Swiftpack.co - Package - vapor-community/moat



A line of defense for your Vapor application including XSS attack filtering + extras.

Why use it?

Moat provides custom Leaf tags and String extensions that filter src and href attribute values for XSS payloads, protect unencoded HTML against less common XSS techniques, censor profanity, and, where you explicitly want it, pass HTML through unchanged.

Moat should be used alongside other protections such as a strong Content Security Policy (CSP). A CSP header tells the browser which kinds of resources the page may load and from which origins. See the brokenhandsio/VaporSecurityHeaders library to add security headers to your Vapor application, and check the strength of your policy with Google's CSP Evaluator.

For more information on Vapor application security please visit Broken Hands' Security And Your Vapor Application article.

Filters will be updated regularly to protect against the latest XSS attacks



Protects src and href attributes from XSS attacks. Payloads such as javascript:alert('Vapor') or data:text/html;base64,PHNjcmlwdD5hbGVydCgnVmFwb3InKTwvc2NyaXB0Pg== contain none of the characters that templating engines or HTML encoding escape, so encoding alone does not neutralise them once they land in an src, href or data attribute (<a href="javascript:alert('Vapor')">XSS</a>). Moat strips the dangerous scheme instead: javascript:alert(1) becomes the non-exploitable javascriptalert(1).


Provides XSS protection for raw HTML strings, either via the custom Leaf tag or the String extension. For example <img src=x onerror="alert(1)"> becomes <img src=x ="alert(1)">, which no longer registers an event handler.
Note: this is a filter, not HTML encoding. The content is still rendered as markup, so not all XSS attacks are mitigated. Use it only for HTML you must render as markup and HTML-encode everything else.
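The two passages above make one point: HTML encoding neutralises markup injection, but a javascript: or data: URL carries nothing that encoding touches, so a URL-bearing attribute needs a second, different check. The following is an added example and not Moat's code (Moat removes dangerous substrings from the value; the approach shown here is a scheme allowlist, which is this example's choice, as are the names `htmlEncoded`, `urlForAttribute` and `anchorTag` and the probe strings). It normalises the value the way browsers do before scheme parsing, so whitespace and case tricks do not slip through, and it encodes the result so that an entity-encoded scheme such as `&#106;avascript:` is rendered as inert text rather than decoded by the browser into a live javascript: URL.

```swift
import Foundation

// Added example (not Moat's code): context-sensitive output handling.
// Untrusted text goes through HTML-entity encoding; URL-bearing attributes
// additionally get a scheme allowlist, because "javascript:" contains nothing
// that HTML encoding would change.

extension String {
    /// Escape the characters that can break out of a text node or a quoted
    /// attribute value. The result must be placed inside quotes when used
    /// as an attribute value.
    func htmlEncoded() -> String {
        var out = ""
        out.reserveCapacity(count)
        for ch in self {
            switch ch {
            case "&":  out += "&amp;"
            case "<":  out += "&lt;"
            case ">":  out += "&gt;"
            case "\"": out += "&quot;"
            case "'":  out += "&#39;"
            default:   out.append(ch)
            }
        }
        return out
    }

    /// Return the value to put inside src="..." / href="...", or nil if the
    /// URL's scheme is not on the allowlist. Relative and protocol-relative
    /// URLs (no scheme) are accepted. The default allowlist is an assumption.
    func urlForAttribute(allowedSchemes: Set<String> = ["http", "https", "mailto"]) -> String? {
        // Mirror what browsers do before scheme parsing (WHATWG URL spec):
        // drop leading/trailing C0 controls and spaces, then remove tab, LF and
        // CR anywhere, so "java\tscript:" and " JavaScript:" are seen for what they are.
        let scalars = Array(unicodeScalars)
        var lo = 0, hi = scalars.count
        while lo < hi, scalars[lo].value <= 0x20 { lo += 1 }
        while hi > lo, scalars[hi - 1].value <= 0x20 { hi -= 1 }
        var view = String.UnicodeScalarView()
        for sc in scalars[lo..<hi] where sc != "\t" && sc != "\n" && sc != "\r" {
            view.append(sc)
        }
        let url = String(view)

        // The scheme, if any, is everything before the first ":" unless a "/",
        // "?" or "#" comes first, in which case the URL is relative and the ":"
        // belongs to the path or query (e.g. "/docs?q=a:b").
        guard let end = url.firstIndex(where: { ":/?#".contains($0) }), url[end] == ":" else {
            return url.htmlEncoded()
        }
        let scheme = url[..<end].lowercased()
        // RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ).
        // A malformed scheme (e.g. one containing a NUL byte) is rejected, not guessed at.
        let wellFormed = scheme.first?.isLetter == true
            && scheme.allSatisfy { $0.isASCII && ($0.isLetter || $0.isNumber || "+-.".contains($0)) }
        guard wellFormed, allowedSchemes.contains(scheme) else { return nil }
        return url.htmlEncoded()
    }
}

/// Render a link with both checks applied: the label is text context, the href
/// is URL context. An unacceptable URL drops the link instead of emitting it.
func anchorTag(href: String, label: String) -> String {
    guard let safeHref = href.urlForAttribute() else {
        return "<span>\(label.htmlEncoded())</span>"
    }
    return "<a href=\"\(safeHref)\">\(label.htmlEncoded())</a>"
}

// Constructed probes: two legitimate URLs, then the page's javascript: and data:
// payloads and obfuscated variants that a plain substring match does not see.
let probes = [
    "https://vapor.codes/",
    "/docs?q=a:b",
    "javascript:alert('Vapor')",
    "  JAVA\tSCRIPT:alert(1)",
    "data:text/html;base64,PHNjcmlwdD5hbGVydCgnVmFwb3InKTwvc2NyaXB0Pg==",
    "&#106;avascript:alert(1)",
]
for probe in probes {
    print("\(probe.debugDescription) -> \(anchorTag(href: probe, label: "<b>Vapor</b>"))")
}
```

The first two probes render as links and the javascript:, data: and whitespace/case variants are dropped. The entity-encoded probe is kept, but because the ampersand is encoded the browser sees the literal text `&#106;avascript:alert(1)`, which has no valid scheme and resolves as a harmless relative path. Run with `swift example.swift`.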


Provides a customizable array of words to censor and a dictionary of words to replace with alternatives. For example fudge becomes ***** and damn becomes dang.

¯\_(ツ)_/¯ (shrug)

Allows raw, unescaped, unfiltered and unprotected HTML to be passed through Leaf. For example the XSS payload <script>alert(1)</script> is neither HTML encoded nor filtered, so use this only for trusted, server-generated markup, never for user input.


  • src/href filter: use #src(string) or #href(string) in Leaf
  • HTML filter: use #html(string) in Leaf, or string.xssFilter() on strings
  • Profanity filter: use #clean(string) in Leaf, or string.profanityFilter() on strings
  • ¯\_(ツ)_/¯ (shrug): use #shrug(string) in Leaf


Add Moat to your Package.swift

dependencies: [
    .package(url: "https://github.com/vapor-community/moat.git", from: "0.0.5")
]

Add Leaf tags to your configure.swift

    import Leaf
    import Moat   // module name assumed from the package name

    // Inside configure(_:_:_:), after LeafProvider has been registered:
    var tags = LeafTagConfig.default()
    tags.use(ProfanityTag(), as: "clean")
    tags.use(SrcTag(), as: "src")
    tags.use(SrcTag(), as: "href")    // the same filter serves both URL attributes
    tags.use(HtmlTag(), as: "html")
    tags.use(ShrugTag(), as: "shrug") // ¯\_(ツ)_/¯
    services.register(tags)           // hand the tag config to the Leaf renderer


Filter.swift contains a customizable list of filters: ProfanityFilter, XSSFilter, SrcFilter and HtmlEncodeFilter. Each holds an array (filterArray) and a dictionary (filterDict). Items in the array are removed when the filter runs, while each dictionary key is replaced with its corresponding value.
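A filter built from a removal array and a replacement dictionary has one well-known failure mode: if it makes a single pass, a nested payload such as `javajavascript:script:` is reassembled by the removal itself. Whether Moat's Filter.swift repeats its passes is not stated on this page. The following is an added example, not Moat's code, showing the shape the page describes together with the convergence check a practitioner would want; the type `StripFilter`, its method names, the case-insensitive matching and the sample inputs are all this example's own choices.

```swift
import Foundation

// Added example (not Moat's Filter.swift): a filter with the two shapes the
// page describes, an array of substrings to remove and a dictionary of
// substrings to replace, plus a fixed-point loop so nesting cannot undo it.

struct StripFilter {
    var filterArray: [String]          // substrings to delete
    var filterDict: [String: String]   // substrings to replace
    var caseInsensitive = true         // attribute names and URL schemes are case-insensitive

    private var options: String.CompareOptions {
        caseInsensitive ? [.caseInsensitive] : []
    }

    /// One pass over the input, as a naive implementation would do it.
    /// Dictionary entries are applied longest key first so the result does
    /// not depend on Swift's unordered dictionary iteration.
    func applyOnce(_ input: String) -> String {
        var s = input
        for needle in filterArray {
            s = s.replacingOccurrences(of: needle, with: "", options: options)
        }
        for (needle, replacement) in filterDict.sorted(by: { $0.key.count > $1.key.count }) {
            s = s.replacingOccurrences(of: needle, with: replacement, options: options)
        }
        return s
    }

    /// Repeat until the output stops changing. Without this, deleting
    /// "javascript:" from "javajavascript:script:" leaves "javascript:",
    /// i.e. the one pass hands back exactly the string it was meant to destroy.
    /// Returns nil if the filter never converges (a replacement that contains
    /// its own key), which is a configuration bug and should fail closed.
    func apply(_ input: String, maxPasses: Int = 16) -> String? {
        var current = input
        for _ in 0..<maxPasses {
            let next = applyOnce(current)
            if next == current { return current }
            current = next
        }
        return nil
    }
}

// Constructed inputs. The src-style filter first shows the single-pass
// problem, then the converged result; the profanity-style filter shows the
// dictionary replacement from the page; the last filter can never converge.
let src = StripFilter(filterArray: ["javascript:", "data:", "vbscript:"], filterDict: [:])
let nested = "javajavascript:script:alert(1)"
print("one pass:   \(src.applyOnce(nested))")
print("converged:  \(src.apply(nested) ?? "rejected")")

let clean = StripFilter(filterArray: [], filterDict: ["damn": "dang", "fudge": "*****"])
print("profanity:  \(clean.apply("Well, damn. Fudge!") ?? "rejected")")

let runaway = StripFilter(filterArray: [], filterDict: ["a": "aa"])
print("runaway:    \(runaway.apply("a") ?? "rejected")")
```

One pass leaves the src payload intact, the fixed-point loop reduces it to `alert(1)`, and the runaway configuration is refused rather than looping. Even with the loop, removal-based filtering remains a blacklist; the scheme allowlist and HTML encoding described earlier on this page are the stronger control, and a filter like this is a supplement to them.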


More information on XSS (Cross-Site Scripting):


Stars: 4


0.0.5 - Jun 6, 2018

This release contains a patch to fix public declaration errors for custom Leaf tags.

0.0.4 - Jun 5, 2018

Package.Swift Updated for Leaf + Fixes

0.0.1 - Jun 2, 2018

Initial pre-release of Moat.