Skip to content

Commit

Permalink
Merge pull request #7 from laravel-shift/l11-compatibility
Browse files Browse the repository at this point in the history
Laravel 11.x Compatibility
  • Loading branch information
pascalbaljet authored Mar 14, 2024
2 parents 0379f9b + 72d4d83 commit 572752e
Show file tree
Hide file tree
Showing 9 changed files with 79 additions and 60 deletions.
13 changes: 9 additions & 4 deletions .github/workflows/run-tests.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2,23 +2,28 @@ name: run-tests

on:
push:
branches: [main]
branches:
- main
pull_request:
branches: [main]
branches:
- main

jobs:
test:
runs-on: ${{ matrix.os }}

strategy:
fail-fast: true
matrix:
os: [ubuntu-latest]
php: [8.3, 8.2, 8.1]
laravel: [10.*]
php: [8.3, 8.2]
laravel: ["10.*", "11.*"]
stability: [prefer-lowest, prefer-stable]
include:
- laravel: 10.*
testbench: ^8.0
- laravel: 11.*
testbench: ^9.0

name: P${{ matrix.php }} - L${{ matrix.laravel }} - ${{ matrix.stability }} - ${{ matrix.os }}

Expand Down
27 changes: 20 additions & 7 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,8 @@

Laravel Middleware to protect your app against Cross-site scripting (XSS). It sanitizes request input by utilising the [Laravel Security](https://github.com/GrahamCampbell/Laravel-Security) package, and it can sanatize [Blade echo statements](https://laravel.com/docs/8.x/blade#displaying-data) as well.

* PHP 8.1 and higher
* Laravel 10
* PHP 8.2 and higher
* Laravel 10 and higher

## Sponsor this package!

Expand Down Expand Up @@ -108,6 +108,21 @@ Event::listen(function (MaliciousInputFound $event) {
});
```

### Additional configuration for `voku/anti-xss`

As of version 1.6.0, you may provide additional configuration for the `voku/anti-xss` package. You may do this by filling the `middleware.anti_xss` key. This is similar to the [Laravel Security](https://github.com/GrahamCampbell/Laravel-Security) package, which this package used to rely on.

```php
'anti_xss' => [
'evil' => [
'attributes' => ['href'],
'tags' => ['video'],
],

'replacement' => '*redacted*',
]
```

## Changelog

Please see [CHANGELOG](CHANGELOG.md) for more information about what has changed recently.
Expand All @@ -124,17 +139,15 @@ Please see [CONTRIBUTING](CONTRIBUTING.md) for details.

## Other Laravel packages

* [`Laravel Analytics Event Tracking`](https://github.com/protonemedia/laravel-analytics-event-tracking): Laravel package to easily send events to Google Analytics.
* [`Laravel Blade On Demand`](https://github.com/protonemedia/laravel-blade-on-demand): Laravel package to compile Blade templates in memory.
* [`Laravel Cross Eloquent Search`](https://github.com/protonemedia/laravel-cross-eloquent-search): Laravel package to search through multiple Eloquent models.
* [`Laravel Eloquent Scope as Select`](https://github.com/protonemedia/laravel-eloquent-scope-as-select): Stop duplicating your Eloquent query scopes and constraints in PHP. This package lets you re-use your query scopes and constraints by adding them as a subquery.
* [`Laravel Eloquent Where Not`](https://github.com/protonemedia/laravel-eloquent-where-not): This Laravel package allows you to flip/invert an Eloquent scope, or really any query constraint.
* [`Laravel FFMpeg`](https://github.com/protonemedia/laravel-ffmpeg): This package provides integration with FFmpeg for Laravel. The storage of the files is handled by Laravel's Filesystem.
* [`Laravel Form Components`](https://github.com/protonemedia/laravel-form-components): Blade components to rapidly build forms with Tailwind CSS Custom Forms and Bootstrap 4. Supports validation, model binding, default values, translations, includes default vendor styling and fully customizable!
* [`Laravel FFMpeg`](https://github.com/protonemedia/laravel-ffmpeg): This package provides an integration with FFmpeg for Laravel. The storage of the files is handled by Laravel's Filesystem.
* [`Laravel MinIO Testing Tools`](https://github.com/protonemedia/laravel-minio-testing-tools): Run your tests against a MinIO S3 server.
* [`Laravel Mixins`](https://github.com/protonemedia/laravel-mixins): A collection of Laravel goodies.
* [`Laravel Paddle`](https://github.com/protonemedia/laravel-paddle): Paddle.com API integration for Laravel with support for webhooks/events.
* [`Laravel Task Runner`](https://github.com/protonemedia/laravel-task-runner): Write Shell scripts like Blade Components and run them locally or on a remote server.
* [`Laravel Verify New Email`](https://github.com/protonemedia/laravel-verify-new-email): This package adds support for verifying new email addresses: when a user updates its email address, it won't replace the old one until the new one is verified.
* [`Laravel WebDAV`](https://github.com/protonemedia/laravel-webdav): WebDAV driver for Laravel's Filesystem.

## Security

Expand Down
13 changes: 7 additions & 6 deletions composer.json
Original file line number Diff line number Diff line change
Expand Up @@ -16,14 +16,15 @@
}
],
"require": {
"php": "^8.1|^8.2|^8.3",
"graham-campbell/security": "^11.0",
"illuminate/contracts": "^10.0",
"php": "^8.2|^8.3",
"graham-campbell/security-core": "^4.0",
"illuminate/contracts": "^10.0|^11.0",
"spatie/laravel-package-tools": "^1.9.2"
},
"require-dev": {
"nunomaduro/collision": "^7.0",
"orchestra/testbench": "^8.0",
"laravel/pint": "^1.14",
"nunomaduro/collision": "^7.0|^8.0",
"orchestra/testbench": "^8.0|^9.0",
"pestphp/pest": "^2.0",
"pestphp/pest-plugin-laravel": "^2.0",
"phpunit/phpunit": "^10.4"
Expand Down Expand Up @@ -58,4 +59,4 @@
},
"minimum-stability": "dev",
"prefer-stable": true
}
}
11 changes: 11 additions & 0 deletions config/xss-protection.php
Original file line number Diff line number Diff line change
Expand Up @@ -18,4 +18,15 @@

'dispatch_event_on_malicious_input' => false,
],

// Additional configuration for the underlying voku/anti-xss package
// See: https://github.com/GrahamCampbell/Laravel-Security/blob/11.1/config/security.php
'anti_xss' => [
'evil' => [
'attributes' => null,
'tags' => null,
],

'replacement' => null,
],
];
3 changes: 1 addition & 2 deletions src/Events/MaliciousInputFound.php
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,6 @@ public function __construct(
public array $sanitizedKeys,
public Request $originalRequest,
public Request $sanitizedRequest
)
{
) {
}
}
33 changes: 7 additions & 26 deletions src/Middleware/XssCleanInput.php
Original file line number Diff line number Diff line change
Expand Up @@ -11,20 +11,6 @@

class XssCleanInput extends TransformsRequest
{
/**
* The security instance.
*
* @var \GrahamCampbell\SecurityCore\Security
*/
protected $security;

/**
* The Blade echo cleaner instance.
*
* @var \ProtoneMedia\LaravelXssProtection\Cleaners\BladeEchoes
*/
protected $bladeEchoCleaner;

/**
* All of the registered skip callbacks.
*
Expand Down Expand Up @@ -63,22 +49,20 @@ class XssCleanInput extends TransformsRequest
/**
* Create a new instance.
*
* @param \GrahamCampbell\SecurityCore\Security $security
* @param \ProtoneMedia\LaravelXssProtection\Cleaners\BladeEchoes $bladeEchoCleaner
*
* @return void
*/
public function __construct(Security $security, BladeEchoes $bladeEchoCleaner)
{
$this->security = $security;
$this->bladeEchoCleaner = $bladeEchoCleaner;
public function __construct(
protected Security $security,
protected BladeEchoes $bladeEchoCleaner
) {
//
}

/**
* Handle an incoming request.
*
* @param \Illuminate\Http\Request $request
* @param \Closure $next
* @return mixed
*/
public function handle($request, Closure $next)
Expand Down Expand Up @@ -149,7 +133,7 @@ protected function transform($key, $value)

$output = $this->security->clean((string) $value);

if (!$this->enabledInConfig('allow_blade_echoes')) {
if (! $this->enabledInConfig('allow_blade_echoes')) {
$output = $this->bladeEchoCleaner->clean((string) $output);
}

Expand All @@ -165,8 +149,7 @@ protected function transform($key, $value)
/**
* Returns a boolean whether an option has been enabled.
*
* @param string $key
* @return boolean
* @param string $key
*/
private function enabledInConfig($key): bool
{
Expand All @@ -176,7 +159,6 @@ private function enabledInConfig($key): bool
/**
* Register a callback that instructs the middleware to be skipped.
*
* @param \Closure $callback
* @return void
*/
public static function skipWhen(Closure $callback)
Expand All @@ -187,7 +169,6 @@ public static function skipWhen(Closure $callback)
/**
* Register a callback that instructs the middleware to be skipped.
*
* @param \Closure $callback
* @return void
*/
public static function skipKeyWhen(Closure $callback)
Expand Down
9 changes: 9 additions & 0 deletions src/ServiceProvider.php
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@

namespace ProtoneMedia\LaravelXssProtection;

use GrahamCampbell\SecurityCore\Security;
use Spatie\LaravelPackageTools\Package;
use Spatie\LaravelPackageTools\PackageServiceProvider;

Expand All @@ -18,4 +19,12 @@ public function configurePackage(Package $package): void
->name('laravel-xss-protection')
->hasConfigFile();
}

public function packageBooted()
{
$this->app->singleton(Security::class, fn () => Security::create(
config('xss-protection.anti_xss.evil'),
config('xss-protection.anti_xss.replacement')
));
}
}
28 changes: 14 additions & 14 deletions tests/MiddlewareTest.php
Original file line number Diff line number Diff line change
Expand Up @@ -61,10 +61,10 @@

it('doesnt interfere with booleans, numbers and null values', function () {
$request = Request::createFromGlobals()->merge([
'yes' => true,
'no' => false,
'one' => 1,
'pi' => 3.14,
'yes' => true,
'no' => false,
'one' => 1,
'pi' => 3.14,
'null' => null,
]);

Expand Down Expand Up @@ -143,11 +143,11 @@ class ExceptXssCleanInput extends XssCleanInput
}

$request = Request::createFromGlobals()->merge([
'key' => 'test<script>script</script>',
'key' => 'test<script>script</script>',
'allow' => 'test<script>script</script>',

'nested' => [
'key' => 'test<script>script</script>',
'key' => 'test<script>script</script>',
'allowed' => 'test<script>script</script>',
],
]);
Expand All @@ -166,12 +166,12 @@ class ExceptXssCleanInput extends XssCleanInput
it('can trim blade echoes', function () {
$request = Request::createFromGlobals()->merge([
'key' => 'test',
'a' => '{{ $test }}',
'b' => '{!! $test !!}',
'c' => '{{{ $test }}}',
'd' => 'd{{ $test }}',
'e' => 'e{!! $test !!}',
'f' => 'f{{{ $test }}}',
'a' => '{{ $test }}',
'b' => '{!! $test !!}',
'c' => '{{{ $test }}}',
'd' => 'd{{ $test }}',
'e' => 'e{!! $test !!}',
'f' => 'f{{{ $test }}}',
]);

config(['xss-protection.middleware.completely_replace_malicious_input' => false]);
Expand All @@ -198,11 +198,11 @@ class ExceptXssCleanInput extends XssCleanInput
});

$request = Request::createFromGlobals()->merge([
'key' => 'test<script>script</script>',
'key' => 'test<script>script</script>',
'allow' => 'test<script>script</script>',

'nested' => [
'key' => 'test<script>script</script>',
'key' => 'test<script>script</script>',
'allowed' => 'test<script>script</script>',
],
]);
Expand Down
2 changes: 1 addition & 1 deletion tests/TestCase.php
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ protected function setUp(): void
parent::setUp();

Factory::guessFactoryNamesUsing(
fn (string $modelName) => 'ProtoneMedia\\LaravelXssProtection\\Database\\Factories\\' . class_basename($modelName) . 'Factory'
fn (string $modelName) => 'ProtoneMedia\\LaravelXssProtection\\Database\\Factories\\'.class_basename($modelName).'Factory'
);
}

Expand Down

0 comments on commit 572752e

Please sign in to comment.