In this article we will walk through how to implement middleware for XSS protection in Laravel 8. The middleware acts as a web-security layer that strips HTML tags from user input values, so that an attacker cannot exploit your website through XSS. Input sanitization is the practice of inspecting, filtering, and cleaning the data that app users submit. You can apply the same approach in Laravel 6, Laravel 7, Laravel 8, and Laravel 9; the only part that differs between versions is how the routes are defined in the routes file.
Cross-site scripting (XSS) is a type of web security issue in which an attacker inserts a malicious script into a website. It usually happens when user-supplied HTML is not sanitized before it is shown in the browser. The attacker's malicious script is then served to everyone who visits the infected page. The end user's browser has no way to know that the script should not be trusted, so it executes it.
Today I will show you how to implement this protection in a Laravel project, so that you can protect your visitors as well as your website from XSS attacks in Laravel.
First, install Laravel: you need an internet connection, and the installation is done via Composer. We don't need to store data in a database, so you do not have to configure a database connection in this step.
Launch a command prompt (cmd) and run the command below:
composer create-project laravel/laravel blog
Now we create a new custom middleware by running the command below. Open your terminal in the root of the Laravel project and run:
php artisan make:middleware XSS
The file is generated automatically; next we add the code that strips HTML tags from the request input.
Open the file app -> Http -> Middleware -> XSS.php
<?php
namespace App\Http\Middleware;
use Closure;
use Illuminate\Http\Request;
class XSS
{
    /**
     * Strip HTML tags from every string in the request input before the
     * request reaches the controller.
     *
     * @param \Illuminate\Http\Request $request
     * @param \Closure $next
     * @return mixed
     */
    public function handle(Request $request, Closure $next)
    {
        $input = $request->all();
        // Walk nested input (arrays of fields) and strip tags in place.
        // The closure parameter must be taken by reference (&$value);
        // otherwise only a copy is modified and the original value is kept.
        array_walk_recursive($input, function (&$value) {
            if (is_string($value)) {
                $value = strip_tags($value);
            }
        });
        // Replace the request input with the sanitized values
        $request->merge($input);
        // Pass the sanitized request on to the next middleware / controller
        return $next($request);
    }
}
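The following is an added example, not code from the article: a plain-PHP model of the sanitizing step the middleware performs on $request->all(), runnable with the PHP CLI and no Laravel install. The function name sanitizeInput, the check helper and the sample comment-form input are constructed here. It also shows why the by-reference parameter matters, and that strip_tags only removes markup, so the value still has to be HTML-encoded when it is rendered (Blade's {{ }} does that through e(), which wraps htmlspecialchars).

```php
<?php
// Added example (not from the article): plain-PHP model of the middleware's
// sanitizing step. Run with: php sanitize_demo.php

/**
 * Recursively strip HTML tags from every string in a (possibly nested) input
 * array, the same way the middleware treats $request->all(). Non-string values
 * (integers, booleans, uploaded-file objects) are left untouched.
 */
function sanitizeInput(array $input): array
{
    // "&$value" is essential: array_walk_recursive hands the closure a copy
    // unless the parameter is declared by reference, and a copy's edits are lost.
    array_walk_recursive($input, function (&$value) {
        if (is_string($value)) {
            $value = strip_tags($value);
        }
    });
    return $input;
}

/** Minimal check helper so the script reports its own results. */
function check(string $label, bool $ok): void
{
    echo ($ok ? 'PASS' : 'FAIL') . ' - ' . $label . PHP_EOL;
}

// Constructed sample input, shaped like a blog comment form with a nested field
$sample = [
    'name'    => 'Alice <b>Smith</b>',
    'comment' => 'Nice post <script>alert(1)</script> thanks',
    'meta'    => ['rating' => 5, 'tags' => ['<i>php</i>', 'laravel']],
];

$clean = sanitizeInput($sample);
check('tags removed from top-level string', $clean['name'] === 'Alice Smith');
check('script element removed, its text kept', $clean['comment'] === 'Nice post alert(1) thanks');
check('nested array values sanitized', $clean['meta']['tags'][0] === 'php');
check('non-string values unchanged', $clean['meta']['rating'] === 5);

// Common pitfall: without "&" the closure edits a throwaway copy and nothing changes
$copy = $sample;
array_walk_recursive($copy, function ($value) {
    $value = strip_tags($value);
});
check('by-value closure leaves input unsanitized', $copy['name'] === $sample['name']);

// strip_tags only removes markup; characters that are not part of a tag
// (a lone "<" followed by a space, "&", quotes) pass through untouched,
// so output encoding at render time is still required.
$text = 'x < y && "done"';
check('strip_tags keeps non-tag characters', strip_tags($text) === $text);
$rendered = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
check('output encoding neutralizes them', $rendered === 'x &lt; y &amp;&amp; &quot;done&quot;');
```

The two layers are complementary: the middleware cleans what is stored, and the view's escaping protects what is displayed, including data that entered the application through some other path than this middleware.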
Now we register the middleware in Kernel.php.
Open the file app -> Http -> Kernel.php
<?php
namespace App\Http;
use Illuminate\Foundation\Http\Kernel as HttpKernel;
class Kernel extends HttpKernel
{
    ....
    /**
     * The application's route middleware.
     *
     * These middleware may be assigned to groups or used individually.
     *
     * @var array
     */
    protected $routeMiddleware = [
        ....
        'XSS' => \App\Http\Middleware\XSS::class,
    ];
}
The final step is to attach the middleware to the routes whose input should have HTML tags filtered out. For example, I have a blog that allows users to comment below an article, so I filter HTML tags on the routes that view the comments and add a new comment. The example below assumes I have created a controller file CommentController.php that implements those two actions.
Open the file routes -> web.php
<?php
use Illuminate\Support\Facades\Route;
use App\Http\Middleware\XSS;
use App\Http\Controllers\CommentController;
Route::middleware(['XSS'])->group(function () {
    Route::get('comment', [CommentController::class, 'index']);
    Route::post('comment', [CommentController::class, 'store'])->name('comment.save');
});
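To confirm that the registered middleware really sanitizes what a controller receives, here is an added Laravel feature test; it is not part of the article or of any CommentController. It assumes the 'XSS' alias registered in Kernel.php and a stock Laravel test setup (Tests\TestCase). The /xss-probe route, which simply echoes back $request->all(), and the field values are constructed for the test.

```php
<?php
// Added example (not from the article): tests/Feature/XssMiddlewareTest.php
// Run with: php artisan test --filter XssMiddlewareTest
namespace Tests\Feature;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use Tests\TestCase;

class XssMiddlewareTest extends TestCase
{
    protected function setUp(): void
    {
        parent::setUp();

        // Throwaway probe route behind the 'XSS' alias registered in Kernel.php.
        // It returns exactly the input the controller would see.
        Route::middleware(['XSS'])->any('/xss-probe', function (Request $request) {
            return response()->json($request->all());
        });
    }

    public function test_html_tags_are_stripped_from_posted_input(): void
    {
        $response = $this->postJson('/xss-probe', [
            'name'    => 'Alice <b>Smith</b>',
            'comment' => 'Nice post <script>alert(1)</script> thanks',
            'extra'   => ['nested' => '<i>value</i>', 'count' => 3],
        ]);

        // Tags are gone, nested fields are handled, non-strings are untouched
        $response->assertOk()->assertExactJson([
            'name'    => 'Alice Smith',
            'comment' => 'Nice post alert(1) thanks',
            'extra'   => ['nested' => 'value', 'count' => 3],
        ]);
    }

    public function test_query_string_input_is_stripped_as_well(): void
    {
        // $request->all() covers query parameters too, so GET requests are sanitized
        $response = $this->get('/xss-probe?q=' . urlencode('<b>hi</b>'));

        $response->assertOk()->assertExactJson(['q' => 'hi']);
    }
}
```

Because the route is declared inside the test, the check does not depend on CommentController existing; if the middleware is later removed from the kernel or its alias renamed, the first assertion fails with the raw tags still present.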
Thanks for reading my article; I hope it guides you and helps your project. Have a nice day!
Founder of CamboTutorial.com, I am happy to share my knowledge related to programming so that it can help other people. I love writing tutorials related to PHP, Laravel, Python, Java, and Android development; all published posts are made simple and easy to understand for beginners.