Adding global middleware

To prevent some XSS attack, I’d like to add a middleware to my routes.php file in the plugin to clean up any potential malicious url such as<img%20src%3da%20onerror%3dalert(1)>

I cant find a way to add a middleware for every cms routes, maybe this is the wrong way to do this?

anyone any idea please?

1 Like

Documentation about Global Middleware.

To add to this:
in OctoberCMS V3 you also have the app directory with a Provider.php file, which I think is a great place for site/installation-wide modifications.

In your case, I’d go for pushing the middleware directly into the kernel in Provider.php, as I’m not sure the CMSController would be hit for a route as /combine.
I’m not a 100% sure about the request life cycle though, but I think the main difference is that by extending the CMS or BackendController you can choose for which part you want the middleware to apply, while the kernel middlewares get hit for every request.

excellent, thanks guys! working on it with this info.

On a side note, not sure why Laravel is not XSS attack proof already…

Adding some more here. The backend.middleware_group and cms.middleware_group configuration files allow you to change the default middleware group for all relevant routes.

| Middleware Group
| The name of the middleware group to apply to all CMS application routes.
| You may use this to apply your own middleware definition, or use some
| of the defaults: web, api

'middleware_group' => 'web',

I don’t find a way so far to sanitize those sort of annoying urls through the middleware.

I have this so far

public function handle(\Illuminate\Http\Request $request, Closure $next)
    try {
      $userUri = $request->getUri();
      $safeUrl = strip_tags($userUri);
      $safeUrl = filter_var($safeUrl, FILTER_SANITIZE_URL);

      if ($safeUrl != $userUri) {
     return $next($request);

setting the APP_DEBUG env var to false will mitigate this XSS potential attack.