To prevent some XSS attacks, I’d like to add a middleware to my routes.php file in the plugin to clean up any potentially malicious URL such as http://yourapp.dev//combine/a<img%20src%3da%20onerror%3dalert(1)>
I can’t find a way to add a middleware for every CMS route, maybe this is the wrong way to do this?
To add to this:
in OctoberCMS V3 you also have the app directory with a Provider.php file, which I think is a great place for site/installation-wide modifications.
In your case, I’d go for pushing the middleware directly into the kernel in Provider.php, as I’m not sure the CMSController would be hit for a route as /combine.
I’m not 100% sure about the request life cycle though, but I think the main difference is that by extending the CMS or BackendController you can choose for which part you want the middleware to apply, while the kernel middlewares get hit for every request.
Adding some more here. The backend.middleware_group and cms.middleware_group configuration files allow you to change the default middleware group for all relevant routes.
/*
|--------------------------------------------------------------------------
| Middleware Group
|--------------------------------------------------------------------------
|
| The name of the middleware group to apply to all CMS application routes.
| You may use this to apply your own middleware definition, or use some
| of the defaults: web, api
|
*/
'middleware_group' => 'web',
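
A sketch of the kernel-level approach suggested in the replies above, as an added example that is not from the original posts or from October CMS itself. The class name `RejectMarkupInPath`, its `App\Middleware` namespace and the rejected character set are assumptions chosen for illustration; it rejects the request rather than rewriting the URL.

```php
<?php
// Added example. Split into the two files named below when using it.

// File: app/Middleware/RejectMarkupInPath.php (hypothetical name and location)
namespace App\Middleware {

    use Closure;
    use Illuminate\Http\Request;

    class RejectMarkupInPath
    {
        // Constructed deny-list: angle brackets and ASCII control characters.
        const PATTERN = '/[<>\x00-\x1F\x7F]/';

        public function handle(Request $request, Closure $next)
        {
            // decodedPath() applies rawurldecode(), so "%3C" and a literal "<"
            // are treated alike. Only the path is checked, not the query string.
            if (preg_match(self::PATTERN, $request->decodedPath())) {
                return response('Bad Request', 400);
            }

            return $next($request);
        }
    }
}

// File: app/Provider.php
namespace App {

    use App\Middleware\RejectMarkupInPath;
    use Illuminate\Contracts\Http\Kernel;
    use System\Classes\AppBase;

    class Provider extends AppBase
    {
        public function boot()
        {
            parent::boot();

            // Global (kernel) middleware: applies to every request, not just
            // the routes covered by cms.middleware_group or backend.middleware_group.
            $this->app->make(Kernel::class)->pushMiddleware(RejectMarkupInPath::class);
        }
    }
}
```

A path filter like this only narrows what reaches the application; whatever code echoes the path back into a response still needs to escape it on output.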