Allow {!! route/url() !!} raw output as safe
URL helper functions (route, url, asset, secure_url, secure_asset,
action, mix, vite) return URL strings, not HTML. Using {!! !!} with
these is safe and often necessary to avoid `&` being encoded as `&amp;`.
Added these to the safe patterns in isSafeBladeRawOutput().
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
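@@ -484,6 +484,15 @@ class XssRule extends BaseRule
 '/\bcsrf_token\s*\(/', // CSRF token helper
 '/\btrans\s*\(/', // Laravel translation (usually safe)
 '/\b__\s*\(/', // Laravel translation helper
+// URL helpers - generate URLs, not HTML, so safe for raw output
+'/^\s*route\s*\(/', // route() helper
+'/^\s*url\s*\(/', // url() helper
+'/^\s*asset\s*\(/', // asset() helper
+'/^\s*secure_url\s*\(/', // secure_url() helper
+'/^\s*secure_asset\s*\(/', // secure_asset() helper
+'/^\s*action\s*\(/', // action() helper
+'/^\s*mix\s*\(/', // mix() helper (Laravel Mix)
+'/^\s*vite\s*\(/', // vite() helper (Vite)
 ];
 
 foreach ($safePatterns as $pattern) {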
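Review bot: The new `route`/`url`/`asset`/`secure_url`/`secure_asset` patterns anchor only the start of the expression, so `{!! url($request->input('next')) !!}` or `{!! route('home') . $suffix !!}` is whitelisted as well, and as far as I know `url()`/`asset()` just concatenate their argument onto the app root without encoding it, so a user-controlled path landing in an `href` would be emitted raw. I would at least anchor the end of the call and refuse variables for the path-taking helpers, e.g. `'/^\s*(?:route|action|mix|vite)\s*\(.*\)\s*$/'` and `'/^\s*(?:url|asset|secure_url|secure_asset)\s*\(\s*[\'"][^\'"$]*[\'"]\s*\)\s*$/'`, with a comment stating that these are heuristics and that anything concatenated onto the helper result is not covered. The `// vite() helper` comment also looks overstated: if I remember right `vite()` returns an HtmlString of `<script>`/`<link>` tags rather than a URL, which is config-derived and so still low risk, but it does not fit the "URLs, not HTML" rationale given for the group. The enclosing `isSafeBladeRawOutput()` body starts before this hunk and the loop applying `$safePatterns` continues after it.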