |     {
33 |         $this->artisan(
34 |             'vendor:publish',
35 |             [
36 |                 '--provider' => 'DarkGhostHunter\Larasane\LarasaneServiceProvider',
37 |                 '--tag' => 'config',
38 |             ]
39 |         )->execute();
40 | 
41 |         static::assertFileEquals(base_path('config/larasane.php'), __DIR__ . '/../config/larasane.php');
42 |     }
43 | 
44 |     public function test_registers_bindings(): void
45 |     {
46 |         static::assertArrayHasKey(SanitizerBuilder::class, $this->app->getBindings());
47 |         static::assertArrayHasKey(PendingSanitization::class, $this->app->getBindings());
48 |     }
49 | }


--------------------------------------------------------------------------------
/.github/workflows/php.yml:
--------------------------------------------------------------------------------
 1 | name: Tests
 2 | 
 3 | on:
 4 |   push:
 5 |   pull_request:
 6 | 
 7 | jobs:
 8 |   test:
 9 | 
10 |     runs-on: ubuntu-latest
11 |     strategy:
12 |       fail-fast: true
13 |       matrix:
14 |         php: [8.0, 7.4]
15 |         laravel: [8.*, 7.*]
16 |         dependency-version: [prefer-lowest, prefer-stable]
17 |         include:
18 |           - laravel: 8.*
19 |             testbench: ^6.17
20 |           - laravel: 7.*
21 |             testbench: ^5.18
22 | 
23 |     name: PHP ${{ matrix.php }} - Laravel ${{ matrix.laravel }} - ${{ matrix.dependency-version }}
24 | 
25 |     steps:
26 |       - name: Checkout
27 |         uses: actions/checkout@v2
28 | 
29 |       - name: Setup PHP
30 |         uses: shivammathur/setup-php@v2
31 |         with:
32 |           php-version: ${{ matrix.php }}
33 |           extensions: mbstring, intl
34 |           coverage: xdebug
35 | 
36 |       - name: Cache dependencies
37 |         uses: actions/cache@v2
38 |         with:
39 |           path: ~/.composer/cache/files
40 |           key: ${{ runner.os }}-laravel-${{ matrix.laravel }}-php-${{ matrix.php }}-composer-${{ hashFiles('composer.json') }}
41 |           restore-keys: ${{ runner.os }}-laravel-${{ matrix.laravel }}-php-${{ matrix.php }}-composer-
42 | 
43 |       - name: Install dependencies
44 |         run: |
45 |           composer require "laravel/framework:${{ matrix.laravel }}" "orchestra/testbench:${{ matrix.testbench }}" --no-progress --no-update
46 |           composer update --${{ matrix.dependency-version }} --prefer-dist --no-progress --no-suggest
47 | 
48 |       - name: Run Tests
49 |         run: composer run-script test
50 | 
51 |       - name: Upload Coverage to Coveralls
52 |         env:
53 |           COVERALLS_REPO_TOKEN: ${{ secrets.GITHUB_TOKEN }}
54 |           COVERALLS_SERVICE_NAME: github
55 |         run: |
56 |           rm -rf composer.* vendor/
57 |           composer require php-coveralls/php-coveralls
58 |           vendor/bin/php-coveralls


--------------------------------------------------------------------------------
/config/larasane.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | return [
 4 | 
 5 |     /*
 6 |     |--------------------------------------------------------------------------
 7 |     | Maximum input length
 8 |     |--------------------------------------------------------------------------
 9 |     |
10 |     | To protect your application memory Larasane will truncate any input that
11 |     | exceeds the following character number. Don't worry too much about this
12 |     | this default length, you can conveniently change the value at runtime.
13 |     |
14 |     */
15 | 
16 |     'max_length' => 1000,
17 | 
18 |     /*
19 |     |--------------------------------------------------------------------------
20 |     | Code allowance
21 |     |--------------------------------------------------------------------------
22 |     |
23 |     | Larasane only allows for basic inoffensive tags in HTML. While this can
24 |     | be enough for most apps, you can allow for more tags and have control
25 |     | over each tag attributes. Anyway consider starting from the bottom.
26 |     |
27 |     | See: https://github.com/tgalopin/html-sanitizer/blob/1.4.0/docs/1-getting-started.md#extensions
28 |     |
29 |     */
30 | 
31 |     'allow_code' => [
32 |         'basic', /* 'list', 'table', 'image', 'code', 'iframe', 'details', 'extra' */
33 |     ],
34 | 
35 |     /*
36 |     |--------------------------------------------------------------------------
37 |     | Links security
38 |     |--------------------------------------------------------------------------
39 |     |
40 |     | Links are allowed in <a>, <img> and <iframe> tags, if these are enabled.
41 |     | You can only allow links pointing outside your app, enforce HTTPS when
42 |     | on production, allow image data in the image link, and allow mailto.
43 |     |
44 |     */
45 | 
46 |     'security' => [
47 |         'enforce_hosts' => null, // If null, all links are allowed.
48 |         'enforce_https' => null, // If null, enforce only on production.
49 |         'image_data'    => false,
50 |         'allow_mailto'  => false,
51 |     ],
52 | 
53 |     /*
54 |     |--------------------------------------------------------------------------
55 |     | Tags and Attributes
56 |     |--------------------------------------------------------------------------
57 |     |
58 |     | You can have fine control of which attribute to allow on each sanitized
59 |     | tag. The underlying parsing extensions allow for only some inoffensive
60 |     | attributes but you can override the default list of each tag in here.
61 |     */
62 | 
63 |     'tags' => [
64 |         'div' => 'class',
65 |         'img' => ['src', 'alt', 'title', 'class'],
66 |         'a' => ['class', 'target'],
67 |         'ul' => 'class',
68 |         'ol' => 'class',
69 |         'li' => 'class',
70 |     ]
71 | ];


--------------------------------------------------------------------------------
/src/BuildsSanitizer.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | 
  3 | namespace DarkGhostHunter\Larasane;
  4 | 
  5 | use HtmlSanitizer\SanitizerInterface;
  6 | use Illuminate\Support\Arr;
  7 | 
  8 | trait BuildsSanitizer
  9 | {
 10 |     /**
 11 |      * Returns a prepared Sanitizer instance.
 12 |      *
 13 |      * @return \HtmlSanitizer\SanitizerInterface
 14 |      */
 15 |     protected function build(): SanitizerInterface
 16 |     {
 17 |         return $this->builder->build(
 18 |             [
 19 |                 'max_input_length' => $this->parseMaxLength(),
 20 |                 'extensions' => $this->parseExtensions(),
 21 |                 'tags' => $this->parseTags(),
 22 |             ]
 23 |         );
 24 |     }
 25 | 
 26 |     /**
 27 |      * Parses the max length of the input.
 28 |      *
 29 |      * @return mixed
 30 |      */
 31 |     protected function parseMaxLength()
 32 |     {
 33 |         return $this->maxLength = $this->maxLength ?? $this->config->get('larasane.max_length');
 34 |     }
 35 | 
 36 |     /**
 37 |      * Parse the extensions to use with the Sanitizer.
 38 |      *
 39 |      * @return array
 40 |      */
 41 |     protected function parseExtensions(): array
 42 |     {
 43 |         return $this->extensions = $this->extensions ?? $this->config->get('larasane.allow_code');
 44 |     }
 45 | 
 46 |     /**
 47 |      * Parse the tags properties and config.
 48 |      *
 49 |      * @return array
 50 |      */
 51 |     protected function parseTags(): array
 52 |     {
 53 |         $tagsConfig = $this->getDefaultTagsConfig();
 54 | 
 55 |         foreach ($this->tagAttributes ?? [] as $tag => $attribute) {
 56 |             Arr::set($tagsConfig, "$tag.allowed_attributes", Arr::wrap($attribute));
 57 |         }
 58 | 
 59 |         foreach ($this->tagConfig ?? [] as $tag => $config) {
 60 |             Arr::set($tagsConfig, $tag, $config);
 61 |         }
 62 | 
 63 |         return $tagsConfig;
 64 |     }
 65 | 
 66 |     /**
 67 |      * Returns the default tag config array.
 68 |      *
 69 |      * @return array
 70 |      */
 71 |     protected function getDefaultTagsConfig(): array
 72 |     {
 73 |         $array = [
 74 |             'a' => [
 75 |                 'force_https' => $forceHttps = $this->https ?? $this->parseEnforceHttps(),
 76 |                 'allow_mailto' => $this->mailto ?? $this->config->get('larasane.security.allow_mailto', false),
 77 |             ],
 78 |             'iframe' => [
 79 |                 'force_https' => $forceHttps,
 80 |             ],
 81 |             'img' => [
 82 |                 'force_https' => $forceHttps,
 83 |                 'allow_data_uri' => $this->imageData ?? $this->config->get('larasane.security.image_data', false),
 84 |             ]
 85 |         ];
 86 | 
 87 |         $allowedHosts = $this->hosts ?? $this->config->get('larasane.security.enforce_hosts');
 88 | 
 89 |         if ($allowedHosts !== null) {
 90 |             $array['a']['allowed_hosts'] = $allowedHosts;
 91 |             $array['iframe']['allowed_hosts'] = $allowedHosts;
 92 |             $array['img']['allowed_hosts'] = $allowedHosts;
 93 |         }
 94 | 
 95 |         return $array;
 96 |     }
 97 | 
 98 |     /**
 99 |      * Check if should enforce HTTPS on links.
100 |      *
101 |      * @return bool
102 |      */
103 |     protected function parseEnforceHttps(): bool
104 |     {
105 |         return $this->config->get('larasane.security.enforce_https') ?? app()->isProduction();
106 |     }
107 | }


--------------------------------------------------------------------------------
/src/PendingSanitization.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | 
  3 | namespace DarkGhostHunter\Larasane;
  4 | 
  5 | use HtmlSanitizer\SanitizerBuilder;
  6 | use Illuminate\Contracts\Config\Repository;
  7 | use Illuminate\Support\Arr;
  8 | use Illuminate\Support\Stringable;
  9 | 
 10 | class PendingSanitization
 11 | {
 12 |     use BuildsSanitizer;
 13 | 
 14 |     /**
 15 |      * The Sanitizer builder
 16 |      *
 17 |      * @var \HtmlSanitizer\SanitizerBuilder
 18 |      */
 19 |     protected SanitizerBuilder $builder;
 20 | 
 21 |     /**
 22 |      * Application config.
 23 |      *
 24 |      * @var \Illuminate\Contracts\Config\Repository
 25 |      */
 26 |     protected Repository $config;
 27 | 
 28 |     /**
 29 |      * Length to truncate the input.
 30 |      *
 31 |      * @var int|null
 32 |      */
 33 |     protected ?int $maxLength = null;
 34 | 
 35 |     /**
 36 |      * Extensions to invoke for the sanitizer.
 37 |      *
 38 |      * @var array|null
 39 |      */
 40 |     protected ?array $extensions = null;
 41 | 
 42 |     /**
 43 |      * Hosts to allow on links, images and iframes.
 44 |      *
 45 |      * @var array|string[]
 46 |      */
 47 |     protected ?array $hosts = null;
 48 | 
 49 |     /**
 50 |      * If all links should be done to HTTPS origins.
 51 |      *
 52 |      * @var bool|null
 53 |      */
 54 |     protected ?bool $https = null;
 55 |     /**
 56 |      * If data image should be allowed on images.
 57 |      *
 58 |      * @var bool|null
 59 |      */
 60 |     protected ?bool $imageData = null;
 61 | 
 62 |     /**
 63 |      * If "mailto:" links should be allowed.
 64 |      *
 65 |      * @var bool|null
 66 |      */
 67 |     protected ?bool $mailto = null;
 68 | 
 69 |     /**
 70 |      * List of properties allowed for each tag.
 71 |      *
 72 |      * @var array<string[]>|string[]|null
 73 |      */
 74 |     protected ?array $tagAttributes = null;
 75 | 
 76 |     /**
 77 |      * Custom config to pass to a tag.
 78 |      *
 79 |      * @var array|null
 80 |      */
 81 |     protected ?array $tagConfig = null;
 82 | 
 83 |     /**
 84 |      * The input to sanitize.
 85 |      *
 86 |      * @var \Illuminate\Support\Stringable|string|\Stringable
 87 |      */
 88 |     protected $input = '';
 89 | 
 90 |     /**
 91 |      * PendingSanitization constructor.
 92 |      *
 93 |      * @param  \HtmlSanitizer\SanitizerBuilder  $builder
 94 |      * @param  \Illuminate\Contracts\Config\Repository  $config
 95 |      */
 96 |     public function __construct(SanitizerBuilder $builder, Repository $config)
 97 |     {
 98 |         $this->builder = $builder;
 99 |         $this->config = $config;
100 |     }
101 | 
102 |     /**
103 |      * Override the length to truncate the input.
104 |      *
105 |      * @param  int  $int
106 |      *
107 |      * @return \DarkGhostHunter\Larasane\PendingSanitization
108 |      */
109 |     public function maxLength(int $int): PendingSanitization
110 |     {
111 |         $this->maxLength = $int;
112 | 
113 |         return $this;
114 |     }
115 | 
116 |     /**
117 |      * Override the list of code extensions to allow in the HTML.
118 |      *
119 |      * @param  string  ...$extensions
120 |      *
121 |      * @return $this
122 |      */
123 |     public function allowCode(string ...$extensions): PendingSanitization
124 |     {
125 |         $this->extensions = $extensions;
126 | 
127 |         return $this;
128 |     }
129 | 
130 |     /**
131 |      * Override the list of accepted hosts for links.
132 |      *
133 |      * @param  string  ...$hosts
134 |      *
135 |      * @return \DarkGhostHunter\Larasane\PendingSanitization
136 |      */
137 |     public function hosts(string ...$hosts): PendingSanitization
138 |     {
139 |         $this->hosts = $hosts;
140 | 
141 |         return $this;
142 |     }
143 | 
144 |     /**
145 |      * Allow links to point anywhere.
146 |      *
147 |      * @return $this
148 |      */
149 |     public function anyHost(): PendingSanitization
150 |     {
151 |         $this->hosts = null;
152 | 
153 |         return $this;
154 |     }
155 | 
156 |     /**
157 |      * Disallows any link.
158 |      *
159 |      * @return $this
160 |      */
161 |     public function disallowLinks(): PendingSanitization
162 |     {
163 |         $this->hosts = [];
164 | 
165 |         return $this;
166 |     }
167 | 
168 |     /**
169 |      * Override the HTTPS link enforcement.
170 |      *
171 |      * @param  bool  $enforce
172 |      *
173 |      * @return $this
174 |      */
175 |     public function enforceHttps(bool $enforce = true): PendingSanitization
176 |     {
177 |         $this->https = $enforce;
178 | 
179 |         return $this;
180 |     }
181 | 
182 |     /**
183 |      * Allows or disallows image data in image.
184 |      *
185 |      * @param  bool  $allow
186 |      *
187 |      * @return $this
188 |      */
189 |     public function imageData(bool $allow = true): PendingSanitization
190 |     {
191 |         $this->imageData = $allow;
192 | 
193 |         return $this;
194 |     }
195 | 
196 |     /**
197 |      * Allows or disallows "mailto:" links.
198 |      *
199 |      * @param  bool  $allow
200 |      *
201 |      * @return \DarkGhostHunter\Larasane\PendingSanitization
202 |      */
203 |     public function allowMailto(bool $allow = true): PendingSanitization
204 |     {
205 |         $this->mailto = $allow;
206 | 
207 |         return $this;
208 |     }
209 | 
210 |     /**
211 |      * Override a list of allowed attributes for a given tag.
212 |      *
213 |      * @param  string  $tag
214 |      * @param  string  ...$allowedAttributes
215 |      *
216 |      * @return \DarkGhostHunter\Larasane\PendingSanitization
217 |      */
218 |     public function tagAttributes(string $tag, string ...$allowedAttributes): PendingSanitization
219 |     {
220 |         $this->tagAttributes[$tag] = $allowedAttributes;
221 | 
222 |         return $this;
223 |     }
224 | 
225 |     /**
226 |      * Sets a custom config in the tag.
227 |      *
228 |      * @param  string  $tag
229 |      * @param  string  $key
230 |      * @param  string[]|array  $value
231 |      *
232 |      * @return \DarkGhostHunter\Larasane\PendingSanitization
233 |      */
234 |     public function tagConfig(string $tag, string $key, $value): PendingSanitization
235 |     {
236 |         Arr::set($this->tagConfig, "$tag.$key", $value);
237 | 
238 |         return $this;
239 |     }
240 | 
241 |     /**
242 |      * @param  string|\Stringable|\Illuminate\Support\Stringable  $input
243 |      *
244 |      * @return \DarkGhostHunter\Larasane\PendingSanitization
245 |      */
246 |     public function input($input): PendingSanitization
247 |     {
248 |         $this->input = $input;
249 | 
250 |         return $this;
251 |     }
252 | 
253 |     /**
254 |      * Returns the sanitized input.
255 |      *
256 |      * @return \Illuminate\Support\Stringable
257 |      */
258 |     public function sanitize(): Stringable
259 |     {
260 |         return new Stringable($this->build()->sanitize($this->input));
261 |     }
262 | }


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | ![
  2 | Clay Banks - Unslash (UL) #kBaf0DwBPbE](https://images.unsplash.com/photo-1584813470613-5b1c1cad3d69?ixlib=rb-1.2.1&ixid=eyJhcHBfaWQiOjEyMDd9&auto=format&fit=crop&w=1280&h=400&q=80)
  3 | 
  4 | [![Latest Stable Version](https://poser.pugx.org/darkghosthunter/larasane/v/stable)](https://packagist.org/packages/darkghosthunter/larasane) [![License](https://poser.pugx.org/darkghosthunter/larasane/license)](https://packagist.org/packages/darkghosthunter/larasane) ![](https://img.shields.io/packagist/php-v/darkghosthunter/larasane.svg) ![](https://github.com/DarkGhostHunter/Larasane/workflows/PHP%20Composer/badge.svg)  [![Coverage Status](https://coveralls.io/repos/github/DarkGhostHunter/Larasane/badge.svg?branch=master)](https://coveralls.io/github/DarkGhostHunter/Larasane?branch=master) [![Laravel Octane Compatible](https://img.shields.io/badge/Laravel%20Octane-Compatible-success?style=flat&logo=laravel)](https://github.com/laravel/octane)
  5 | 
  6 | # Larasane
  7 | 
  8 | Quickly sanitize text into safe-HTML using fluid methods.
  9 | 
 10 | ## Requirements
 11 | 
 12 | * PHP 7.4, 8.0 or later.
 13 | * Laravel 7.x, 8.x or later.
 14 | 
 15 | ## Installation
 16 | 
 17 | Just fire up Composer:
 18 | 
 19 |     composer require darkghosthunter/larasane
 20 | 
 21 | And that's it.
 22 | 
 23 | ## Usage
 24 | 
 25 | After you receive the HTML input you want to sanitize, use the `Sanitizer` facade to do it.
 26 | 
 27 | ```php
 28 | <?php
 29 | 
 30 | use DarkGhostHunter\Larasane\Facades\Sanitizer;
 31 | 
 32 | $input = 'Trust <script src="https://malicio.us/code.js"></script> me!';
 33 | 
 34 | echo Sanitizer::input($input)->sanitize($input); // "Trust me!"
 35 | ```
 36 | 
 37 | The sanitizer has a bunch of fluid methods you can chain to allow or disallow tags and attributes, and links.
 38 | 
 39 | By default, Larasane cleans everything except the most basic tags: `a`, `b`, `br`, `blockquote`, `div`, `del`, `em`, `figcaption`, `figure`, `h1`, `h2`, `h3`, `h4`, `h5`, `h6`, `i`, `p`, `q`, `small`, `span`, `strong`, `sub`, `sup`.
 40 | 
 41 | You can enable more tags by enabling [each of the included extensions](#code-allowed), or [create your own](#adding-sanitization-extensions). 
 42 | 
 43 | > If you need to strip all tags from a string, use [`strip_tags()`](https://www.php.net/manual/function.strip-tags.php) instead.
 44 | 
 45 | ## Configuration
 46 | 
 47 | Larasane works out of the box to sanitize any tag that is not-basic, but you can configure the defaults by publishing the config file.
 48 | 
 49 |     php artisan vendor:publish --provider="DarkGhostHunter\Larasane\LarasaneServiceProvider" --tag="config"
 50 | 
 51 | You will receive the `config/larasane.php` file with the following contents.
 52 | 
 53 | ```php
 54 | <?php
 55 | 
 56 | return [
 57 |     'max_length' => 1000,
 58 |     'allow_code' => [
 59 |         'basic',
 60 |     ],
 61 |     'security' => [
 62 |         'enforced_domains' => null,
 63 |         'enforce_https' => null,
 64 |         'image_data'    => false,
 65 |         'allow_mailto'  => false,
 66 |     ],
 67 |     'tags' => [
 68 |         'div' => 'class',
 69 |         'img' => ['src', 'alt', 'title', 'class'],
 70 |         'a' => ['class', 'target'],
 71 |         'ul' => 'class',
 72 |         'ol' => 'class',
 73 |         'li' => 'class',
 74 |     ]
 75 | ];
 76 | ```
 77 | 
 78 | ### Max Length
 79 | 
 80 | ```php
 81 | return [
 82 |     'max_length' => 1000,
 83 | ];
 84 | ```
 85 | 
 86 | Inputs to sanitize will be truncated at a max length. You can change this globally, or per sanitization.
 87 | 
 88 | ```php
 89 | $sanitized = Sanitizer::for($input)->maxLength(200);
 90 | ```
 91 | 
 92 | ### Code allowed
 93 | 
 94 | ```php
 95 | return [
 96 |     'allow_code' => [
 97 |         'basic', /* 'list', 'table', 'image', 'code', 'iframe', 'details', 'extra' */
 98 |     ],
 99 | ];
100 | ```
101 | 
102 | The type tags to allow in an HTML input. These are grouped by the [name of the extension](https://github.com/tgalopin/html-sanitizer/blob/1.4.0/docs/1-getting-started.md#extensions), and only allows for basic HTML tags by default. You can override the list per-sanitization basis:   
103 | 
104 | ```php
105 | $sanitized = Sanitizer::for($input)->allowCode('basic', 'list', 'table');
106 | ```
107 | 
108 | If you need to accept custom tags, you should [create an extension](#adding-sanitization-extensions) to handle them. 
109 | 
110 | ### Security
111 | 
112 | ```php
113 | return [
114 |     'security' => [
115 |         'enforce_hosts' => null,
116 |         'enforce_https' => null,
117 |         'image_data'    => false,
118 |         'allow_mailto'  => false,
119 |     ],
120 | ];
121 | ```
122 | 
123 | This groups some security features for handling links in `<a>`, `<img>` and `<iframe>` tags. These all can be overridden at runtime.
124 | 
125 | ```php
126 | $input = Sanitizer::for($input)
127 |                   ->hosts('myapp.com')
128 |                   ->enforceHttps(true)
129 |                   ->imageData(true)
130 |                   ->allowMailto(true);
131 | ```
132 | 
133 | #### `enforce_hosts`
134 | 
135 | You can set here a list of hosts to allow links, like `myapp.com`.
136 | 
137 | If `null`, no link protection will be enforced, so will allow links to point anywhere. If the list is empty, links on tags will appear empty.
138 | 
139 | #### `enforce_https`
140 | 
141 | Enforces HTTPS links, which will transform each link to `https` scheme. This is mostly required on `<iframe>`.
142 | 
143 | If `null`, it will be only enabled on production environments. 
144 | 
145 | #### `image_data`
146 | 
147 | Allow `<img>` to include image data in the source tag. This is sometimes desirable for small icons or images, as the image will be _embedded_ in the HTML code instead of being linked elsewhere.
148 | 
149 | ```html
150 | <img src="data:image/gif;base64,R0lGODlhEAAQAMQAAORHHOVSKudfOu..." />
151 | ```
152 | 
153 | #### `allow_mailto`
154 | 
155 | The `<a>` tags can have mail links. This simply allows or disallows them.
156 | 
157 | ### Tags
158 | 
159 | ```php
160 | return [
161 |     'tags' => [
162 |         'div' => 'class',
163 |         'img' => ['src', 'alt', 'title', 'class'],
164 |         'a' => ['class', 'target'],
165 |         'ul' => 'class',
166 |         'ol' => 'class',
167 |         'li' => 'class',
168 |     ]
169 | ];
170 | ```
171 | 
172 | This is an array of allowed attributes for each tag that is sanitized. This may be useful for allow styling or disallow problematic attributes on the frontend. This can be overriden at runtime.
173 | 
174 | ```php
175 | $sanitized = Sanitizer::for($input)->tagAttributes('a', 'class', 'target');
176 | ```
177 | 
178 | ## Adding Sanitization Extensions
179 | 
180 | You can create your own tag parsing extensions if you need more functionality apart from the ones included, like parsing custom tags. Once you [create your custom extension](https://github.com/tgalopin/html-sanitizer/blob/1.4.0/docs/2-creating-an-extension-to-allow-custom-tags.md), you can use `extend()` to add it to the Sanitizer builder in your `AppServiceProvider` or similar.
181 | 
182 | ```php
183 | 
184 | use HtmlSanitizer\SanitizerBuilder;
185 | use App\Sanitizer\MyExtension;
186 | 
187 | /**
188 |  * Register the application services.
189 |  *
190 |  * @return void
191 |  */
192 | public function register()
193 | {
194 |     $this->app->extend(SanitizerBuilder::class, function (SanitizerBuilder $builder) {
195 |         return $builder->registerExtension(new MyExtension());
196 |     });
197 | }
198 | ```
199 | 
200 | ## License
201 | 
202 | This package is licenced by the [MIT License](LICENSE).
203 | 


--------------------------------------------------------------------------------
/tests/PendingSanitizationTest.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | 
  3 | namespace Tests;
  4 | 
  5 | use DarkGhostHunter\Larasane\Facades\Sanitizer;
  6 | use Orchestra\Testbench\TestCase;
  7 | 
  8 | class PendingSanitizationTest extends TestCase
  9 | {
 10 |     use RegistersPackage;
 11 | 
 12 |     public function test_max_length(): void
 13 |     {
 14 |         $this->app->make('config')->set('larasane.max_length', 4);
 15 | 
 16 |         $input = 'This <script></script>should <strong>cut here</strong> or it is bad';
 17 | 
 18 |         static::assertEquals('This', Sanitizer::input($input)->sanitize());
 19 |         static::assertEquals('This should <strong>cut here</strong>', Sanitizer::maxLength(54)->input($input)->sanitize());
 20 |     }
 21 | 
 22 |     public function test_overrides_extension(): void
 23 |     {
 24 |         $this->app->make('config')->set('larasane.allow_code', ['basic', 'table']);
 25 | 
 26 |         $input = '<ul><li>I should see this</li></ul> <table>But not this</table>';
 27 | 
 28 |         static::assertEquals(
 29 |             'I should see this <table>But not this</table>',
 30 |             Sanitizer::input($input)->sanitize()
 31 |         );
 32 | 
 33 |         static::assertEquals(
 34 |             '<ul><li>I should see this</li></ul> But not this',
 35 |             Sanitizer::input($input)->allowCode('list')->sanitize()
 36 |         );
 37 |     }
 38 | 
 39 |     public function test_default_allows_any_host(): void
 40 |     {
 41 |         $input = 'Go to <a href="https://www.google.com">Google</a>.';
 42 | 
 43 |         static::assertEquals(
 44 |             $input,
 45 |             Sanitizer::input($input)->sanitize()
 46 |         );
 47 |     }
 48 | 
 49 |     public function test_overrides_allows_any_host(): void
 50 |     {
 51 |         $input = 'Go to <a href="https://www.google.com">Google</a>.';
 52 | 
 53 |         static::assertEquals(
 54 |             $input,
 55 |             Sanitizer::input($input)->anyHost()->sanitize()
 56 |         );
 57 | 
 58 |         config()->set('larasane.security.enforce_hosts', []);
 59 | 
 60 |         static::assertEquals(
 61 |             'Go to <a>Google</a>.',
 62 |             Sanitizer::input($input)->anyHost()->sanitize()
 63 |         );
 64 | 
 65 |     }
 66 | 
 67 |     public function test_overrides_hosts_for_list(): void
 68 |     {
 69 |         $input = 'Go to <a href="https://www.google.com/useful.js">Google</a>.';
 70 | 
 71 |         static::assertEquals(
 72 |             $input,
 73 |             Sanitizer::input($input)->hosts('google.com')->sanitize()
 74 |         );
 75 | 
 76 |         $input = 'Go to <a href="https://www.malicio.us/code.js">Google</a>.';
 77 | 
 78 |         static::assertEquals(
 79 |             'Go to <a>Google</a>.',
 80 |             Sanitizer::input($input)->hosts('google.com')->sanitize()
 81 |         );
 82 |     }
 83 | 
 84 |     public function test_overrides_host_for_unallowed_links(): void
 85 |     {
 86 |         $input = 'Go to <a href="https://www.google.com/useful.js">Google</a>.';
 87 | 
 88 |         static::assertEquals(
 89 |             'Go to <a>Google</a>.',
 90 |             Sanitizer::input($input)->disallowLinks()->sanitize()
 91 |         );
 92 |     }
 93 | 
 94 |     public function test_defaults_accepts_https_in_production(): void
 95 |     {
 96 |         $this->app['env'] = 'production';
 97 |         config()->set('larasane.allow_code', ['basic', 'image', 'iframe']);
 98 | 
 99 |         $input = 'Go to <a href="http://myapp.com/useful.js">My Site</a>.';
100 | 
101 |         static::assertEquals(
102 |             'Go to <a href="https://myapp.com/useful.js">My Site</a>.',
103 |             Sanitizer::input($input)->sanitize()
104 |         );
105 | 
106 |         $input = 'Check my <img src="http://myapp.com/image.png" alt="image" />';
107 | 
108 |         static::assertEquals(
109 |             'Check my <img src="https://myapp.com/image.png" alt="image" />',
110 |             Sanitizer::input($input)->sanitize()
111 |         );
112 | 
113 |         $input = 'Look into <iframe src="http://myapp.com/useful"></iframe>';
114 | 
115 |         static::assertEquals(
116 |             'Look into <iframe src="https://myapp.com/useful"></iframe>',
117 |             Sanitizer::input($input)->sanitize()
118 |         );
119 |     }
120 | 
121 |     public function test_does_not_enforces_http(): void
122 |     {
123 |         config()->set('larasane.allow_code', ['basic', 'image', 'iframe']);
124 | 
125 |         $input = 'Go to <a href="http://myapp.com/useful.js">My Site</a>.';
126 | 
127 |         static::assertEquals(
128 |             $input,
129 |             Sanitizer::input($input)->enforceHttps(false)->sanitize()
130 |         );
131 | 
132 |         $input = 'Check my <img src="http://myapp.com/image.png" alt="image" />';
133 | 
134 |         static::assertEquals(
135 |             $input,
136 |             Sanitizer::input($input)->enforceHttps(false)->sanitize()
137 |         );
138 | 
139 |         $input = 'Look into <iframe src="http://myapp.com/useful"></iframe>';
140 | 
141 |         static::assertEquals(
142 |             $input,
143 |             Sanitizer::input($input)->enforceHttps(false)->sanitize()
144 |         );
145 |     }
146 | 
147 |     public function test_defaults_doesnt_allows_data_image(): void
148 |     {
149 |         config()->set('larasane.allow_code', ['image']);
150 | 
151 |         $input = 'Check my <img src="data:image/gif;base64,123456789" alt="image" />.';
152 | 
153 |         static::assertEquals(
154 |             'Check my <img alt="image" />.',
155 |             Sanitizer::input($input)->sanitize()
156 |         );
157 |     }
158 | 
159 |     public function test_overrides_data_image(): void
160 |     {
161 |         config()->set('larasane.allow_code', ['image']);
162 | 
163 |         $input = 'Check my <img src="data:image/gif;base64,123456789" alt="image" />.';
164 | 
165 |         static::assertEquals(
166 |             $input,
167 |             Sanitizer::input($input)->imageData(true)->sanitize()
168 |         );
169 |     }
170 | 
171 |     public function test_defaults_no_mailto_link(): void
172 |     {
173 |         $input = 'Send email to <a href="mailto:foo&#64;bar.com">me</a>.';
174 | 
175 |         static::assertEquals(
176 |             'Send email to <a>me</a>.',
177 |             Sanitizer::input($input)->sanitize()
178 |         );
179 |     }
180 | 
181 |     public function test_overrides_mailto_link(): void
182 |     {
183 |         $input = 'Send email to <a href="mailto:foo&#64;bar.com">me</a>.';
184 | 
185 |         static::assertEquals(
186 |             $input,
187 |             Sanitizer::input($input)->allowMailto()->sanitize()
188 |         );
189 |     }
190 | 
191 |     public function test_overrides_tags_attributes(): void
192 |     {
193 |         $input = 'This is <strong class="important">important</strong>.';
194 | 
195 |         static::assertEquals(
196 |             'This is <strong>important</strong>.',
197 |             Sanitizer::input($input)->sanitize()
198 |         );
199 | 
200 |         static::assertEquals(
201 |             $input,
202 |             Sanitizer::input($input)->tagAttributes('strong', 'class')->sanitize()
203 |         );
204 |     }
205 | 
206 |     public function test_overrides_tag_config(): void
207 |     {
208 |         $input = 'Send email to <a href="mailto:foo&#64;bar.com">me</a>.';
209 | 
210 |         static::assertEquals(
211 |             $input,
212 |             Sanitizer::input($input)->tagConfig('a', 'allow_mailto', true)->sanitize()
213 |         );
214 |     }
215 | 
216 |     protected function tearDown(): void
217 |     {
218 |         @unlink($this->app->configPath('larasane.php'));
219 | 
220 |         parent::tearDown();
221 |     }
222 | }


--------------------------------------------------------------------------------