From 2520c1bffd0efdefe4078ac67770be765f887337 Mon Sep 17 00:00:00 2001 From: Shift Date: Tue, 27 Feb 2024 19:27:59 +0000 Subject: [PATCH 1/4] Bump dependencies for Laravel 11 --- composer.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/composer.json b/composer.json index 2fed5aa..ba5c91b 100644 --- a/composer.json +++ b/composer.json @@ -18,12 +18,12 @@ "require": { "php": "^8.1|^8.2|^8.3", "graham-campbell/security": "^11.0", - "illuminate/contracts": "^10.0", + "illuminate/contracts": "^10.0|^11.0", "spatie/laravel-package-tools": "^1.9.2" }, "require-dev": { - "nunomaduro/collision": "^7.0", - "orchestra/testbench": "^8.0", + "nunomaduro/collision": "^7.0|^8.0", + "orchestra/testbench": "^8.0|^9.0", "pestphp/pest": "^2.0", "pestphp/pest-plugin-laravel": "^2.0", "phpunit/phpunit": "^10.4" @@ -58,4 +58,4 @@ }, "minimum-stability": "dev", "prefer-stable": true -} \ No newline at end of file +} From 35a20b42db4dc4bf37599892711493cae2d907fa Mon Sep 17 00:00:00 2001 From: Shift Date: Tue, 27 Feb 2024 19:27:59 +0000 Subject: [PATCH 2/4] Update GitHub Actions for Laravel 11 --- .github/workflows/run-tests.yml | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml index c5d62fe..1dcf9be 100644 --- a/.github/workflows/run-tests.yml +++ b/.github/workflows/run-tests.yml @@ -2,23 +2,31 @@ name: run-tests on: push: - branches: [main] + branches: + - main pull_request: - branches: [main] + branches: + - main jobs: test: runs-on: ${{ matrix.os }} + strategy: fail-fast: true matrix: os: [ubuntu-latest] php: [8.3, 8.2, 8.1] - laravel: [10.*] + laravel: ['10.*', '11.*'] stability: [prefer-lowest, prefer-stable] include: - laravel: 10.* testbench: ^8.0 + - laravel: 11.* + testbench: ^9.0 + exclude: + - laravel: 11.* + php: 8.1 name: P${{ matrix.php }} - L${{ matrix.laravel }} - ${{ matrix.stability }} - ${{ matrix.os }} 
From be2e5ba2939437f2209e689f852ae429a2cdf7e7 Mon Sep 17 00:00:00 2001 From: Pascal Baljet Date: Thu, 14 Mar 2024 13:58:32 +0100 Subject: [PATCH 3/4] Use `graham-campbell/security-core` instead of `graham-campbell/security` --- composer.json | 5 +++-- config/xss-protection.php | 11 ++++++++++ src/Events/MaliciousInputFound.php | 3 +-- src/Middleware/XssCleanInput.php | 33 +++++++----------------------- src/ServiceProvider.php | 9 ++++++++ tests/MiddlewareTest.php | 28 ++++++++++++------------- tests/TestCase.php | 2 +- 7 files changed, 46 insertions(+), 45 deletions(-) diff --git a/composer.json b/composer.json index ba5c91b..15c728f 100644 --- a/composer.json +++ b/composer.json @@ -16,12 +16,13 @@ } ], "require": { - "php": "^8.1|^8.2|^8.3", - "graham-campbell/security": "^11.0", + "php": "^8.2|^8.3", + "graham-campbell/security-core": "^4.0", "illuminate/contracts": "^10.0|^11.0", "spatie/laravel-package-tools": "^1.9.2" }, "require-dev": { + "laravel/pint": "^1.14", "nunomaduro/collision": "^7.0|^8.0", "orchestra/testbench": "^8.0|^9.0", "pestphp/pest": "^2.0", diff --git a/config/xss-protection.php b/config/xss-protection.php index e702233..9e62932 100644 --- a/config/xss-protection.php +++ b/config/xss-protection.php @@ -18,4 +18,15 @@ 'dispatch_event_on_malicious_input' => false, ], + + // Additional configuration for the underlying voku/anti-xss package + // See: https://github.com/GrahamCampbell/Laravel-Security/blob/11.1/config/security.php + 'anti_xss' => [ + 'evil' => [ + 'attributes' => null, + 'tags' => null, + ], + + 'replacement' => null, + ], ]; diff --git a/src/Events/MaliciousInputFound.php b/src/Events/MaliciousInputFound.php index 9cd1383..24f0776 100644 --- a/src/Events/MaliciousInputFound.php +++ b/src/Events/MaliciousInputFound.php @@ -10,7 +10,6 @@ public function __construct( public array $sanitizedKeys, public Request $originalRequest, public Request $sanitizedRequest - ) - { + ) { } } 
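Review bot: The new `anti_xss` block in config/xss-protection.php is a top-level key (it is inserted after the closing `],` of the `middleware` array, and the ServiceProvider.php hunk in this same patch reads `config('xss-protection.anti_xss.evil')`), but the README hunk in PATCH 4/4 tells users to fill the `middleware.anti_xss` key; a user who follows the README puts their stricter `evil` attribute/tag lists under a key nothing reads and silently keeps the upstream defaults. Either change the README sentence to name the top-level `anti_xss` key, or nest the block under `middleware` and update both `config()` calls to `xss-protection.middleware.anti_xss.*`. The `null` defaults are also undocumented in the config file itself; I would add above `'evil'` a comment such as `// null presumably keeps voku/anti-xss's built-in lists; pass arrays of attribute/tag names to extend them (confirm against Security::create())`, since the meaning of null comes from the upstream package rather than this file.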
diff --git a/src/Middleware/XssCleanInput.php b/src/Middleware/XssCleanInput.php index 9252d4d..e8b81a8 100644 --- a/src/Middleware/XssCleanInput.php +++ b/src/Middleware/XssCleanInput.php @@ -11,20 +11,6 @@ class XssCleanInput extends TransformsRequest { - /** - * The security instance. - * - * @var \GrahamCampbell\SecurityCore\Security - */ - protected $security; - - /** - * The Blade echo cleaner instance. - * - * @var \ProtoneMedia\LaravelXssProtection\Cleaners\BladeEchoes - */ - protected $bladeEchoCleaner; - /** * All of the registered skip callbacks. * @@ -63,22 +49,20 @@ class XssCleanInput extends TransformsRequest /** * Create a new instance. * - * @param \GrahamCampbell\SecurityCore\Security $security - * @param \ProtoneMedia\LaravelXssProtection\Cleaners\BladeEchoes $bladeEchoCleaner * * @return void */ - public function __construct(Security $security, BladeEchoes $bladeEchoCleaner) - { - $this->security = $security; - $this->bladeEchoCleaner = $bladeEchoCleaner; + public function __construct( + protected Security $security, + protected BladeEchoes $bladeEchoCleaner + ) { + // } /** * Handle an incoming request. * * @param \Illuminate\Http\Request $request - * @param \Closure $next * @return mixed */ public function handle($request, Closure $next) @@ -149,7 +133,7 @@ protected function transform($key, $value) $output = $this->security->clean((string) $value); - if (!$this->enabledInConfig('allow_blade_echoes')) { + if (! $this->enabledInConfig('allow_blade_echoes')) { $output = $this->bladeEchoCleaner->clean((string) $output); } @@ -165,8 +149,7 @@ protected function transform($key, $value) /** * Returns a boolean whether an option has been enabled. * - * @param string $key - * @return boolean + * @param string $key */ private function enabledInConfig($key): bool { 
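Review bot: The constructor docblock in the `@@ -63,22 +49,20 @@` hunk of src/Middleware/XssCleanInput.php is left half-edited: the two `@param` tags are removed but a stray empty `*` line and a `* @return void` tag remain on a constructor, and the `handle()` docblock just below drops `@param \Closure $next` while keeping `@param \Illuminate\Http\Request $request`. With promoted typed properties the native types now carry the information, so I would trim the constructor docblock to `/** Create a new instance. */` and make `handle()` consistent by either keeping both `@param` tags or removing both. The `// ` placeholder body on the promoted constructor is fine as Laravel house style, though `) {}` would be the shorter modern form.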
@@ -176,7 +159,6 @@ private function enabledInConfig($key): bool /** * Register a callback that instructs the middleware to be skipped. * - * @param \Closure $callback * @return void */ public static function skipWhen(Closure $callback) @@ -187,7 +169,6 @@ public static function skipWhen(Closure $callback) /** * Register a callback that instructs the middleware to be skipped. * - * @param \Closure $callback * @return void */ public static function skipKeyWhen(Closure $callback) diff --git a/src/ServiceProvider.php b/src/ServiceProvider.php index b9b6407..96a36b5 100644 --- a/src/ServiceProvider.php +++ b/src/ServiceProvider.php @@ -2,6 +2,7 @@ namespace ProtoneMedia\LaravelXssProtection; +use GrahamCampbell\SecurityCore\Security; use Spatie\LaravelPackageTools\Package; use Spatie\LaravelPackageTools\PackageServiceProvider; @@ -18,4 +19,12 @@ public function configurePackage(Package $package): void ->name('laravel-xss-protection') ->hasConfigFile(); } + + public function packageBooted() + { + $this->app->singleton(Security::class, fn () => Security::create( + config('xss-protection.anti_xss.evil'), + config('xss-protection.anti_xss.replacement') + )); + } } diff --git a/tests/MiddlewareTest.php b/tests/MiddlewareTest.php index 893b4f2..4179ccf 100644 --- a/tests/MiddlewareTest.php +++ b/tests/MiddlewareTest.php @@ -61,10 +61,10 @@ it('doesnt interfere with booleans, numbers and null values', function () { $request = Request::createFromGlobals()->merge([ - 'yes' => true, - 'no' => false, - 'one' => 1, - 'pi' => 3.14, + 'yes' => true, + 'no' => false, + 'one' => 1, + 'pi' => 3.14, 'null' => null, ]); @@ -143,11 +143,11 @@ class ExceptXssCleanInput extends XssCleanInput } $request = Request::createFromGlobals()->merge([ - 'key' => 'test', + 'key' => 'test', 'allow' => 'test', 'nested' => [ - 'key' => 'test', + 'key' => 'test', 'allowed' => 'test', ], ]); 
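Review bot: `packageBooted()` in src/ServiceProvider.php registers the `Security::class` singleton during the boot phase, whereas Laravel's convention is to place container bindings in the register phase; any provider whose `boot()` runs earlier and resolves `Security` would get an auto-wired instance that ignores the `anti_xss` config, and because it is a singleton only the first resolution wins. laravel-package-tools provides `packageRegistered()` for exactly this, so I would change the signature to `public function packageRegistered(): void` (adding the missing return type) and keep the body, with `static fn () =>` since the closure does not use `$this`. Both `config()` values are read once at first resolution, so tests that change `xss-protection.anti_xss.*` after a request has already been handled will not see the change unless they call `$this->app->forgetInstance(Security::class)`; a one-line comment stating that would save the next maintainer a debugging session. If `Security::create()` does not accept null for its `evil` argument, applications with a published config that predates the new key would fail at resolution — worth confirming against the security-core 4.0 signature before release.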
@@ -166,12 +166,12 @@ class ExceptXssCleanInput extends XssCleanInput it('can trim blade echoes', function () { $request = Request::createFromGlobals()->merge([ 'key' => 'test', - 'a' => '{{ $test }}', - 'b' => '{!! $test !!}', - 'c' => '{{{ $test }}}', - 'd' => 'd{{ $test }}', - 'e' => 'e{!! $test !!}', - 'f' => 'f{{{ $test }}}', + 'a' => '{{ $test }}', + 'b' => '{!! $test !!}', + 'c' => '{{{ $test }}}', + 'd' => 'd{{ $test }}', + 'e' => 'e{!! $test !!}', + 'f' => 'f{{{ $test }}}', ]); config(['xss-protection.middleware.completely_replace_malicious_input' => false]); @@ -198,11 +198,11 @@ class ExceptXssCleanInput extends XssCleanInput }); $request = Request::createFromGlobals()->merge([ - 'key' => 'test', + 'key' => 'test', 'allow' => 'test', 'nested' => [ - 'key' => 'test', + 'key' => 'test', 'allowed' => 'test', ], ]); diff --git a/tests/TestCase.php b/tests/TestCase.php index ae4a29e..1e38b11 100644 --- a/tests/TestCase.php +++ b/tests/TestCase.php @@ -13,7 +13,7 @@ protected function setUp(): void parent::setUp(); Factory::guessFactoryNamesUsing( - fn (string $modelName) => 'ProtoneMedia\\LaravelXssProtection\\Database\\Factories\\' . class_basename($modelName) . 'Factory' + fn (string $modelName) => 'ProtoneMedia\\LaravelXssProtection\\Database\\Factories\\'.class_basename($modelName).'Factory' ); } From 72d4d83368ecb941ffbf88f19cb70f78ffd82e89 Mon Sep 17 00:00:00 2001 From: Pascal Baljet Date: Thu, 14 Mar 2024 14:04:17 +0100 Subject: [PATCH 4/4] Bump --- .github/workflows/run-tests.yml | 7 ++----- README.md | 27 ++++++++++++++++++++------- 2 files changed, 22 insertions(+), 12 deletions(-) diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml index 1dcf9be..1149e1d 100644 --- a/.github/workflows/run-tests.yml +++ b/.github/workflows/run-tests.yml 
@@ -16,17 +16,14 @@ jobs: fail-fast: true matrix: os: [ubuntu-latest] - php: [8.3, 8.2, 8.1] - laravel: ['10.*', '11.*'] + php: [8.3, 8.2] + laravel: ["10.*", "11.*"] stability: [prefer-lowest, prefer-stable] include: - laravel: 10.* testbench: ^8.0 - laravel: 11.* testbench: ^9.0 - exclude: - - laravel: 11.* - php: 8.1 name: P${{ matrix.php }} - L${{ matrix.laravel }} - ${{ matrix.stability }} - ${{ matrix.os }} diff --git a/README.md b/README.md index 3623dd5..294d97e 100644 --- a/README.md +++ b/README.md @@ -6,8 +6,8 @@ Laravel Middleware to protect your app against Cross-site scripting (XSS). It sanitizes request input by utilising the [Laravel Security](https://github.com/GrahamCampbell/Laravel-Security) package, and it can sanatize [Blade echo statements](https://laravel.com/docs/8.x/blade#displaying-data) as well. -* PHP 8.1 and higher -* Laravel 10 +* PHP 8.2 and higher +* Laravel 10 and higher ## Sponsor this package! @@ -108,6 +108,21 @@ Event::listen(function (MaliciousInputFound $event) { }); ``` +### Additional configuration for `voku/anti-xss` + +As of version 1.6.0, you may provide additional configuration for the `voku/anti-xss` package. You may do this by filling the `middleware.anti_xss` key. This is similar to the [Laravel Security](https://github.com/GrahamCampbell/Laravel-Security) package, which this package used to rely on. + +```php +'anti_xss' => [ + 'evil' => [ + 'attributes' => ['href'], + 'tags' => ['video'], + ], + + 'replacement' => '*redacted*', +] +``` + ## Changelog Please see [CHANGELOG](CHANGELOG.md) for more information about what has changed recently. 
@@ -124,17 +139,15 @@ Please see [CONTRIBUTING](CONTRIBUTING.md) for details. ## Other Laravel packages -* [`Laravel Analytics Event Tracking`](https://github.com/protonemedia/laravel-analytics-event-tracking): Laravel package to easily send events to Google Analytics. * [`Laravel Blade On Demand`](https://github.com/protonemedia/laravel-blade-on-demand): Laravel package to compile Blade templates in memory. * [`Laravel Cross Eloquent Search`](https://github.com/protonemedia/laravel-cross-eloquent-search): Laravel package to search through multiple Eloquent models. * [`Laravel Eloquent Scope as Select`](https://github.com/protonemedia/laravel-eloquent-scope-as-select): Stop duplicating your Eloquent query scopes and constraints in PHP. This package lets you re-use your query scopes and constraints by adding them as a subquery. -* [`Laravel Eloquent Where Not`](https://github.com/protonemedia/laravel-eloquent-where-not): This Laravel package allows you to flip/invert an Eloquent scope, or really any query constraint. -* [`Laravel FFMpeg`](https://github.com/protonemedia/laravel-ffmpeg): This package provides integration with FFmpeg for Laravel. The storage of the files is handled by Laravel's Filesystem. -* [`Laravel Form Components`](https://github.com/protonemedia/laravel-form-components): Blade components to rapidly build forms with Tailwind CSS Custom Forms and Bootstrap 4. Supports validation, model binding, default values, translations, includes default vendor styling and fully customizable! +* [`Laravel FFMpeg`](https://github.com/protonemedia/laravel-ffmpeg): This package provides an integration with FFmpeg for Laravel. The storage of the files is handled by Laravel's Filesystem. +* [`Laravel MinIO Testing Tools`](https://github.com/protonemedia/laravel-minio-testing-tools): Run your tests against a MinIO S3 server. * [`Laravel Mixins`](https://github.com/protonemedia/laravel-mixins): A collection of Laravel goodies. 
* [`Laravel Paddle`](https://github.com/protonemedia/laravel-paddle): Paddle.com API integration for Laravel with support for webhooks/events. +* [`Laravel Task Runner`](https://github.com/protonemedia/laravel-task-runner): Write Shell scripts like Blade Components and run them locally or on a remote server. * [`Laravel Verify New Email`](https://github.com/protonemedia/laravel-verify-new-email): This package adds support for verifying new email addresses: when a user updates its email address, it won't replace the old one until the new one is verified. -* [`Laravel WebDAV`](https://github.com/protonemedia/laravel-webdav): WebDAV driver for Laravel's Filesystem. ## Security