As I was building this new Kuztek site I wanted to build it to the same standards I would apply for any client, and that means protecting the site from malicious code and other security threats. I may be the only one adding content to this site or modifying what is in the database, but filtering what we output to the browser, to make sure it doesn't harm the site or our users, just makes sense. We don't want to leave our sites vulnerable to Cross-Site Scripting (XSS). This tutorial covers Laravel customization and is intended for developers who want to improve their site's security.
When using Laravel Blade templates we would typically output content like this:
Hello, {{ $name }}.
The double curly brackets in Blade indicate that the content will be escaped: any HTML in it is converted to entities and displayed as literal text rather than interpreted by the browser. But what if we want some HTML to come through from our database, just not anything that would be a security risk? We searched around for existing code to do the job, because writing something from scratch could take a lot of time. Enter HTMLPurifier, a well-maintained tool that cleans up markup and even fixes things like missing HTML tags or illegal nesting. To get HTMLPurifier into our Laravel project we used a handy package from MeWebStudio and added it to our site using Composer.
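As an added example (not the post's own code, and not the MeWebStudio package's source), here is the allowlist approach applied with HTMLPurifier directly, assuming it has been installed via Composer and the script is run from the project root; the stored HTML is a constructed sample, and the `clean()` helper referenced in the closing comment is the one the mews/purifier package registers.

```php
<?php
// Added example: run HTMLPurifier over a rich-text field before it is
// rendered unescaped. Assumes Composer autoloading (ezyang/htmlpurifier is
// pulled in by the mews/purifier package the post refers to).
require __DIR__ . '/vendor/autoload.php';

// Constructed sample of what an editor (or an attacker who reached the
// database) might have stored: legitimate formatting mixed with a script,
// an inline event handler and a javascript: link.
$stored = '<p>Hello <b>world</b><script>alert(1)</script>'
        . '<a href="javascript:alert(1)" onclick="leak()">link</a>'
        . '<i>unclosed italic</p>';

$config = HTMLPurifier_Config::createDefault();
// Allowlist: only these elements and attributes survive. Anything not
// listed (script, iframe, on* handlers, style) is stripped, so new HTML
// features are blocked by default instead of needing a new blocklist rule.
$config->set('HTML.Allowed', 'p,b,strong,i,em,a[href],ul,ol,li,br');
// Restrict link targets to schemes that cannot execute code in the page.
$config->set('URI.AllowedSchemes', ['http' => true, 'https' => true, 'mailto' => true]);
// Drop elements left empty after cleaning rather than emitting <p></p>.
$config->set('AutoFormat.RemoveEmpty', true);
// Skip the on-disk definition cache so the script runs without a writable dir.
$config->set('Cache.DefinitionImpl', null);

$purifier = new HTMLPurifier($config);
$clean = $purifier->purify($stored);

// $clean keeps the paragraph, bold and italic text and the <a> element, but
// the <script>, the onclick attribute and the javascript: href are gone and
// the unclosed <i> is closed before the </p>.
echo $clean, PHP_EOL;

// In a Blade view the same step happens at output time. With mews/purifier
// installed the helper wraps the config above, so the raw-output syntax is
// only ever fed purified markup:
//     {!! clean($post->body) !!}
// while plain text fields stay on the escaping syntax the post shows:
//     {{ $name }}
```

Keeping the allowlist in config/purifier.php (the mews/purifier config file) rather than in each view means a single place to audit which tags and URI schemes are permitted.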