You can use App::beforeevent to filter all of your inputs like this

您可以使用App::before事件来过滤所有这样的输入

App::before(function($request)
{
    Input::merge(array_strip_tags(Input::all()));
}

The array_strip_tagsfunction is given below, I've put it in a helper file to call it directly, you may use it as a helper function or as a library but it's easy to use it as a helper function, just create a helper file inside app/start/folder and give it a name, for example custom_helper.phpand include it inside global.phpfile like this

该array_strip_tags函数如下，我已经把它放在一个辅助文件来直接调用它，你可以使用它作为一个辅助函数或作为一个库，但它很容易使用它作为一个辅助功能，只是里面创建一个辅助文件app/start/夹并给它一个名字，例如custom_helper.php并将它包含在这样的global.php文件中

require '/custom_helpers.php';

Function array_strip_tags

功能 array_strip_tags

function array_strip_tags($array)
{
    $result = array();
    foreach ($array as $key => $value) {
        $key = strip_tags($key);
        if (is_array($value)) {
            $result[$key] = array_strip_tags($value);
        }
        else {
            $result[$key] = strip_tags($value);
        }
    }
    return $result;
}

This is copied from an working project of mine.

这是从我的一个工作项目中复制的。

In laravel templates, any data that comes form user input should be enclosed in three curly braces to sanitize it:

在 Laravel 模板中，任何来自用户输入的数据都应该用三个花括号括起来以进行清理：

<h1>{{{ $input }}}</h1>

There's no native xss clean function in Laravel, but if you're desparate for one there is a port of the codeigniter security library available here:

Laravel 中没有原生的 xss clean 功能，但是如果您对一个功能感到绝望，这里有一个 codeigniter 安全库的端口可用：

http://packalyst.com/packages/package/gvlatko/laravel-xss

http://packalyst.com/packages/package/gvlatko/laravel-xss

Here is how I solved this. Inspired on @the-alpha's solution. I'm using Laravel 4.2.

这是我解决这个问题的方法。灵感来自@the-alpha 的解决方案。我正在使用 Laravel 4.2。

app/start/global.php:

app/start/global.php：

function array_strip_tags($array)
{
    $result = array();
    foreach ($array as $key => $value) {
        $key = strip_tags($key);
        if (is_array($value)) {
            $result[$key] = array_strip_tags($value);
        }
        else {
            $result[$key] = strip_tags($value);
        }
    }
    return $result;
}

app/filters.php:

app/filters.php：

Route::filter('strip_tags', function()
{
    Input::merge(array_strip_tags(Input::all()));
});

app/routes.php:

app/routes.php：

Route::group(array('before' => 'strip_tags'), function(){
    // all routes under this route group will get all their inputs passed through the strip_tags php's function
    Route::any('/', ['as' => 'home', 'uses' => 'PageController@anyHome']);
    Route::any('/some-page', ['as' => 'some-page', 'uses' => 'PageController@anySomePage']);
}

Create a new Helper file and put these two methods in you helper.

创建一个新的 Helper 文件并将这两个方法放入您的 helper.conf 文件中。

public static function globalXssClean()
{
    // Recursive cleaning for array [] inputs, not just strings.
    $sanitized = static::arrayStripTags(Input::get());
    Input::merge($sanitized);
}

public static function arrayStripTags($array)
{
    $result = array();

    foreach ($array as $key => $value) {
        // Don't allow tags on key either, maybe useful for dynamic forms.
        $key = strip_tags($key);

        // If the value is an array, we will just recurse back into the
        // function to keep stripping the tags out of the array,
        // otherwise we will set the stripped value.
        if (is_array($value)) {
            $result[$key] = static::arrayStripTags($value);
        } else {
            // I am using strip_tags(), you may use htmlentities(),
            // also I am doing trim() here, you may remove it, if you wish.
            $result[$key] = trim(strip_tags($value));
        }
    }

    return $result;
}

Then put this code in the beginning of your before filter (in Laravel 4 it should be in app/filters.php).

然后将此代码放在你的 before 过滤器的开头（在 Laravel 4 中它应该在 app/filters.php 中）。

App::before(function($request)
{
    Helper::globalXssClean();
});

I examined the Laravel's protection {{{...}}}against xss attack. It just uses the htmlentities()function in the way like this: htmlentities('javascript:alert("xss")', ENT_QUOTES, 'UTF-8', false);This protects you against xss only if you use it properly means dont use it in certain HTML tags because it will result in XSS attack possibility. For example:

我检查了 Laravel{{{...}}}对 xss 攻击的保护。它只htmlentities()是以这样的方式使用该功能：htmlentities('javascript:alert("xss")', ENT_QUOTES, 'UTF-8', false);只有正确使用它才能保护您免受 xss 的侵害，这意味着不要在某些 HTML 标签中使用它，因为它会导致 XSS 攻击的可能性。例如：

$a = htmlentities('javascript:alert("xss")', ENT_QUOTES, 'UTF-8', false); 
echo '<a href="'.$a.'">link</a>';

In this case, your code is vulnerable to xss.

在这种情况下，您的代码容易受到 xss 的攻击。

I believe Laravel doesn't, unfortunately, have a built-in XSS Filter. However, there's a package you can try laravel-xssand it's easy to use, you just need to do something like: $user->about = Xss::clean(Input::get('about');and you're set to go!

不幸的是，我相信 Laravel 没有内置的 XSS 过滤器。然而，有一个包你可以尝试laravel-xss并且它很容易使用，你只需要做一些类似的事情：$user->about = Xss::clean(Input::get('about');你就可以开始了！

There is also another package for XSS filter for laravel which can be downloaded here

还有另一个用于 Laravel 的 XSS 过滤器的包，可以在这里下载

Usage Example:

用法示例：

Simple form code snippet

简单的表单代码片段

{{Form::open(['route' => 'posts.store'])}}
{{Form::text('title')}}
{{Form::textarea('body')}}
{{Form::submit('Post')}}
{{Form::close()}}

Filter package usage

过滤包使用

$rules = ['title' => 'required|min:13', 'body' => 'required|min:150'];
$validator = Validator(Input::all(), $rules);

if($validator->passes()){
  $xss = new XSS;
  $xss->clean(Input::all());
  $input = $xss->get();

  $post = new Post;
  $post->title = $input->title;
  $post->body = $input->body;

  // to test the results you can dd($input); & happy coding everyone!
}