php - How and where can XSS protection be applied in Laravel?

Question

I wonder how (if anyhow) is XSS protection provided in Laravel. I couldn't find anything about it in the documentation.

Problem

I am using Eloquent's create() method to insert data into database ($fillable/$guarded properties are set in the models). As it turns out, I can freely put something like this in any form's text input:

<script>alert('Hacking Sony in 3...2...')</script>

and the value will be inserted in the database. Then, when echoing it - the alert is shown.

Possible solutions

Now, Laravel is a really nice framework, so I would assume there must be something to prevent XSS out of the box. However, I can't find out what that is.

If I'm wrong, what is the optimal way to handle the issue?

• Do I use fancy regex validation to disallow specific characters?
• Do I use mysql_real_escape_string() on every Input::get() I use?
• Do I strip_tags()?

View-level escaping is not enough

I know I can use Blade's triple curly brackets to escape strings in the views, that's not the point, though. Makes much more sense to me not to let those sneaky bastards into the database in the first place.

Anyone faced this problem already?

Answer 1

Makes much more sense to me not to let those sneaky bastards into the database in the first place.

Actually - that is not true.

The reason that XSS is only handled by blade is that XSS attacks are an output problem. There is no security risk if you store <script>alert('Hacking Sony in 3...2...')</script> in your database - it is just text - it doesnt mean anything.

But in the context of HTML output - then the text has a meaning, and therefore that is where the filtering should occur.

Also - it is possible that XSS attack could be a reflected attack, where the displayed data is not coming from the database, but from another source. i.e. an uploaded file, url etc. If you fail to filter all the various input locations - you run a risk of missing something.

Laravel encourages you to escape all output, regardless where it came from. You should only explicitly display non-filtered data due to a specific reason - and only if you are sure the data is from a trusted source (i.e. from your own code, never from user input).

p.s. In Laravel 5 the default {{ }} will escape all output - which highlights the importance of this.

Edit: here is a good discussion with further points on why you should filter output, not input: html/XSS escape on input vs output