
masterro/laravel-xss-filter
===========================

Filter user input for XSS but don't touch other html

Latest version: v2.2.0. License: MIT. Requires PHP >=8.1.

[Source](https://github.com/MasterRO94/laravel-xss-filter) | [Packagist](https://packagist.org/packages/masterro/laravel-xss-filter)


XSS Filter/Sanitizer for Laravel
================================


### Configure once and forget about XSS attacks!

It does not remove HTML; it only escapes script tags and embeds.
By default, however, it does delete inline event listeners such as `onclick`. Optionally, they can be escaped instead (set `escape_inline_listeners` to `true` in the `xss-filter.php` config file).

For example:

```
<script src="app.js"></script>
<script>window.init()</script>

<script>
let Iframe = new Iframe('#iframe');
</script>

Aawfawfaw f awf aw
<iframe id="iframe">Not supported!</iframe>
```

will be transformed to

```

&lt;script src=&quot;app.js&quot;&gt;&lt;/script&gt;
&lt;script&gt;window.init()&lt;/script&gt;

&lt;script&gt;
let Iframe = new Iframe(&#039;#iframe&#039;);
&lt;/script&gt;

Aawfawfaw f awf aw
&lt;iframe id=&quot;iframe&quot;&gt;Not supported!&lt;/iframe&gt;

```

This lets you render HTML based on user input in views without worrying about XSS attacks or embedded elements.

Installation
============


Step 1: Composer
----------------


From command line

```
composer require masterro/laravel-xss-filter

```

Step 2: publish configs (optional)
----------------------------------


From command line

```
php artisan vendor:publish --provider="MasterRO\LaravelXSSFilter\XSSFilterServiceProvider"

```

Step 3: Middleware
------------------

You can register `\MasterRO\LaravelXSSFilter\FilterXSS::class` in the global middleware stack, in a middleware group, or on specific routes.

> Have a look at [Laravel's middleware documentation](https://laravel.com/docs/middleware#registering-middleware), if you need any help.

### Livewire

If you are using Livewire, you can register a global middleware for all Livewire update requests. This special middleware cleans only the required part of the Livewire request payload and does not touch the snapshot, so the component checksum stays valid.

```
// AppServiceProvider.php

public function boot(): void
{
    Livewire::setUpdateRoute(static function ($handle) {
        return Route::post('/livewire/update', $handle)
            ->middleware(['web', FilterXSSLivewire::class]);
    });
}
```

Alternatively, you can apply the middleware to specific routes and add it to the persistent middleware list, so that inputs are also cleaned on subsequent component requests:

```
// AppServiceProvider.php

public function boot(): void
{
    Livewire::addPersistentMiddleware([
        FilterXSSLivewire::class,
    ]);
}
```

Note

If you have both Livewire components and traditional controllers, you can apply only the `FilterXSSLivewire::class` middleware to all required routes or globally. It falls back to the base logic for non-Livewire requests.

Usage
=====

After the middleware is added, every request that passes through it is filtered.

If you need to exclude fields from filtering, add them to the `xss-filter.except` config. By default, the filter skips the `password` and `password_confirmation` fields.

If you want to clean a value elsewhere (e.g. in a controller), you can use the `XSSCleaner` facade.

```
$clean = XSSCleaner::clean($string);
```
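
The middleware registration from Step 3 and the default `except` list described above can be pinned down with a feature test in your own application. This is an added example, not code from the package; the probe route `/_xss-probe`, the `bio` field and the test class name are hypothetical, and it assumes the default package config and Laravel's stock `Tests\TestCase`.

```php
<?php
// tests/Feature/XssFilterTest.php (added example, not part of the package)

namespace Tests\Feature;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use MasterRO\LaravelXSSFilter\FilterXSS;
use Tests\TestCase;

class XssFilterTest extends TestCase
{
    protected function setUp(): void
    {
        parent::setUp();

        // Hypothetical probe route: echoes the input exactly as a controller would see it.
        Route::post('/_xss-probe', fn (Request $request) => response()->json($request->all()))
            ->middleware(FilterXSS::class);
    }

    public function test_scripts_and_embeds_are_escaped_and_listeners_removed(): void
    {
        $body = $this->post('/_xss-probe', [
            'body' => '<p onclick="show()">Hi</p><script>window.init()</script>'
                . '<iframe id="iframe">Not supported!</iframe>',
        ])->json('body');

        $this->assertStringNotContainsString('<script', $body);
        $this->assertStringNotContainsString('<iframe', $body);
        $this->assertStringNotContainsString('onclick', $body); // default: listeners are deleted
        $this->assertStringContainsString('&lt;script&gt;window.init()&lt;/script&gt;', $body);
        $this->assertStringContainsString('Hi</p>', $body);     // ordinary HTML is left alone
    }

    public function test_default_except_fields_pass_through_unchanged(): void
    {
        $raw = '<script>1</script>';
        $seen = $this->post('/_xss-probe', ['password' => $raw, 'bio' => $raw])->json();

        $this->assertSame($raw, $seen['password']); // listed in xss-filter.except by default
        $this->assertNotSame($raw, $seen['bio']);   // every other field is filtered
    }
}
```

The second test makes the consequence of `xss-filter.except` explicit: excepted fields reach the application unfiltered, so they must never be rendered as raw HTML.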

#### Runtime configuration


```
XSSCleaner::config()
    ->allowElement('iframe')
    ->allowMediaHosts(['youtube.com', 'youtu.be'])
    ->denyElement('a');

$clean = XSSCleaner::clean($string);
```

#### *I will be grateful if you star this project :)*

