├── .gitignore
├── LICENSE
├── README.md
├── composer.json
├── config
    └── blade-escape.php
└── src
    └── Providers
        └── BladeEscapeServiceProvider.php


/.gitignore:
--------------------------------------------------------------------------------
1 | composer.lock
2 | vendor
3 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | Copyright (c) 2016 Leonid Shumakov
 2 | 
 3 | Permission is hereby granted, free of charge, to any person obtaining a copy of
 4 | this software and associated documentation files (the "Software"), to deal in
 5 | the Software without restriction, including without limitation the rights to
 6 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
 7 | of the Software, and to permit persons to whom the Software is furnished to do
 8 | so, subject to the following conditions:
 9 | 
10 | The above copyright notice and this permission notice shall be included in all
11 | copies or substantial portions of the Software.
12 | 
13 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
14 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
15 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
16 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
17 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
18 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
19 | SOFTWARE.
20 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Blade Escape - fight against XSS
 2 | 
 3 | Blade Escape is a service provider that extends `Blade` directives and allows use `Laragems\Escape` library.
 4 | 
 5 | ```php
 6 | <div style="background-color: @css($color);">
 7 |     <label>@text($label)</label>
 8 |     <input type="text" name="custom" value="@attr($value)"/>
 9 | </div>
10 | <a href="/profile?u=@param($username)">Profile</a>
11 | <button onclick="callMyFunction('@js($username)');">Validate</button>
12 | <script>
13 |     var username = "@js($username)";
14 | </script>
15 | ```
16 | 
17 | ## Installation
18 | ```shell
19 | composer require laravelgems/blade-escape
20 | ```
21 | 
22 | After that add service provider to a `config\app.php`
23 | ```php
24 |         /*
25 |          * Package Service Providers...
26 |          */
27 |          ...
28 |          LaravelGems\BladeEscape\Providers\BladeEscapeServiceProvider::class,
29 |          ...
30 | ```
31 | 
32 | ## HTML - @text($variable), safe
33 | ```php
34 | <p>@text($resume)</p>
35 | <div>@text($bio)</div>
36 | ```
37 | 
38 | ## HTML Attribute - @attr(@variable), safe when following rules
39 | Attribute's value should be quoted. For usage with whitelist attributes: align, alink, alt, bgcolor, border, cellpadding, cellspacing, class, color, cols, colspan, coords, dir, face, height, hspace, ismap, lang, marginheight, marginwidth, multiple, nohref, noresize, noshade, nowrap, ref, rel, rev, rows, rowspan, scrolling, shape, span, summary, tabindex, title, usemap, valign, value, vlink, vspace, width
40 | 
41 | ```php
42 | <input type="text" value="@attr($variable)"/>
43 | <img src="image.png" alt="@attr($variable)"/>
44 | ```
45 | 
46 | ## URL Parameter - @param($variable), safe
47 | ```php
48 | <a href="search?keyword=@param($variable)">Click Me</a>
49 | ```
50 | 
51 | ## Javascript Parameter - @js($variable), safe when following rules
52 | Value should be quoted. Avoid using dangerous functions (eval and so on), example - `setTimeout("@js($variable)")` (can be hacked!)
53 | 
54 | ```php
55 | <script>
56 |     var username = "@js($variable)";
57 | </script>
58 | <a href="#" onclick="displayDialog('@js($title)');">Click</a>
59 | ```
60 | 
61 | ## CSS - @css($variable), safe when following rules
62 | Surrounded by quotes. Avoid complex properties like `url`, `behavior` and custom (`-moz-binding`). Do not put untrusted data into IE's expression property value
63 | ```php
64 | <style>
65 |     .article { background-color: '@css($color)';}
66 | </style>
67 | <span style="width: '@css($width)';"></span>
68 | ```
69 | 
70 | **Must Read:** [QWASP - XSS Prevention Cheat Sheet](https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet)
71 | 
72 | 
73 | You don't like the names of directives. Ok, just change them in a published config.
74 | 


--------------------------------------------------------------------------------
/composer.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "name": "laravelgems/blade-escape",
 3 |     "description": "Custom blade directives to figth against XSS",
 4 |     "license": "MIT",
 5 |     "version": "1.0.0",
 6 |     "authors": [
 7 |         {
 8 |             "name": "Leonid Shumakov",
 9 |             "email": "leonid.shumakov@laragems.com"
10 |         }
11 |     ],
12 |     "require": {
13 |         "illuminate/support": "5.*",
14 |         "laravelgems/escape": "1.*"
15 |     },
16 |     "autoload": {
17 |         "psr-4": {
18 |             "LaravelGems\\BladeEscape\\": "src/"
19 |         }
20 |     },
21 |     "require-dev": {}
22 | }
23 | 


--------------------------------------------------------------------------------
/config/blade-escape.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | return [
 4 |     // 'css' is a default directive name for escaping CSS
 5 |     'css'   => 'css',
 6 | 
 7 |     // 'text' is a default directive name for escaping text
 8 |     'text'  => 'text',
 9 | 
10 |     // 'attr' is a default directive name for escaping html attribute
11 |     'attr'  => 'attr',
12 | 
13 |     // 'js' is a default directive name for escaping javascript variables
14 |     'js'    => 'js',
15 | 
16 |     // 'param' is a default directive name for escaping GET param in URL
17 |     'param' => 'param'
18 | ];
19 | 


--------------------------------------------------------------------------------
/src/Providers/BladeEscapeServiceProvider.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | namespace LaravelGems\BladeEscape\Providers;
 4 | 
 5 | use Illuminate\Support\Facades\Blade;
 6 | use Illuminate\Support\ServiceProvider;
 7 | 
 8 | class BladeEscapeServiceProvider extends ServiceProvider
 9 | {
10 |     /**
11 |      * Bootstrap the application services.
12 |      *
13 |      * @return void
14 |      */
15 |     public function boot()
16 |     {
17 |         $this->publishes([
18 |             __DIR__.'/../../config/blade-escape.php' => config_path('blade-escape.php'),
19 |         ], 'config');
20 | 
21 | 
22 |         Blade::directive(config('blade-escape.text'), function ($expression) {
23 |             return "<?php echo LaravelGems\\Escape\\HTML::text($expression); ?>";
24 |         });
25 | 
26 |         Blade::directive(config('blade-escape.attr'), function ($expression) {
27 |             return "<?php echo LaravelGems\\Escape\\HTML::attr($expression); ?>";
28 |         });
29 | 
30 |         Blade::directive(config('blade-escape.css'), function ($expression) {
31 |             return "<?php echo LaravelGems\\Escape\\HTML::css($expression); ?>";
32 |         });
33 | 
34 |         Blade::directive(config('blade-escape.js'), function ($expression) {
35 |             return "<?php echo LaravelGems\\Escape\\HTML::js($expression); ?>";
36 |         });
37 | 
38 |         Blade::directive(config('blade-escape.param'), function ($expression) {
39 |             return "<?php echo LaravelGems\\Escape\\HTML::param($expression); ?>";
40 |         });
41 |     }
42 | 
43 |     /**
44 |      * Register the application services.
45 |      *
46 |      * @return void
47 |      */
48 |     public function register()
49 |     {
50 |         $this->mergeConfigFrom(
51 |             __DIR__.'/../../config/blade-escape.php', 'blade-escape'
52 |         );
53 |     }
54 | }
55 | 


--------------------------------------------------------------------------------