⚠️ Top 10 Laravel security issues I've found during audits ⚠️
#7 → Cross-Site Scripting (XSS)
Those pesky unescaped Blade tags {!! !!}, and Vue's v-html, keep popping up in surprising places, allowing for XSS to sneak in. Often through Markdown... 😉
This was an unsurprising entry in the top 10, but probably a lot lower than you were expecting!
I find XSS in less than half the sites I audit, usually on a single route that has been overlooked, or where formatting/markdown is supported.
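An added example, not part of the original post: a small Python audit helper that lists every raw-output sink named above ({!! !!} in Blade views and v-html in Vue components) and marks the ones whose expression mentions Markdown. The function names, the Markdown keyword heuristic and the sample template are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Strip Blade comments first (keeping newlines) so commented-out tags are skipped.
BLADE_COMMENT = re.compile(r"\{\{--.*?--\}\}", re.DOTALL)
# Raw Blade echo, possibly multi-line; escaped {{ }} is not matched.
RAW_BLADE = re.compile(r"\{!!\s*(.*?)\s*!!\}", re.DOTALL)
# Vue directive that assigns innerHTML: v-html="expr" or v-html='expr'.
V_HTML = re.compile(r"""(?<![\w-])v-html\s*=\s*(["'])(.*?)\1""", re.DOTALL)
# Assumption: an expression naming a Markdown renderer deserves a closer look.
MARKDOWN_HINT = re.compile(r"markdown|parsedown|commonmark", re.IGNORECASE)

def find_raw_output(source, path="<memory>"):
    """Return one finding per raw-HTML sink in a template, ordered by line."""
    source = BLADE_COMMENT.sub(lambda m: "\n" * m.group(0).count("\n"), source)
    findings = []
    for kind, pattern, group in (("blade-raw", RAW_BLADE, 1), ("v-html", V_HTML, 2)):
        for m in pattern.finditer(source):
            expr = " ".join(m.group(group).split())  # collapse whitespace
            findings.append({"path": path, "kind": kind, "expr": expr,
                             "line": source.count("\n", 0, m.start()) + 1,
                             "markdown": bool(MARKDOWN_HINT.search(expr))})
    return sorted(findings, key=lambda f: f["line"])

def scan_tree(root):
    """Scan every Blade view (*.blade.php) and Vue component (*.vue) under root."""
    results = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and (p.name.endswith(".blade.php") or p.suffix == ".vue"):
            results += find_raw_output(p.read_text(errors="replace"), str(p))
    return results

# Constructed sample template (not taken from any real application).
SAMPLE = """<h1>{{ $post->title }}</h1>
{{-- legacy: {!! $post->old_body !!} --}}
<div class="body">
    {!! Str::markdown($post->body) !!}
</div>
<p v-html="comment.html"></p>
<span>{!!
    $user->bio
!!}</span>
"""

if __name__ == "__main__":
    for f in find_raw_output(SAMPLE, "post.blade.php"):
        flag = "  <-- markdown" if f["markdown"] else ""
        print(f'{f["path"]}:{f["line"]}: {f["kind"]}: {f["expr"]}{flag}')
```

Treat each hit as a review item: confirm the value is sanitized before it is rendered, or switch to escaped {{ }} output where HTML is not needed.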
More info: