Dispatch event

Author: pascalbaljet

README.md

@@ -77,7 +77,11 @@ By default, the middleware transforms malicious input to `null`. You may configu
 
 ### Terminate request
 
-Instead of transforming malicious input, you may configure the middleware to terminate the request whenever anything malicious has been found. You may do this by setting the `middleware.terminate_request_on_malicious_input` to `true`, which will throw an HttpException with status code 403.
+Instead of transforming malicious input, you may configure the middleware to terminate the request whenever anything malicious has been found. You may do this by setting the `middleware.terminate_request_on_malicious_input` to `true`, which will throw an `HttpException` with status code 403.
+
+### Dispatch event
+
+You may configure the middleware to dispatch an event whenever malicious input has been found. Setting the `middleware.dispatch_event_on_malicious_input` to `true` will dispatch an `ProtoneMedia\LaravelXssProtection\Events\MaliciousInputFound` event with the malicious keys and full request.
 
 ## Changelog
 

config/xss-protection.php

@@ -15,5 +15,7 @@
         'completely_replace_malicious_input' => true,
 
         'terminate_request_on_malicious_input' => false,
+
+        'dispatch_event_on_malicious_input' => false,
     ],
 ];

src/Events/MaliciousInputFound.php

@@ -0,0 +1,12 @@
+<?php
+
+namespace ProtoneMedia\LaravelXssProtection\Events;
+
+use Illuminate\Http\Request;
+
+class MaliciousInputFound
+{
+    public function __construct(public array $keys, public Request $request)
+    {
+    }
+}

src/Events/Sanitized.php

@@ -0,0 +1,7 @@
+<?php
+
+namespace ProtoneMedia\LaravelXssProtection\Cleaners;
+
+class RequestSanitized
+{
+}

src/Middleware/XssCleanInput.php

@@ -6,6 +6,7 @@
 use GrahamCampbell\SecurityCore\Security;
 use Illuminate\Foundation\Http\Middleware\TransformsRequest;
 use ProtoneMedia\LaravelXssProtection\Cleaners\BladeEchoes;
+use ProtoneMedia\LaravelXssProtection\Events\MaliciousInputFound;
 use Symfony\Component\HttpFoundation\File\UploadedFile;
 
 class XssCleanInput extends TransformsRequest
@@ -40,6 +41,13 @@ class XssCleanInput extends TransformsRequest
         //
     ];
 
+    /**
+     * Array of sanitized keys.
+     *
+     * @var array
+     */
+    protected $sanitizedKeys = [];
+
     /**
      * Create a new instance.
      *
@@ -63,13 +71,29 @@ public function __construct(Security $security, BladeEchoes $bladeEchoCleaner)
      */
     public function handle($request, Closure $next)
     {
+        $this->sanitizedKeys = [];
+
         foreach (static::$skipCallbacks as $callback) {
             if ($callback($request)) {
                 return $next($request);
             }
         }
 
-        return parent::handle($request, $next);
+        $this->clean($request);
+
+        if (count($this->sanitizedKeys) === 0) {
+            return $next($request);
+        }
+
+        if ($this->enabledInConfig('dispatch_event_on_malicious_input')) {
+            event(new MaliciousInputFound($this->sanitizedKeys, $request));
+        }
+
+        if ($this->enabledInConfig('terminate_request_on_malicious_input')) {
+            abort(403, 'Malicious input found.');
+        }
+
+        return $next($request);
     }
 
     /**
@@ -90,28 +114,33 @@ protected function transform($key, $value)
         }
 
         if ($value instanceof UploadedFile) {
-            return config('xss-protection.middleware.allow_file_uploads') ? $value : null;
+            if ($this->enabledInConfig('allow_file_uploads')) {
+                return $value;
+            }
+
+            $this->sanitizedKeys[] = $key;
+
+            return null;
         }
 
         $output = $this->security->clean((string) $value);
 
-        if (!config('xss-protection.middleware.allow_blade_echoes')) {
+        if (!$this->enabledInConfig('allow_blade_echoes')) {
             $output = $this->bladeEchoCleaner->clean((string) $output);
         }
 
         if ($output === $value) {
             return $output;
         }
 
-        if (config('xss-protection.middleware.terminate_request_on_malicious_input')) {
-            abort(403, 'Malicious input found.');
-        }
+        $this->sanitizedKeys[] = $key;
 
-        if (config('xss-protection.middleware.completely_replace_malicious_input')) {
-            return null;
-        }
+        return $this->enabledInConfig('completely_replace_malicious_input') ? null : $output;
+    }
 
-        return $output;
+    private function enabledInConfig($key): bool
+    {
+        return config("xss-protection.middleware.{$key}");
     }
 
     /**

tests/MiddlewareTest.php

@@ -2,6 +2,8 @@
 
 use Illuminate\Http\Request;
 use Illuminate\Http\UploadedFile;
+use Illuminate\Support\Facades\Event;
+use ProtoneMedia\LaravelXssProtection\Events\MaliciousInputFound;
 use ProtoneMedia\LaravelXssProtection\Middleware\XssCleanInput;
 use Symfony\Component\HttpKernel\Exception\HttpException;
 
@@ -19,6 +21,24 @@
     expect($request->input('key'))->toBe('test');
 });
 
+it('can dispatch an event with the transformed keys and request', function () {
+    $request = Request::createFromGlobals()->merge([
+        'key' => 'test<script>script</script>',
+    ]);
+
+    config(['xss-protection.middleware.dispatch_event_on_malicious_input' => true]);
+
+    Event::fake();
+
+    /** @var XssCleanInput $middleware */
+    $middleware = app(XssCleanInput::class);
+    $middleware->handle($request, fn ($request) => $request);
+
+    Event::assertDispatched(function (MaliciousInputFound $event) use ($request) {
+        return $event->request === $request && $event->keys === ['key'];
+    });
+});
+
 it('can add a callback to skip a request', function () {
     class SkipXssCleanInput extends XssCleanInput
     {