
I am using the Summernote WYSIWYG-editor (as shown below) and found that it uses HTML tags to format text.

<!-- A textarea has no value attribute; the old input goes between the tags -->
<textarea name="body" id="editor" rows="10" required>{{ old('body') }}</textarea>

How do I protect my application from XSS attacks? I store the input as plain text and output it using: {!! $body !!}.

Is it possible to filter the textarea for vulnerable input, such as: <script>alert("boom")</script>


1 Answer


By default, Laravel does not provide any mechanism to remove certain tags from a given input, thus you need to use a third-party package like Purifier.

Installing Purifier

As shown below, Purifier can simply be installed using Composer.

composer require mews/purifier

Configuration

To customize Purifier's default settings, publish the configuration file (config/purifier.php).

php artisan vendor:publish --provider="Mews\Purifier\PurifierServiceProvider"

Now, navigate to config/purifier.php and adjust the HTML.Allowed entry as needed. Note that all tags that are not listed within this entry will be removed by the clean() method.

An exhaustive reference of configuration options can be found here.

Example

clean("<p>Good</p> <script>alert('Bad')</script>")

Output: <p>Good</p>
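As an added example (not part of the answer above or the Purifier package itself), here is how the pieces described in the answer fit together for the Summernote case from the question: a named `summernote` profile in config/purifier.php that whitelists only the tags the editor emits, and a controller that runs `clean()` once on the way into the database so that `{!! $body !!}` only ever echoes already-sanitized markup. The profile name, `PostController`, the `Post` model and the `posts.show` route are assumed names.

```php
<?php
// --- config/purifier.php (excerpt of the published file, keys as shipped by mews/purifier) ---
return [
    'encoding'      => 'UTF-8',
    'finalize'      => true,
    'cachePath'     => storage_path('app/purifier'),
    'cacheFileMode' => 0755,
    'settings'      => [
        'default' => [
            'HTML.Doctype'             => 'HTML 4.01 Transitional',
            'HTML.Allowed'             => 'div,b,strong,i,em,u,a[href|title],ul,ol,li,p[style],br,span[style],img[width|height|alt|src]',
            'AutoFormat.AutoParagraph' => true,
            'AutoFormat.RemoveEmpty'   => true,
        ],
        // Assumed profile for Summernote output: anything not listed here is dropped by clean(),
        // so <script>, <iframe>, <style> and on* event attributes can never reach the page.
        'summernote' => [
            'HTML.Allowed'           => 'p,br,b,strong,i,em,u,ul,ol,li,a[href],img[src|alt]',
            // Only http(s) in href/src: javascript: and data: URIs are rewritten away.
            'URI.AllowedSchemes'     => ['http' => true, 'https' => true],
            'HTML.Nofollow'          => true,
            'AutoFormat.RemoveEmpty' => true,
        ],
    ],
];

// --- app/Http/Controllers/PostController.php (assumed name) ---
namespace App\Http\Controllers;

use App\Models\Post;
use Illuminate\Http\Request;

class PostController extends Controller
{
    public function store(Request $request)
    {
        $data = $request->validate(['body' => 'required|string|max:20000']);

        // Sanitize exactly once, at the trust boundary, with the named profile.
        // <p>Good</p> <script>alert('Bad')</script> is stored as <p>Good</p>.
        $post = Post::create(['body' => clean($data['body'], 'summernote')]);

        return redirect()->route('posts.show', $post);
    }
}
```

With the stored value already cleaned, the Blade view can keep `{!! $post->body !!}`; if the raw input is ever stored instead, call `clean($body, 'summernote')` at output time as well.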