Laravel Security In Depth

Share this post

Laravel Security In Depth: Escaping Output Safely

larasec.substack.com

Laravel Security In Depth: Escaping Output Safely

[InDepth#3] Let's dive into Escaping Output Safely in your Laravel Apps.

Stephen Rees-Carter
Nov 16, 2021
2
Share this post

Laravel Security In Depth: Escaping Output Safely

larasec.substack.com

Following on from last week’s Validating User Input security tip, we’re looking at Escaping Output Safely this week. This is our third In Depth email, and like my last In Depth about SQL Injection, I’ve set up a demo site with some challenges for you to explore XSS further. So check that out and have some fun! 😁

As always, let me know if you’ve got any questions or suggestions for topics. Enjoy!


Escaping Output Safely

I said this a few times in the last email, but it’s worth repeating here:

Don’t trust user input. Don’t trust user input. Don’t trust user input.

But why?

Users can be crafty and sneaky1, and if they have malicious intent, they can come up with all sorts of creative and unusual ways to subvert the behaviour of your applications intentionally. Our job as developers is to build a system that prevents these sneaky users from doing things that we don’t want them to do, while still allowing them to do everything we do want them to do.

What is Cross-Site Scripting?

A common trick that sneaky users (i.e. hackers) love to do is inject their own javascript into websites, and then trick other users into executing that javascript. Because, as an attacker, if you can get your javascript running in a victim’s browser, it gives you full control of their browser. This is known as Cross-Site Scripting, or XSS, and it is usually the result of not escaping user output safely.

Cross-Site Scripting (XSS) comes in two flavours: Stored and Reflected. They both have the same result - the attacker injects javascript into the page through unescaped output - but they differ in how the javascript gets onto the page and where it is stored.

Let’s take a look at both:

Keep reading with a 7-day free trial

Subscribe to Laravel Security In Depth to keep reading this post and get 7 days of free access to the full post archives.

Already a paid subscriber? Sign in
Previous
Next
© 2023 Stephen Rees-Carter
Privacy ∙ Terms ∙ Collection notice
Start WritingGet the app
Substack is the home for great writing