Weave Code
Code Weaver
Helps Laravel developers discover, compare, and choose open-source packages. See popularity, security, maintainers, and scores at a glance to make better decisions.
Dom Sanitizer Laravel Package

rhukster/dom-sanitizer

MIT-licensed PHP 7.3+ DOM/SVG/MathML sanitizer using DOMDocument and DOMPurify-based allowlists. Remove dangerous tags/attributes, strip namespaces and PHP/HTML/XML tags, and optionally compress output. Supports HTML, SVG, and MathML modes.

Product Decisions This Supports

  • Security-Critical Feature Rollouts: Enables safe implementation of user-uploaded SVG/XML, dynamic XML templates, or third-party SVG embeds—features previously blocked by XXE risks. Directly addresses OWASP A03:2021 (Injection) and NIST SP 800-53 compliance requirements.
    • Example: Unblocks a "User-Generated SVG Diagrams" feature in a technical documentation platform.
  • Roadmap Acceleration:
    • Unblocks: Prioritizes features like "SVG diagram editor", "XML-based configuration uploads", or "third-party SVG embeds" by eliminating XXE/DoS attack vectors.
    • Enables: Supports third-party integrations (e.g., embedding external SVGs) without exposing the app to XML-based exploits.
  • Build vs. Buy: Buy. Adoption over custom development is justified by:
    • Active security hardening (e.g., LIBXML_NONET, libxml_disable_entity_loader).
    • MIT license and zero dependents, reducing vendor risk.
    • Lower TCO than alternatives like HTMLPurifier or custom regex-based solutions.
  • Use Cases:
    • SVG/XML Processing: Critical for platforms handling design assets, maps, or scientific data (e.g., GeoJSON, SVG diagrams) with embedded XML.
    • Legacy Modernization: Replaces insecure simplexml_load_string with DOM-level validation for monolithic PHP apps.
    • Third-Party Integrations: Safely processes XML/HTML/SVG from webhooks, APIs, or user uploads without XXE exposure.
    • Dynamic Content: Enables secure rendering of user-generated XML/HTML (e.g., custom widgets) with embedded declarations.

When to Consider This Package

Adopt When:

  • Your Laravel/PHP app processes untrusted XML/HTML/SVG with <!DOCTYPE>, <!ENTITY>, or external references (e.g., user uploads, dynamic content, or third-party embeds) and requires XXE/DoS protection.
  • You need to block XML-based attacks (e.g., file disclosure via file://, DoS via billion laughs) in SVG/HTML contexts, as this package fixes GHSA-3446-6mgw-f79p and GHSA-93vf-569f-22cq.
  • Your team lacks bandwidth to maintain custom XXE sanitizers or validate against evolving XML attack vectors (e.g., parameter entities, external DTDs).
  • You prioritize DOM-level validation over regex-based solutions, reducing false positives/negatives in sanitization.
  • Your stack is Laravel/PHP 7.3+ and you can tolerate a lightweight dependency (no heavyweight alternatives like HTMLPurifier are required).
  • You require extensibility to customize allowed XML features (e.g., whitelisting specific entities for SVGs).
  • Your roadmap includes features requiring XML/HTML/SVG sanitization (e.g., "User-uploaded complex SVGs," "Dynamic XML templates"), and security is a blocker.

Avoid When:

  • You need full XML Schema compliance or support for niche XML features not covered by the package’s allowlists (e.g., complex DTDs, XSLT).
  • Your use case demands enterprise-grade SLAs (e.g., guaranteed response times for security fixes); consider alternatives like custom solutions or dedicated XML parsers.
  • Your project is non-PHP or lacks Laravel integration needs (e.g., Node.js, Python, or JavaScript-only stacks).
  • You require a large, active community (the package has low GitHub stars/activity) or prefer solutions with extensive documentation/tutorials.
  • Your content is static or fully trusted (e.g., hardcoded templates), making sanitization unnecessary.
  • You cannot tolerate any false positives in sanitization (e.g., stripping valid SVG entities like &amp;).

How to Pitch It (Stakeholders)

For Executives/Business Leaders:

*"This update eliminates a critical XXE vulnerability in our XML/HTML/SVG pipeline, where attackers could force the server to read sensitive files (e.g., /etc/passwd) or crash the system with billion laughs attacks. By adopting this fix, we:

  • Remove compliance risks: Aligns with OWASP Top 10 (A03:2021), ISO 27001, and NIST SP 800-53 for secure XML processing.
  • Unlock new features: Enables safe rollout of complex SVGs, dynamic XML templates, or third-party embeds without security trade-offs.
  • Reduce costs: A lightweight, MIT-licensed package with zero disruption to existing workflows. Custom solutions carry higher long-term costs and security risks.

Risk: Minimal. The fix is battle-tested against real-world XXE vectors (e.g., external entities, DTDs). The package integrates seamlessly with Laravel and is maintained by a trusted team."*

For Engineering/Tech Leads:

*"The 1.0.11 release of rhukster/dom-sanitizer fixes a critical XXE vulnerability in our XML/HTML/SVG sanitization:

  • XXE via <!DOCTYPE>/<!ENTITY>: Blocks:
    • File disclosure via file:// entities (e.g., <!ENTITY x SYSTEM "file:///etc/passwd">).
    • DoS via billion laughs attacks (e.g., recursive entity expansion).
  • Secure Parsing: Strips <!DOCTYPE>/<!ENTITY> and uses LIBXML_NONET + libxml_disable_entity_loader to prevent external requests.

Why this is a no-brainer:

  • No more manual XXE checks: Uses DOM-level parsing with hardened PHP libxml settings.
  • Laravel-friendly: Lightweight, Composer-based, and compatible with PHP 8.1+.
  • Extensible: Customize allowed XML features (e.g., whitelisting SVG entities) without reinventing the wheel.
  • Zero maintenance overhead: The package handles security updates (e.g., new XXE vectors).

Implementation:

  1. Add to composer.json: rhukster/dom-sanitizer:^1.0.11.
  2. Replace custom XML sanitization with DOMSanitizer::sanitize().
  3. Test XML-heavy features (e.g., SVG uploads, dynamic templates).
  4. Audit custom rules for conflicts with XXE protections.

Performance: Negligible overhead (<3%). Benchmark if processing high-volume XML (e.g., CMS content)."*
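The DOCTYPE/ENTITY stripping and libxml hardening described under "Secure Parsing" above, and the `sanitize()` replacement in step 2 of the implementation list, as an added PHP example that is not part of this page or of rhukster/dom-sanitizer; the function names and the sample SVG are assumptions.

```php
<?php
declare(strict_types=1);
// Added illustration (not the package's code): strip DOCTYPE/ENTITY, parse with
// LIBXML_NONET, disable the external entity loader. Names/sample are assumed.
function sanitizeUntrustedXml(string $xml): ?string
{
    // PHP < 8.0 needs the loader switched off explicitly; 8.0+ disables it by
    // default and deprecates the call, hence the version guard.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    $previous = libxml_use_internal_errors(true);
    $doc = new DOMDocument('1.0', 'UTF-8');
    // LIBXML_NONET blocks network access. LIBXML_NOENT (which, despite its name,
    // ENABLES entity substitution) and LIBXML_DTDLOAD are deliberately absent.
    $ok = $doc->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if ($ok === false) {
        return null; // malformed input is rejected, not repaired
    }
    // <!ENTITY> declarations live in the DOCTYPE: drop it, then every reference.
    if ($doc->doctype !== null) {
        $doc->removeChild($doc->doctype);
    }
    removeEntityReferences($doc);
    return $doc->saveXML();
}

// Entity references survive parsing as DOMEntityReference nodes (in element
// content and inside attribute values) because substitution was never enabled.
function removeEntityReferences(DOMNode $node): void
{
    if ($node instanceof DOMElement) {
        foreach ($node->attributes as $attr) {
            removeEntityReferences($attr);
        }
    }
    foreach (iterator_to_array($node->childNodes) as $child) { // snapshot first
        if ($child instanceof DOMEntityReference) {
            $node->removeChild($child);
        } else {
            removeEntityReferences($child);
        }
    }
}
// Constructed sample: an SVG upload carrying an internal entity declaration.
$sample = '<?xml version="1.0"?><!DOCTYPE svg [<!ENTITY a "aaaa">]>'
        . '<svg xmlns="http://www.w3.org/2000/svg"><title>&a;</title></svg>';
echo sanitizeUntrustedXml($sample) ?? "rejected\n"; // no DOCTYPE, no &a; left
```

Files from drawing tools that carry the public SVG DOCTYPE still load, because without LIBXML_DTDLOAD the external DTD is never fetched; only the declaration itself is dropped.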

For Security Teams:

*"This package closes a critical XXE gap in our current sanitization:

  • File Disclosure/DoS: Fixes GHSA-3446-6mgw-f79p by blocking:
    • External entities (<!ENTITY x SYSTEM "file:///etc/passwd">).
    • Billion laughs (<!ENTITY a "aaaa"> <!ENTITY b "&a;&a;&a;&a;">).
  • Hardened Parsing: Strips <!DOCTYPE>/<!ENTITY> and uses LIBXML_NONET + libxml_disable_entity_loader.

Compliance benefits:

  • MIT License: Open-source, no vendor lock-in.
  • SECURITY.md: Clear vulnerability reporting.
  • OWASP Alignment: Uses DOM-level validation with libxml hardening.

Recommendation:

  • Replace all custom XML sanitization for user-generated SVG/HTML content.
  • Test complex SVGs (e.g., with <!ENTITY> for gradients) and dynamic XML templates.
  • Review custom rules to avoid bypassing XXE checks (e.g., for valid SVG entities like &amp;).

Mitigation: Document exceptions for legacy systems and monitor for bypasses. The package’s extensible allow/deny lists can accommodate edge cases."*

For Product Managers:

*"This package unlocks secure XML/HTML/SVG features that were previously blocked by XXE risks. Key benefits:

  • Enables user uploads: Safely process SVGs/XML with embedded declarations (e.g., <!ENTITY> for gradients).
  • Supports third-party integrations: Embed external SVGs/XML without exposing the app to attacks.
  • Reduces security debt: Replaces custom XXE checks with a maintained, hardened solution.

Prioritization:

  • High: If your roadmap includes user-generated SVGs, dynamic XML templates, or third-party embeds.
  • Medium: For legacy systems using simplexml_load_string or custom regex sanitization.
  • Low: If your content is static or fully trusted.

Next Steps:

  1. Assess impact: Identify features blocked by XXE risks (e.g., SVG uploads).
  2. Pilot: Test with a non-critical feature (e.g., internal SVG editor).
  3. Document: Update security policies to reflect the new sanitization layer.
  4. Monitor: Track performance and