Composer
首页 包列表 提交包 常见问题 关于

承接 laravelgems/blade-escape 相关项目开发

从需求分析到上线部署,全程专人跟进,保证项目质量与交付效率

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

laravelgems/blade-escape

最新稳定版本:1.0.0

Composer 安装命令:

composer require laravelgems/blade-escape

包简介

Custom blade directives to figth against XSS

README 文档

README

Blade Escape is a service provider that extends Blade directives and allows use Laragems\Escape library.

<div style="background-color: @css($color);">
    <label>@text($label)</label>
    <input type="text" name="custom" value="@attr($value)"/>
</div>
<a href="/profile?u=@param($username)">Profile</a>
<button onclick="callMyFunction('@js($username)');">Validate</button>
<script>
    var username = "@js($username)";
</script>

Installation

composer require laravelgems/blade-escape

After that add service provider to a config\app.php

        /*
         * Package Service Providers...
         */
         ...
         LaravelGems\BladeEscape\Providers\BladeEscapeServiceProvider::class,
         ...

HTML - @text($variable), safe

<p>@text($resume)</p>
<div>@text($bio)</div>

HTML Attribute - @attr(@variable), safe when following rules

Attribute's value should be quoted. For usage with whitelist attributes: align, alink, alt, bgcolor, border, cellpadding, cellspacing, class, color, cols, colspan, coords, dir, face, height, hspace, ismap, lang, marginheight, marginwidth, multiple, nohref, noresize, noshade, nowrap, ref, rel, rev, rows, rowspan, scrolling, shape, span, summary, tabindex, title, usemap, valign, value, vlink, vspace, width

<input type="text" value="@attr($variable)"/>
<img src="image.png" alt="@attr($variable)"/>

URL Parameter - @param($variable), safe

<a href="search?keyword=@param($variable)">Click Me</a>

Javascript Parameter - @js($variable), safe when following rules

Value should be quoted. Avoid using dangerous functions (eval and so on), example - setTimeout("@js($variable)") (can be hacked!)

<script>
    var username = "@js($variable)";
</script>
<a href="#" onclick="displayDialog('@js($title)');">Click</a>

CSS - @css($variable), safe when following rules

Surrounded by quotes. Avoid complex properties like url, behavior and custom (-moz-binding). Do not put untrusted data into IE's expression property value

<style>
    .article { background-color: '@css($color)';}
</style>
<span style="width: '@css($width)';"></span>

Must Read: QWASP - XSS Prevention Cheat Sheet

You don't like the names of directives. Ok, just change them in a published config.

统计信息

  • 总下载量: 12.22k
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 12
  • 点击次数: 0
  • 依赖项目数: 0
  • 推荐数: 0

GitHub 信息

  • Stars: 12
  • Watchers: 3
  • Forks: 4
  • 开发语言: PHP
访问仓库

其他信息

  • 授权协议: MIT
  • 更新时间: 2016-12-25