Home

Awesome

Clean your rich text from XSS threats

Latest Version on Packagist pest phpstan

<!-- [![Total Downloads](https://img.shields.io/packagist/dt/medilies/xssless.svg?style=flat-square)](https://packagist.org/packages/medilies/xssless) -->

workflow

Why use Xssless

<!-- - [TODO] You want a fluent and an intuitive way to build policies. -->

The default driver aligns with OWASP recommendations:

... OWASP recommends DOMPurify for HTML Sanitization.

Requirements

Installation

Install the package via composer:

composer require medilies/xssless

For non Laravel projects, pick a config and run the following code:

$config = new Medilies\Xssless\Dompurify\DompurifyCliConfig('node', 'npm');

(new Medilies\Xssless\Xssless)
    ->using($config)
    ->setup();

For Laravel projects, run the following command:

php artisan xssless:setup
<!-- > [!IMPORTANT] > You may need to re-run the setup when switching drivers. -->

Usage

Using Medilies\Xssless\Dompurify\DompurifyCliConfig:

(new Medilies\Xssless\Xssless)
    ->using(new Medilies\Xssless\Dompurify\DompurifyCliConfig)
    ->clean($html);

Using Medilies\Xssless\Dompurify\DompurifyServiceConfig:

$config = new Medilies\Xssless\Dompurify\DompurifyServiceConfig(
    host: '127.0.0.1', 
    port: 63000
);

$xssless = (new Medilies\Xssless\Xssless)
    ->using($config);

/**
 * It is better to have this part in a separate script
 * that runs continuously and independently from your app 
 */
$xssless->start();

$xssless->clean($html);

Laravel usage

You can publish the config file with:

php artisan vendor:publish --tag="xssless-config"

This is the contents of the published config file:

return [
    'default' => 'dompurify-cli',

    'drivers' => [
        'dompurify-cli' => new DompurifyCliConfig(
            node: env('NODE_PATH', 'node'), // @phpstan-ignore argument.type
            npm: env('NPM_PATH', 'npm'), // @phpstan-ignore argument.type
            binary: null,
            tempFolder: null,
        ),
        
        'dompurify-service' => new DompurifyServiceConfig(
            node: env('NODE_PATH', 'node'), // @phpstan-ignore argument.type
            npm: env('NPM_PATH', 'npm'), // @phpstan-ignore argument.type
            host: '127.0.0.1',
            port: 63000,
            binary: null,
        ),
    ],
];

Run the following command (Not required by all drivers):

php artisan xssless:start

Use the facade:

Medilies\Xssless\Laravel\Facades\Xssless::clean($html);

Changelog

Please see CHANGELOG for more information on what has changed recently.

Contributing

Please see CONTRIBUTING for details.

Security Vulnerabilities

Please review our security policy on how to report security vulnerabilities.

Credits

License

The MIT License (MIT). Please see License File for more information.