
Booleans are nullified

Open stardothosting opened this issue 3 years ago • 2 comments

Hello,

I noticed after implementing this as middleware for all incoming request input that when a boolean is passed to Purify, it simply nullifies the input.

In my failing tests, this generates an error because the input passed is nullified:

```php
'boolean_field' => false,
```

If I switch the above field to the following, it works:

```php
'boolean_field' => 0,
```

Any ideas?

stardothosting avatar Feb 24 '22 14:02 stardothosting

Hi @stardothosting,

Can you post your middleware and also your test?

stevebauman avatar Feb 24 '22 15:02 stevebauman

@stevebauman,

I have this integrated into a Laravel 8.x web application; here is the middleware:

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Stevebauman\Purify\Facades\Purify;

class XssSanitization
{
    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure(\Illuminate\Http\Request): (\Illuminate\Http\Response|\Illuminate\Http\RedirectResponse)  $next
     * @return \Illuminate\Http\Response|\Illuminate\Http\RedirectResponse
     */
    public function handle(Request $request, Closure $next)
    {
        $input = $request->all();
        // Every leaf value of the request payload, whatever its type, is passed to Purify.
        array_walk_recursive($input, function (&$input) {
            $input = Purify::clean($input);
        });
        $request->merge($input);
        return $next($request);
    }
}
```

And the test basically simulates a POST submission of form data and checks the database for expected results:

```php
public function test_post_submit()
{
    // $user was not defined in the posted snippet; an App\Models\User factory
    // (standard in Laravel 8) is assumed here so the test can run.
    $user = User::factory()->create();

    $response = $this->actingAs($user)
        ->post('/controller/registration/save/first', [
            'offroad' => '0',
        ]);
    $this->assertEquals(422, $response->getStatusCode());
}
```

If I change the middleware to basically bypass the Purify filter if null, boolean or integer, it bypasses the problem:

```php
$input = (is_bool($input) || is_int($input) || is_null($input) ? $input : Purify::clean($input));
```

stardothosting avatar Feb 24 '22 16:02 stardothosting

Hi @stardothosting,

I wouldn't recommend filtering all request input with Purify, as the core HTMLPurifier library will manipulate it in some way that you don't expect. Purifier should only be run on input that is expected to be HTML -- not globally across all input sources that may contain booleans, integers, decimals, files, etc.

stevebauman avatar Jun 19 '23 15:06 stevebauman
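The following is an added example, not code from the purify project or from either participant in this thread. It puts the two points above side by side: the middleware's "clean every leaf value" approach from the earlier comment, and the scoped approach recommended in the last comment, where only the fields that are expected to carry HTML are sanitized. `fakeClean()` is a stand-in for `Purify::clean()`; it is an assumption, not something verified against HTMLPurifier, that the real sanitizer coerces its argument to a string before working on it, and in PHP `(string) false === ''`, which is consistent with the "nullified" symptom reported. The field names and payload are constructed for the example.

```php
<?php
// Added example (not the purify project's code). Contrasts sanitizing every
// request value with sanitizing only declared HTML fields, so that booleans,
// integers and nulls reach validation with their original types.

declare(strict_types=1);

/**
 * Stand-in for Purify::clean(). ASSUMPTION: the real sanitizer string-coerces
 * its input; strip_tags() is used here only to make the effect visible.
 */
function fakeClean($value): string
{
    return strip_tags((string) $value);
}

/** The pattern from the middleware in this thread: every leaf goes through the sanitizer. */
function cleanEverything(array $input, callable $clean): array
{
    array_walk_recursive($input, function (&$value) use ($clean) {
        $value = $clean($value);
    });
    return $input;
}

/**
 * Scoped alternative: only the listed fields (dot-notation, e.g. 'profile.about')
 * are passed to the sanitizer, and only when they actually hold a string.
 * Every other value is returned exactly as received.
 */
function cleanHtmlFields(array $input, array $htmlFields, callable $clean): array
{
    foreach ($htmlFields as $path) {
        $ref   = &$input;
        $found = true;
        foreach (explode('.', $path) as $key) {
            if (!is_array($ref) || !array_key_exists($key, $ref)) {
                $found = false;
                break;
            }
            $ref = &$ref[$key];
        }
        if ($found && is_string($ref)) {
            $ref = $clean($ref);
        }
        unset($ref); // drop the reference before binding it to the next path
    }
    return $input;
}

// Constructed sample payload: the shapes a form or JSON body typically mixes.
$payload = [
    'boolean_field' => false,
    'offroad'       => 0,
    'note'          => null,
    'bio'           => '<p>Hi</p><script>alert(1)</script>',
    'profile'       => ['about' => '<b>bold</b>', 'age' => 42],
];

// Every non-string value comes back as a string (false and null as '').
$naive = cleanEverything($payload, 'fakeClean');
var_dump($naive['boolean_field'], $naive['offroad'], $naive['note']);

// Only 'bio' and 'profile.about' are touched; the other values keep their types.
$scoped = cleanHtmlFields($payload, ['bio', 'profile.about'], 'fakeClean');
var_dump($scoped['boolean_field'], $scoped['offroad'], $scoped['note'], $scoped['profile']['age']);
var_dump($scoped['bio'], $scoped['profile']['about']);
```

In a Laravel middleware the `$htmlFields` list would come from the route or form request that knows which inputs are rich text, and `$clean` would be `[Purify::class, 'clean']` (or a closure around it) instead of the stand-in. Checking `is_string()` before calling the sanitizer is what keeps a `boolean` validation rule working: it still receives `false`, `0` or `null` rather than an empty string, and the HTML sanitizer only ever sees the kind of input it was written for.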