Security Tip: Be Intentional with Your Outputs!

Cross-Site Scripting (XSS) may be one of the most well-known web vulnerabilities, and for good reason. It manages to sneak in everywhere, and there are so many different forms and methods for bypassing controls. If you're doing anything complicated with user inputs and formatting output, you've got the potential for XSS somewhere in your code.

To get around this, we talk about escaping and sanitising, and these come in various forms, but I think we can reduce down all of it into something I repeated far too many times on stage at Laracon AU:

Be intentional with your outputs!

Any time you're using User Input, don't just blindly output it on the page and move on, but intentionally consider:

1. Where the data came from?
2. What format did you received it in?
3. What processing have you done to it?
4. Do you know the security implications of the tools you're using?
5. Where are you displaying it?
6. Can you escape it?
7. If you can't escape it, have you sanitised it?

If you're thinking about all of these aspects, you're far more likely to notice the potential for XSS to sneak it's way in somewhere, and you'll be more aware of areas in your logic that need improvements. You may also end up with cleaner code!

If you found this security tip useful, subscribe to get weekly Security Tips straight to your inbox. Upgrade to a premium subscription for exclusive monthly In Depth articles, or drop a coin in the tip jar to show your support.

Looking for a Laravel Security Audit / Penetration Test, or a budget-friendly Security Review? Feel free to reach out! You can also connect with me on Bluesky, or other socials. And don’t miss Practical Laravel Security, my interactive course designed to boost your Laravel security skills.