Someone's trying to XSS us with img src=x onerror=prompt(1)

usually all echoed variables with laravel will be escaped, unless you explicitly wanted to echo html and js using {!! !!}

So with spark you don't have to worry

Indeed, in normal circumstances it wouldn't be an issue when you implemented everything correctly. And with this code he/she is only trying to see if there is an XSS vulnerability somewhere.

You can search through your code for occurrences of {!! to see if you use it and if you use it if it is safely implemented.

And you should of course implement something to increase the bill with 10% for each XSS attempt of a user. That will stop them of trying it ;-)

Thanks @ahmeddabak @click ! It's default functionality so should be save then - though will double check it of course.

And you should of course implement something to increase the bill with 10% for each XSS attempt of a user. That will stop them of trying it ;-)

Haha love those kind of "rewards" 😜but I think that such a user is not very likely to convert to a paying customer.

I'm considering adding a WAF but will create a separate topic for that as I'm interested to learn from others that are using it already.

Also to play it extra safe I usually run request through strip_tags.

Something like:

   public static function fixValue($rvalue)
    {
        $rvalue = empty($rvalue) && !is_numeric($rvalue) ? NULL : trim(strip_tags($rvalue));
        return $rvalue;
    }

Not saying to use a static helper like me, use a getter setter or whatever.

It removes those dangerous tags.