Process Markdown Securely with Laravel's inlineMarkdown Method

Last updated on by

Process Markdown Securely with Laravel's inlineMarkdown Method image

Laravel enhances string processing capabilities with the inlineMarkdown method, providing secure transformation of GitHub-flavored Markdown into inline HTML with built-in XSS protection and customizable security options.

The inlineMarkdown method enables safe Markdown conversion with granular control over security settings:

use Illuminate\Support\Str;
 
// Basic conversion
$html = Str::inlineMarkdown('**Laravel**');
// Result: <strong>Laravel</strong>
 
// Secure conversion with options
$html = Str::inlineMarkdown(
'Inject: <script>alert("Hello XSS!");</script>',
[
'html_input' => 'strip',
'allow_unsafe_links' => false,
]
);
// Result: Inject: alert("Hello XSS!");

This method proves particularly valuable in user-generated content systems:

class ContentProcessor
{
protected $secureOptions = [
'html_input' => 'strip',
'allow_unsafe_links' => false
];
 
public function formatPost(string $content)
{
return Str::inlineMarkdown(
$content,
$this->secureOptions
);
}
 
public function processHashtags(string $content)
{
// Convert #hashtag to links while preserving markdown
$processed = preg_replace(
'/#(\w+)/',
'[#$1](/tags/$1)',
$content
);
 
return Str::inlineMarkdown(
$processed,
$this->secureOptions
);
}
 
public function formatSystemMessage(string $template, array $variables)
{
$content = strtr($template, $variables);
 
return Str::inlineMarkdown(
$content,
[
'html_input' => 'escape',
'allow_unsafe_links' => false
]
);
}
}
 
// Usage
$processor = new ContentProcessor();
 
$post = $processor->formatPost('**Breaking** news update!');
$hashtag = $processor->processHashtags('Love #Laravel development!');

The method excels in forum and discussion systems where rich formatting needs security:

class ForumPostService
{
public function processReply(string $content, User $author)
{
// Handle code blocks and formatting
$formatted = Str::inlineMarkdown($content, [
'html_input' => 'strip',
'allow_unsafe_links' => false,
'use_autolinks' => true
]);
 
return $this->addAuthorContext($formatted, $author);
}
 
public function formatQuote(string $originalContent, string $newContent)
{
$quote = "> " . str_replace("\n", "\n> ", $originalContent);
$combined = $quote . "\n\n" . $newContent;
 
return Str::inlineMarkdown($combined, [
'html_input' => 'strip',
'allow_unsafe_links' => false
]);
}
 
public function processCodeSnippet(string $content)
{
return Str::inlineMarkdown($content, [
'html_input' => 'strip',
'allow_unsafe_links' => false,
'use_underline' => false // Prevent conflicts with code
]);
}
}

For notification systems requiring formatted messages:

class NotificationFormatter
{
public function formatActivityUpdate(Activity $activity)
{
$template = '**{user}** {action} in *{project}*';
 
$message = strtr($template, [
'{user}' => $activity->user->name,
'{action}' => $activity->description,
'{project}' => $activity->project->title
]);
 
return Str::inlineMarkdown($message, [
'html_input' => 'escape',
'allow_unsafe_links' => false
]);
}
 
public function formatSystemAlert(string $message, array $context = [])
{
$processed = strtr($message, $context);
 
return Str::inlineMarkdown($processed, [
'html_input' => 'strip',
'allow_unsafe_links' => false,
'use_autolinks' => false // Disable for security
]);
}
}

The inlineMarkdown method ensures secure Markdown processing by providing comprehensive XSS protection while maintaining the flexibility to format user content with common Markdown syntax like bold, italic, links, and code spans.

Harris Raftopoulos photo

Senior Software Engineer • Staff & Educator @ Laravel News • Co-organizer @ Laravel Greece Meetup

Cube

Laravel Newsletter

Join 40k+ other developers and never miss out on new tips, tutorials, and more.

image
SerpApi

The Web Search API for Your LLM and AI Applications

Visit SerpApi
Acquaint Softtech logo

Acquaint Softtech

Acquaint Softtech offers AI-ready Laravel developers who onboard in 48 hours at $3000/Month with no lengthy sales process and a 100 percent money-back guarantee.

Acquaint Softtech
Tinkerwell logo

Tinkerwell

The must-have code runner for Laravel developers. Tinker with AI, autocompletion and instant feedback on local and production environments.

Tinkerwell
Lucky Media logo

Lucky Media

Get Lucky Now - the ideal choice for Laravel Development, with over a decade of experience!

Lucky Media
Shift logo

Shift

Running an old Laravel version? Instant, automated Laravel upgrades and code modernization to keep your applications fresh.

Shift
Harpoon: Next generation time tracking and invoicing logo

Harpoon: Next generation time tracking and invoicing

The next generation time-tracking and billing software that helps your agency plan and forecast a profitable future.

Harpoon: Next generation time tracking and invoicing
Laravel Cloud logo

Laravel Cloud

Easily create and manage your servers and deploy your Laravel applications in seconds.

Laravel Cloud
No Compromises logo

No Compromises

Joel and Aaron, the two seasoned devs from the No Compromises podcast, are now available to hire for your Laravel project. ⬧ Flat rate of $9500/mo. ⬧ No lengthy sales process. ⬧ No contracts. ⬧ 100% money back guarantee.

No Compromises
PhpStorm logo

PhpStorm

The go-to PHP IDE with extensive out-of-the-box support for Laravel and its ecosystem.

PhpStorm
Kirschbaum logo

Kirschbaum

Providing innovation and stability to ensure your web application succeeds.

Kirschbaum
SaaSykit: Laravel SaaS Starter Kit logo

SaaSykit: Laravel SaaS Starter Kit

SaaSykit is a Multi-tenant Laravel SaaS Starter Kit that comes with all features required to run a modern SaaS. Payments, Beautiful Checkout, Admin Panel, User dashboard, Auth, Ready Components, Stats, Blog, Docs and more.

SaaSykit: Laravel SaaS Starter Kit

The latest

View all →
EnvKit: A Local Development Stack for Laravel on Windows and macOS image

EnvKit: A Local Development Stack for Laravel on Windows and macOS

Read article
A Copy/Paste Detector CLI for PHP 8.5+ image

A Copy/Paste Detector CLI for PHP 8.5+

Read article
Commune: A Private Community for Founders and Builders image

Commune: A Private Community for Founders and Builders

Read article
 Laravel AI Tasks: An AI Orchestration Package for Queues, Logging, and Cost Control image

Laravel AI Tasks: An AI Orchestration Package for Queues, Logging, and Cost Control

Read article
Worker Metrics on the WorkerStopping Event in Laravel 13.18 image

Worker Metrics on the WorkerStopping Event in Laravel 13.18

Read article
Clonio CLI: Clone Production Databases With Anonymized Data image

Clonio CLI: Clone Production Databases With Anonymized Data

Read article