Add allowed attributes and tags config option

Adds an 'allowed' key to the anti_xss config that calls
removeEvilAttributes() and removeEvilHtmlTags() on the AntiXSS
instance, allowing users to whitelist specific attributes (e.g.
'style') or tags without overriding the middleware.

Fixes #13

Author: realpascalbotjet

README.md

@@ -120,9 +120,16 @@ As of version 1.6.0, you may provide additional configuration for the `voku/anti
     ],
 
     'replacement' => '*redacted*',
+
+    'allowed' => [
+        'attributes' => ['style'],
+        'tags' => ['iframe'],
+    ],
 ]
 ```
 
+The `evil` key adds *additional* attributes and tags to the evil list. The `allowed` key does the opposite — it removes attributes and tags from the default evil list, allowing them through the sanitizer. For example, if you need to allow `style` attributes or `iframe` tags in your content, add them to the `allowed` arrays.
+
 ## Changelog
 
 Please see [CHANGELOG](CHANGELOG.md) for more information about what has changed recently.

config/xss-protection.php

@@ -28,5 +28,10 @@
         ],
 
         'replacement' => null,
+
+        'allowed' => [
+            'attributes' => null,
+            'tags' => null,
+        ],
     ],
 ];

src/ServiceProvider.php

@@ -45,6 +45,18 @@ public function packageBooted()
                     }
                 }
 
+                $allowed = config('xss-protection.anti_xss.allowed');
+
+                if ($allowed !== null) {
+                    if (! empty($allowed['attributes'])) {
+                        $antiXss->removeEvilAttributes($allowed['attributes']);
+                    }
+
+                    if (! empty($allowed['tags'])) {
+                        $antiXss->removeEvilHtmlTags($allowed['tags']);
+                    }
+                }
+
                 return $antiXss;
             });
     }

tests/MiddlewareTest.php

@@ -217,3 +217,17 @@ class ExceptXssCleanInput extends XssCleanInput
     expect($request->input('allow'))->toBe('test<script>script</script>');
     expect($request->input('nested.allowed'))->toBe('test<script>script</script>');
 });
+
+it('can allow inline style attributes via config', function () {
+    $request = Request::createFromGlobals()->merge([
+        'key' => '<div style="color: red">Hello</div>',
+    ]);
+
+    config(['xss-protection.anti_xss.allowed.attributes' => ['style']]);
+
+    /** @var XssCleanInput $middleware */
+    $middleware = app(XssCleanInput::class);
+    $middleware->handle($request, fn ($request) => $request);
+
+    expect($request->input('key'))->toBe('<div style="color: red">Hello</div>');
+});