ricventu/laravel-anti-xss
=========================

Laravel wrapper for voku/anti-xss — Facade, service, validation rule, middleware and Blade directive to sanitize XSS in strings.

[Source](https://github.com/ricventu/laravel-anti-xss) · [Packagist](https://packagist.org/packages/ricventu/laravel-anti-xss)

Laravel Anti-XSS
================


A Laravel wrapper for [voku/anti-xss](https://github.com/voku/anti-xss) that provides everything you need to neutralize XSS payloads in user input:

- a singleton `AntiXss` service,
- an `AntiXss` Facade,
- a Blade directive `@xss(...)`,
- a `clean_xss` validation rule (and `CleanXss` rule object),
- an opt-in `CleanXssInput` middleware that sanitizes request input,
- a global `anti_xss()` helper.

```
use Ricventu\LaravelAntiXss\Facades\AntiXss;

AntiXss::clean('alert(1)Hello');
// => 'Hello'

AntiXss::clean('click');
// => 'click'

AntiXss::clean('');
// => ''
```

Why this package?
-----------------

- **Laravel-native.** Facade, helper, validation rule, middleware and Blade directive — drop in and use.
- **Battle-tested core.** Wraps [voku/anti-xss](https://github.com/voku/anti-xss), an actively maintained library with an extensive list of evil tags, attributes, and JS patterns.
- **Strict by default, flexible when needed.** Sensible config out of the box; extend or shrink the evil tag/attribute lists per project.
- **Multiple enforcement points.** Reject (validation), clean (middleware), or sanitize on demand (service / Blade) — pick what fits your threat model.

Unlike `strip_tags()` it understands obfuscated payloads (`javascript:` URIs, encoded entities, dangerous attributes). Unlike a full HTML purifier (e.g. HTMLPurifier) it is lighter and Laravel-first.

Requirements
------------

- PHP **8.3+**
- Laravel **11**, **12**, or **13**

Installation
------------

```
composer require ricventu/laravel-anti-xss
```

The service provider is auto-discovered. Publish the config file with:

```
php artisan vendor:publish --tag="anti-xss-config"
```

Configuration
-------------

The published `config/anti-xss.php`:

```
return [
    'replacement' => '',
    'keep_pre_and_code_tag_content' => false,
    'strip_4byte_chars' => false,
    'evil_attributes' => [
        'add' => [],
        'remove' => [],
    ],
    'evil_html_tags' => [
        'add' => [],
        'remove' => [],
    ],
    'middleware' => [
        'except' => ['password', 'password_confirmation'],
    ],
];
```

| Key | Purpose |
|-----|---------|
| `replacement` | String used in place of stripped malicious content. |
| `keep_pre_and_code_tag_content` | Preserve the content of `<pre>` and `<code>` tags. |
| `strip_4byte_chars` | Strip 4-byte UTF-8 characters (e.g. emoji) — useful with non-`utf8mb4` databases. |
| `evil_attributes.add` / `.remove` | Extend or shrink the default list of evil attributes. |
| `evil_html_tags.add` / `.remove` | Extend or shrink the default list of evil tags. |
| `middleware.except` | Field names ignored by the `CleanXssInput` middleware. |

Usage
-----

### Service / Dependency Injection

```
use Illuminate\Http\Request;
use Ricventu\LaravelAntiXss\AntiXss;

class CommentController
{
    // The container resolves the singleton AntiXss service for you.
    public function __construct(private AntiXss $antiXss) {}

    public function store(Request $request)
    {
        // Sanitize on demand before persisting.
        $body = $this->antiXss->clean($request->input('body'));
        // ...
    }
}
```

### Facade

```
use Ricventu\LaravelAntiXss\Facades\AntiXss;

$safe = AntiXss::clean($userInput);

if (AntiXss::isXssFound()) {
    logger()->warning('XSS attempt detected.');
}
```

### Helper

```
$safe = anti_xss($userInput);          // sanitize directly
$service = anti_xss();                  // get the service
$service->setReplacement('[REDACTED]'); // tweak at runtime
```

### Validation rule

Object syntax (recommended):

```
use Ricventu\LaravelAntiXss\Rules\CleanXss;

$request->validate([
    'bio' => ['required', 'string', new CleanXss],
]);
```

String syntax also works:

```
$request->validate([
    'bio' => 'required|string|clean_xss',
]);
```

The rule **rejects** input that contains XSS rather than silently mutating it. If you prefer to clean instead, use the middleware below or call `AntiXss::clean()` in your `prepareForValidation()`.
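As an added example (not code from the package's README), a form request that combines both strategies: it cleans the free-text `body` field in `prepareForValidation()` and rejects a short `display_name` field with the `CleanXss` rule object. The class name, field names and log message are assumptions.

```php
<?php

namespace App\Http\Requests;

use Illuminate\Foundation\Http\FormRequest;
use Ricventu\LaravelAntiXss\Facades\AntiXss;
use Ricventu\LaravelAntiXss\Rules\CleanXss;

// Hypothetical request class for the CommentController shown above.
// Free-text "body" is cleaned in place; "display_name" is rejected if it
// contains XSS, so the user sees an error instead of a silently altered name.
class StoreCommentRequest extends FormRequest
{
    public function authorize(): bool
    {
        return true;
    }

    // Runs before the rules: sanitize the body so the validated payload
    // never carries the original markup.
    protected function prepareForValidation(): void
    {
        $body = $this->input('body');

        if (is_string($body)) {
            $this->merge(['body' => AntiXss::clean($body)]);

            // isXssFound() reports on the most recent clean() call. Log the
            // attempt with request context, not the payload itself.
            if (AntiXss::isXssFound()) {
                logger()->warning('XSS payload removed from comment body', [
                    'ip' => $this->ip(),
                    'user_id' => $this->user()?->id,
                ]);
            }
        }
    }

    public function rules(): array
    {
        return [
            // Already cleaned above; only enforce shape here.
            'body' => ['required', 'string', 'max:5000'],
            // Reject rather than mutate: a name with XSS is a hard validation error.
            'display_name' => ['required', 'string', 'max:60', new CleanXss],
        ];
    }
}
```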

### Middleware

`CleanXssInput` mirrors Laravel's built-in `TrimStrings` middleware: it walks the request payload and sanitizes every string value (excluding the keys listed in `anti-xss.middleware.except`).

It is **opt-in**. Register it in your application bootstrap.

Laravel 11+ (`bootstrap/app.php`):

```
use Illuminate\Foundation\Configuration\Middleware;
use Ricventu\LaravelAntiXss\Http\Middleware\CleanXssInput;

// Inside the Application::configure(...) chain in bootstrap/app.php:
->withMiddleware(function (Middleware $middleware) {
    $middleware->web(append: [
        CleanXssInput::class,
    ]);
})
```

Laravel 10 (`app/Http/Kernel.php`):

```
protected $middlewareGroups = [
    'web' => [
        // ...
        \Ricventu\LaravelAntiXss\Http\Middleware\CleanXssInput::class,
    ],
];
```

### Blade directive

```
@xss($comment->body)
```

`@xss($value)` is equivalent to `{{ AntiXss::clean($value) }}` — it sanitizes **and** escapes the result with `e()`.

### Advanced — direct access to the underlying engine

```
AntiXss::engine()
    ->addNeverAllowedRegex(['/very-custom-pattern/i'])
    ->addNaughtyJavascriptPatterns(['my-tracker(']);
```

Testing
-------

```
composer test
```

Changelog
---------

See [CHANGELOG](CHANGELOG.md).

Contributing
------------

Pull requests are welcome. For larger changes, please open an issue first to discuss the direction.

Run the test suite with `composer test` and the static analysis with `composer analyse` before submitting.

Security
--------

If you discover a security vulnerability, please email **** instead of opening a public issue. All reports will be reviewed and addressed promptly.

Credits
-------

- Built on top of [voku/anti-xss](https://github.com/voku/anti-xss) by Lars Moelleken.
- [Riccardo Venturini](https://github.com/Ricventu)
- [All Contributors](../../contributors)

License
-------

The MIT License (MIT). See [LICENSE.md](LICENSE.md).
