How to Protect Against XSS Using Middleware in Laravel 8 and Laravel 9

Sovary, September 25, 2022

In this article we will walk through how to implement middleware for XSS protection in Laravel 8. The middleware removes HTML tags from user input values so that they cannot be used to exploit your website through XSS. Input sanitization is a security practice of inspecting, filtering, and sanitizing data input from app users. You can apply this approach in Laravel 6, Laravel 7, Laravel 8, and Laravel 9; the difference is in the route definitions, which you have to write in the form your version uses.

What is XSS?

Cross-site scripting (XSS) is a type of web security issue in which an attacker inserts a malicious script into a website. This usually happens through a form whose input is not sanitized of HTML tags supplied by the user. The malicious script is then sent to everyone who visits the infected website. The other end user's browser has no way to know that the script should not be trusted, and will execute the script.

Today I will show you how to implement this protection in a Laravel project, so that you help protect your visitors as well as your website from XSS attacks.

Middleware for XSS Protection in Laravel

  • Step 1 - Install Laravel
  • Step 2 - Create Middleware
  • Step 3 - Register Middleware
  • Step 4 - Apply Middleware in Route

Step 1 - Install Laravel

First, install Laravel. You need an internet connection, and the installation is done via Composer. We don't need to store data in a database, so you are not required to configure a database connection in this step.

Launch a command prompt (cmd) and run the command below:

composer create-project laravel/laravel blog

Step 2 - Create Middleware

Now we will create a new custom middleware. Open your terminal and run the command below in the root of the Laravel project:

php artisan make:middleware XSS

The file will be generated automatically, so next we will add the code that filters HTML tags out of the request input.

Open the file app -> Http -> Middleware -> XSS.php

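<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class XSS
{
    /**
     * Strip HTML tags from every string value in the request input.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle(Request $request, Closure $next)
    {
        $input = $request->all();

        // The value must be taken by reference (&$value); otherwise the
        // stripped string is discarded and $input is left unchanged.
        array_walk_recursive($input, function (&$value) {
            // Leave null, numbers and other non-string values untouched.
            if (is_string($value)) {
                $value = strip_tags($value);
            }
        });

        $request->merge($input);

        // Pass the sanitized request on to the next middleware or controller.
        return $next($request);
    }
}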

Step 3 - Register Middleware

Now we will register the middleware in Kernel.php.

Open the file app -> Http -> Kernel.php

<?php

namespace App\Http;
use Illuminate\Foundation\Http\Kernel as HttpKernel;

class Kernel extends HttpKernel
{
    // ....
    /**
     * The application's route middleware.
     *
     * These middleware may be assigned to groups or used individually.
     *
     * @var array
     */
    protected $routeMiddleware = [
        // ....
        'XSS' => \App\Http\Middleware\XSS::class,
    ];
}

Step 4 - Apply Middleware in Route

This is the final step: add the middleware to the routes where you want to filter out HTML tags. For example, I have a blog that allows users to comment below an article, so I will filter out HTML tags when they view the comments and add a new comment. The example below assumes I have created a controller file CommentController.php that does what is described.

Open the file routes -> web.php

<?php

use Illuminate\Support\Facades\Route;
use App\Http\Middleware\XSS;
use App\Http\Controllers\CommentController;

Route::middleware(['XSS'])->group(function()
{
    Route::get('comment', [CommentController::class,'index']);
    Route::post('comment', [CommentController::class,'store'])->name('comment.save');
});
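
A feature-level check for the four steps above, added here as an example (it is not code from the original article): it calls the XSS middleware directly on a constructed request and asserts what the next handler receives. The file name tests/Feature/XSSMiddlewareTest.php, the class name and the sample input are assumptions; Tests\TestCase comes with the default Laravel skeleton.

```php
<?php
// tests/Feature/XSSMiddlewareTest.php (hypothetical file name, added example)

namespace Tests\Feature;

use App\Http\Middleware\XSS;
use Illuminate\Http\Request;
use Illuminate\Http\Response;
use Tests\TestCase;

class XSSMiddlewareTest extends TestCase
{
    public function test_tags_are_stripped_before_the_controller_sees_input(): void
    {
        // Constructed sample input: nested arrays, an integer and a null.
        $request = Request::create('/comment', 'POST', [
            'author' => 'Tom & "Jerry"',
            'body'   => 'Nice post<script>alert(1)</script>',
            'meta'   => ['tags' => ['<b>php</b>', 'laravel'], 'rating' => 5],
            'reply'  => null,
        ]);

        $seen = null;
        $response = (new XSS())->handle($request, function (Request $r) use (&$seen) {
            $seen = $r; // what a controller would receive
            return new Response('ok');
        });

        // handle() must call $next($request) and return its response.
        $this->assertInstanceOf(Response::class, $response);
        $this->assertNotNull($seen);

        // Tags are removed at every nesting level; text between tags remains.
        $this->assertSame('Nice postalert(1)', $seen->input('body'));
        $this->assertSame(['php', 'laravel'], $seen->input('meta.tags'));

        // Non-string values pass through untouched.
        $this->assertEquals(5, $seen->input('meta.rating'));
        $this->assertNull($seen->input('reply'));

        // strip_tags() removes tags only; it does not encode & or quotes,
        // so views still need Blade's {{ }} / e() when printing the value.
        $this->assertSame('Tom & "Jerry"', $seen->input('author'));
        $this->assertSame('Tom &amp; &quot;Jerry&quot;', e($seen->input('author')));
    }
}
```

Run it with `php artisan test --filter=XSSMiddlewareTest`.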

Thanks for reading my article. I hope it guides you and helps your project. Have a nice day!

Author

Founder of CamboTutorial.com. I am happy to share my knowledge related to programming that can help other people. I love writing tutorials related to PHP, Laravel, Python, Java, and Android Development; all published posts are made simple and easy to understand for beginners.