# XSS Blade special character


frosty pike

Hello, I'm using emojis in Laravel, and in the part that sends to the Blade view I convert the emojis to <img>, but this can cause XSS. Could someone who has worked with emojis help me?

I thought of using js to convert all emojis by comments but I think it wouldn't work well...

```php
// Controller side: convert emoji characters in the raw comment into <img> tags
$comment->comment = LaravelEmojiOneFacade::toImage($comment->comment);
// output: "<img class="emojione" alt="&#x1f600;" title=":grinning:" src="https://cdn.jsdelivr.net/emojione/assets/4.0/png/64/1f600.png"/><button class='btn btn-primary'>Click</button>"
```

```blade
{{-- Blade side: the comment is printed unescaped with {!! !!} --}}
<p class="text-comment" style="overflow-wrap: break-word;">{!! html_entity_decode($comment['comment']) !!}</p>
```
untold heart

Hello @frosty pike,

I am answering the following question: how to prevent XSS issues?

There is no magic solution that allows you to display partially escaped and unescaped content at the same time. If you absolutely need to unescape your data, it should be filtered before displaying it or before saving it in your database to ensure you have no issues.

Otherwise, you need to find another solution to show your emojis... like converting them into real emojis -> ☺️, 😂, etc.?

Also, I am surprised you are using html_entity_decode; {!! $comment['comment'] !!} should be enough.
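The "filter before displaying" advice from the answer above, as an added example that is not part of this thread: the root cause in the question is that the emoji converter runs on the raw comment, so any HTML the commenter typed survives into `{!! !!}`. Escaping the user text first and only then adding the converter's own `<img>` markup means the unescaped output contains nothing the user controlled except text. The converter below is a hypothetical stand-in for `LaravelEmojiOneFacade::toImage` (assumed to emit `<img>` tags for known emoji and pass everything else through unchanged; only the URL pattern is taken from the question), and the sample comment is constructed.

```php
<?php
// Added example, not from the forum thread or the LaravelEmojiOne project.

const EMOJI_CDN = 'https://cdn.jsdelivr.net/emojione/assets/4.0/png/64/';

// Hypothetical minimal converter: turns a few emoji code points into the same
// <img> shape shown in the question, and leaves all other characters untouched.
function emojiToImage(string $text): string
{
    $shortnames = ["\u{1F600}" => ':grinning:', "\u{1F602}" => ':joy:'];
    return preg_replace_callback('/[\x{1F600}\x{1F602}]/u', function (array $m) use ($shortnames) {
        $codepoint = dechex(mb_ord($m[0], 'UTF-8'));
        $alt = '&#x' . $codepoint . ';';
        $title = $shortnames[$m[0]];
        return '<img class="emojione" alt="' . $alt . '" title="' . $title . '"'
            . ' src="' . EMOJI_CDN . $codepoint . '.png"/>';
    }, $text);
}

// Vulnerable order (what the question does): convert the raw comment, then
// print it with {!! !!}. Any tag the commenter typed is emitted verbatim.
function renderUnsafe(string $comment): string
{
    return emojiToImage($comment);
}

// Safe order: escape the user text first, then add the converter's trusted
// <img> markup. The only unescaped HTML in the result comes from the converter.
function renderSafe(string $comment): string
{
    $escaped = htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return emojiToImage($escaped);
}

// Constructed input: an emoji followed by markup a commenter should not be able to inject.
$comment = "\u{1F600} <button class='btn' onclick=\"alert(1)\">Click</button>";

echo "unsafe: ", renderUnsafe($comment), PHP_EOL;
echo "safe:   ", renderSafe($comment), PHP_EOL;
```

With the safe ordering the Blade line becomes `{!! renderSafe($comment->comment) !!}` (or the escaping is done once before `toImage` is called, wherever the comment is prepared); the `html_entity_decode` call must not be reintroduced, because it would undo the escaping and restore the injected tags. The alternative the answer mentions, keeping real emoji characters and printing with `{{ }}`, avoids unescaped output altogether.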