
protonemedia/laravel-xss-protection
===================================

Laravel XSS protection, middleware and sanitization


Laravel XSS Protection Middleware
=================================


Laravel middleware to protect your app against cross-site scripting (XSS). It sanitizes request input by utilising the [voku/anti-xss](https://github.com/voku/anti-xss) package, and it can sanitize [Blade echo statements](https://laravel.com/docs/8.x/blade#displaying-data) as well. This package was inspired by the [Security Core](https://github.com/GrahamCampbell/Security-Core) package.

- PHP 8.2 and higher
- Laravel 10 and higher

PHP 8.4+ Compatibility
----------------------

This package includes a vendored version of [voku/portable-utf8](https://github.com/voku/portable-utf8) in the `vendor-lib` directory. The upstream package hasn't released a PHP 8.4 compatible version yet (the fixes are merged but not tagged), so we bundle the fixed version to avoid deprecation warnings about implicitly nullable parameters.

Sponsor Us
----------


❤️ We proudly support the community by developing Laravel packages and giving them away for free. If this package saves you time or if you're relying on it professionally, please consider [sponsoring the maintenance and development](https://github.com/sponsors/pascalbaljet) and check out our latest premium package: [Inertia Table](https://inertiaui.com/inertia-table?utm_source=github&utm_campaign=laravel-xss-protection). Keeping track of issues and pull requests takes time, but we're happy to help!

Installation
------------

You can install the package via composer:

```
composer require protonemedia/laravel-xss-protection
```

You may publish the config file with:

```
php artisan vendor:publish --tag="xss-protection-config"
```

Middleware Usage
----------------

You may use the `ProtoneMedia\LaravelXssProtection\Middleware\XssCleanInput` middleware in the route that handles the form submission.

```
use App\Http\Controllers\CreateAccountController;
use ProtoneMedia\LaravelXssProtection\Middleware\XssCleanInput;

Route::post('account', CreateAccountController::class)->middleware(XssCleanInput::class);
```

If your app has a lot of forms handled by many different controllers, you could opt to register it as global middleware.

```
// inside app/Http/Kernel.php

protected $middleware = [
   // ...
   \ProtoneMedia\LaravelXssProtection\Middleware\XssCleanInput::class,
];
```

If you register the middleware globally, you may exclude requests by using the static `skipWhen` method. You can add a callback to interact with the request:

```
use Illuminate\Http\Request;
use ProtoneMedia\LaravelXssProtection\Middleware\XssCleanInput;

XssCleanInput::skipWhen(function (Request $request) {
    // skip sanitization for every request whose path is under /admin
    return $request->is('admin/*');
});
```

You can also exclude keys by using the static `skipKeyWhen` method. This also allows you to interact with the value and request.

```
use Illuminate\Http\Request;
use ProtoneMedia\LaravelXssProtection\Middleware\XssCleanInput;

XssCleanInput::skipKeyWhen(function (string $key, $value, Request $request) {
    // credentials must reach the handler unchanged, so never sanitize them
    return in_array($key, [
        'current_password',
        'password',
        'password_confirmation',
    ], true);
});
```

Configuration
-------------

### File uploads

By default, the middleware allows file uploads. However, you may disallow file uploads by changing the `middleware.allow_file_uploads` configuration key to `false`.

### Blade echo statements

By default, the middleware sanitizes [Blade echo statements](https://laravel.com/docs/8.x/blade#displaying-data) like `{{ $name }}`, `{{{ $name }}}`, and `{!! $name !!}`. You may allow echo statements by changing the `middleware.allow_blade_echoes` configuration key to `true`.

### Completely replace malicious input

By default, the middleware transforms malicious input to `null`. You may configure the middleware to only transform the malicious part by setting the `middleware.completely_replace_malicious_input` configuration key to `false`. That way, an input string like `hey alert('laravel')` will be transformed to `hey` instead of `null`.

### Terminate request

Instead of transforming malicious input, you may configure the middleware to terminate the request whenever anything malicious has been found. You may do this by setting the `middleware.terminate_request_on_malicious_input` configuration key to `true`, which will throw an `HttpException` with status code 403.
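The three modes described above (null replacement, partial replacement, and terminate), plus the Blade echo toggle, are easy to verify from a host application. The following Pest feature test is an added example and not part of the package; it assumes Pest is bound to `Tests\TestCase` via `tests/Pest.php` and that the published config file is `config/xss-protection.php`, so the keys are addressed as `xss-protection.middleware.*`.

```php
<?php
// Added example, not the package's own test suite. Assumptions: Pest is bound to
// Tests\TestCase, and the published config lives in config/xss-protection.php.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use ProtoneMedia\LaravelXssProtection\Middleware\XssCleanInput;

// Constructed sample inputs: a script injection and a Blade echo statement.
const SCRIPT_PAYLOAD = 'hey <script>alert(1)</script>';
const BLADE_PAYLOAD  = '{{ $name }}';

beforeEach(function () {
    // Throwaway route that echoes the (already sanitized) input back as JSON.
    Route::post('/profile', function (Request $request) {
        return response()->json(['bio' => $request->input('bio')]);
    })->middleware(XssCleanInput::class);
});

it('replaces a field containing a script tag with null by default', function () {
    $this->post('/profile', ['bio' => SCRIPT_PAYLOAD])
        ->assertOk()
        ->assertJson(['bio' => null]);
});

it('strips Blade echo statements unless allow_blade_echoes is enabled', function () {
    $this->post('/profile', ['bio' => BLADE_PAYLOAD])->assertJson(['bio' => null]);

    // With echoes allowed, plain text like "{{ $name }}" is not an XSS vector
    // for anti-xss, so it passes through unchanged.
    config()->set('xss-protection.middleware.allow_blade_echoes', true);
    $this->post('/profile', ['bio' => BLADE_PAYLOAD])->assertJson(['bio' => BLADE_PAYLOAD]);
});

it('keeps the harmless prefix when completely_replace_malicious_input is off', function () {
    config()->set('xss-protection.middleware.completely_replace_malicious_input', false);

    $bio = $this->post('/profile', ['bio' => SCRIPT_PAYLOAD])->json('bio');

    expect($bio)->toStartWith('hey')->not->toContain('<script');
});

it('answers 403 instead of sanitizing in terminate mode', function () {
    config()->set('xss-protection.middleware.terminate_request_on_malicious_input', true);

    $this->post('/profile', ['bio' => SCRIPT_PAYLOAD])->assertStatus(403);
});
```

Run it with `php artisan test` (or `./vendor/bin/pest`) from the host application.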

### Dispatch event

You may configure the middleware to dispatch an event whenever malicious input has been found. Setting the `middleware.dispatch_event_on_malicious_input` configuration key to `true` will dispatch a `ProtoneMedia\LaravelXssProtection\Events\MaliciousInputFound` event with the sanitized keys, the original request and the sanitized request.

```
use Illuminate\Support\Facades\Event;
use ProtoneMedia\LaravelXssProtection\Events\MaliciousInputFound;

Event::listen(function (MaliciousInputFound $event) {
    $event->sanitizedKeys;
    $event->originalRequest;
    $event->sanitizedRequest;
});
```
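The `skipWhen`, `skipKeyWhen` and event hooks shown above are usually wired together in one place. The service provider below is an added example and not code from the package; the route name `webhooks.*`, the field names and the `security` log channel are assumptions made for illustration.

```php
<?php
// Added example (not from the package README): wires the middleware hooks into
// a service provider. Route names, field names and the 'security' log channel
// are assumptions; adjust them to the host application.

namespace App\Providers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Event;
use Illuminate\Support\Facades\Log;
use Illuminate\Support\ServiceProvider;
use ProtoneMedia\LaravelXssProtection\Events\MaliciousInputFound;
use ProtoneMedia\LaravelXssProtection\Middleware\XssCleanInput;

class AppServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // Skip whole requests whose body must reach the handler untouched,
        // e.g. a webhook whose payload is verified by signature downstream.
        XssCleanInput::skipWhen(function (Request $request) {
            return $request->routeIs('webhooks.*');
        });

        // Never rewrite credentials: silently altering a password turns a
        // harmless "<" in a passphrase into a failed login or a null password.
        XssCleanInput::skipKeyWhen(function (string $key, $value, Request $request) {
            return in_array($key, ['current_password', 'password', 'password_confirmation'], true);
        });

        // With dispatch_event_on_malicious_input enabled, record which fields
        // were sanitized so probing shows up in the logs. Log the keys and
        // request metadata only, never the raw malicious values.
        Event::listen(function (MaliciousInputFound $event) {
            $request = $event->originalRequest;

            Log::channel('security')->warning('XSS payload sanitized', [
                'keys' => $event->sanitizedKeys,
                'path' => $request->path(),
                'ip'   => $request->ip(),
                'user' => optional($request->user())->getAuthIdentifier(),
            ]);
        });
    }
}
```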

### Additional configuration for `voku/anti-xss`

As of version 1.6.0, you may provide additional configuration for the `voku/anti-xss` package. You may do this by filling the `middleware.anti_xss` configuration key.

```
'anti_xss' => [
    'evil' => [
        'attributes' => ['href'],
        'tags' => ['video'],
    ],

    'replacement' => '*redacted*',
]
```

Changelog
---------

Please see [CHANGELOG](CHANGELOG.md) for more information about what has changed recently.

Testing
-------

```
$ composer test
```

Contributing
------------

Please see [CONTRIBUTING](CONTRIBUTING.md) for details.

Other Laravel packages
----------------------

- [`Inertia Modal`](https://inertiaui.com/inertia-modal/docs/introduction): With Inertia Modal, you can easily open any route in a Modal or Slideover without having to change anything about your existing routes or controllers.
- [`Inertia Table`](https://inertiaui.com/inertia-table?utm_source=github&utm_campaign=laravel-xss-protection): The Ultimate Table for Inertia.js with built-in Query Builder.
- [`Laravel Blade On Demand`](https://github.com/protonemedia/laravel-blade-on-demand): Laravel package to compile Blade templates in memory.
- [`Laravel Cross Eloquent Search`](https://github.com/protonemedia/laravel-cross-eloquent-search): Laravel package to search through multiple Eloquent models.
- [`Laravel Eloquent Scope as Select`](https://github.com/protonemedia/laravel-eloquent-scope-as-select): Stop duplicating your Eloquent query scopes and constraints in PHP. This package lets you re-use your query scopes and constraints by adding them as a subquery.
- [`Laravel FFMpeg`](https://github.com/protonemedia/laravel-ffmpeg): This package provides an integration with FFmpeg for Laravel. The storage of the files is handled by Laravel's Filesystem.
- [`Laravel MinIO Testing Tools`](https://github.com/protonemedia/laravel-minio-testing-tools): Run your tests against a MinIO S3 server.
- [`Laravel Mixins`](https://github.com/protonemedia/laravel-mixins): A collection of Laravel goodies.
- [`Laravel Paddle`](https://github.com/protonemedia/laravel-paddle): Paddle.com API integration for Laravel with support for webhooks/events.
- [`Laravel Task Runner`](https://github.com/protonemedia/laravel-task-runner): Write Shell scripts like Blade Components and run them locally or on a remote server.
- [`Laravel Verify New Email`](https://github.com/protonemedia/laravel-verify-new-email): This package adds support for verifying new email addresses: when a user updates their email address, it won't replace the old one until the new one is verified.

Security
--------

If you discover any security-related issues, please email  instead of using the issue tracker. Please do not email questions; open an issue if you have one.

Credits
-------

- [Pascal Baljet](https://github.com/pascalbaljet)
- [All Contributors](../../contributors)

License
-------

The MIT License (MIT). Please see [License File](LICENSE.md) for more information.

Treeware
--------

This package is [Treeware](https://treeware.earth). If you use it in production, then we ask that you [**buy the world a tree**](https://plant.treeware.earth/pascalbaljetmedia/laravel-analytics-event-tracking) to thank us for our work. By contributing to the Treeware forest you’ll be creating employment for local families and restoring wildlife habitats.

