Releases: Blaspsoft/blasp
Release list
v4.0.1
Bug Fixes
- Invisible Unicode bypass: Strip
\p{Cf}format characters (zero-width spaces, invisible separators) from input before processing, so profanity likefuck(with U+2063) is correctly detected - Asterisk censoring bypass: Add
*as a universal letter substitution so censored profanity likef*g,s**t,f**kis detected - Internal masking: Use
\x01instead of*for internal masking during detection loop to prevent re-matching masked text - Null safety: Guard against
preg_replacereturning null on malformed UTF-8 input
v4.0.0
Blasp v4.0.0
A ground-up rewrite with a driver-based architecture, severity scoring, and deep Laravel integration.
New Features
- Driver-based architecture —
regex(obfuscation/substitution detection),pattern(fast exact matching),phonetic(sound-alike evasion via metaphone + Levenshtein), andpipeline(chain multiple drivers together). Extend with custom drivers. - Severity scoring — Profanities categorised as mild/moderate/high/extreme with per-word weights and a 0–100 composite score. Filter by minimum severity threshold.
- Multi-language support — English, Spanish, German, French with language-specific normalizers and severity maps. Check one, many, or all at once via fluent API.
- Masking strategies — Character mask (
*,#), grawlix (!@#$%), or a custom callback. - Eloquent integration —
Blaspabletrait auto-sanitizes or rejects profanity on model save, withwithoutBlaspChecking()for bypassing. - Middleware —
CheckProfanitymiddleware to reject or sanitize profane request fields with configurable severity and field filtering. - Validation rule —
blasp_checkrule with language support. - Blade directive —
@clean($text)for output sanitization. - Str/Stringable macros —
Str::isProfane(),Str::cleanProfanity(), and Stringable equivalents. - Result caching — Configurable cache driver, TTL, and key eviction.
- Events —
ProfanityDetected,ContentBlocked,ModelProfanityDetected. - Testing utilities —
Blasp::fake()for test doubles with assertions.
Breaking Changes
- Namespace flattened —
Blaspsoft\Blasp\Laravel\merged intoBlaspsoft\Blasp\. Update any direct class references. - Service provider renamed —
ServiceProvider→BlaspServiceProvider(auto-discovery handles this). - Config file renamed —
config/config.php→config/blasp.php. Re-publish withphp artisan vendor:publish --tag="blasp-config". - API changes —
check()now returns aResultobject withisOffensive(),clean(),score(),severity(),count(),words(),uniqueWords(). Previous methods likehasProfanity(),getCleanString(),getProfanitiesCount()are removed.
Compatibility
- PHP 8.2+
- Laravel 8.0 – 13.x
Full Changelog
v3.1.9
Bug Fix
- Fix false positives when profanity is a substring of a regular word — Words like
space,spacious,aerospace,workspacewere incorrectly flagged because the profanityspacmatched as a substring. Instead of adding more words to the false positives list, a systematic check now automatically skips pure alphabetic profanity matches embedded inside larger regular words.
Still detected
- Standalone profanity (
spac,fuck,ass) - Obfuscated variants (
sp@c,f-u-c-k,a$$) - Conjugated forms (
fucks,fucker,fuckings) - Compound profanity (
cuntfuck,fuckingshitcuntfuck) - Repeated-letter obfuscation (
ccuunntt,fuuuck)
No longer falsely flagged
- Any regular word containing a profanity substring (
space,spacious,aerospace,cocktails,class, etc.)
Closes #32
v3.1.8
Bug Fixes
- Fixed false positives when profanity detection incorrectly matched across separate words:
"an alert"no longer flags"anal""has 5 faces"no longer flags"ass"
The fix distinguishes between intentional obfuscation (like "@ss" which contains letters + special characters) and accidental word combinations (like "an al" which contains only letters).
What's Changed
- Improved
isSpanningWordBoundary()logic to check if standalone portions contain both letters AND non-letter characters - Added test cases for the new edge cases
v3.1.7
What's Changed
Bug Fixes
-
fix: detect partial spacing profanity obfuscation - Profanity obfuscation using partial spacing is now correctly detected:
"s hit"→ detected as "shit""f uck"→ detected as "fuck""t wat"→ detected as "twat""fu c k"→ detected as "fuck""tw a t"→ detected as "twat"
-
fix: convert byte offset to character offset for multibyte support - Fixed boundary checks to work correctly with multibyte characters (accented letters in French, German, etc.)
Technical Details
The isSpanningWordBoundary() method was refactored to check surrounding context instead of relying on heuristics about single-character parts. This ensures partial spacing obfuscation is detected while still preventing false positives like "This musicals hit".
Full Changelog: v3.1.6...v3.1.7
v3.1.6
Bug Fixes
- Fix accented character false positives (#24): Added
/u(PCRE_UTF8) flag to generated profanity regex patterns, preventing multi-byte UTF-8 characters (e.g.ê,é) from being matched byte-by-byte and causing false positives on words like "tête" and "aré". - Validate UTF-8 input: Added encoding validation at the
check()entry point to sanitize non-UTF-8 strings before regex matching, preventing silentpreg_matchfailures.
v3.1.5
v3.1.4
Bug Fix
- Fix false positive detection for common words (#32) — Words like "assignment", "passion", "classroom", "passenger" were incorrectly flagged because they contain the substring "ass". Added ~200 common English words to the
false_positiveslist covering substrings:ass,tit,cum,nig,rap,nob.
v3.1.3
Bug Fix
- Fix UUID flagged as profanity (#23) — UUIDs like
6ec3e80f-...-144a2ef5800bwere incorrectly flagged because800bmapped toboobvia character substitutions. Added anisInsideHexToken()guard that skips matches inside UUIDs, MD5/SHA hashes, and other long hex strings while leaving normal profanity detection intact.
v3.1.2
Bug Fix
- Fix circular substitution handling (#35) — Replaced sequential
preg_replacewith a single-pass character walker that prevents circular substitutions (e.g., Frenchc→kandk→c) from producing malformed regex. Multi-char substitution values now use alternation instead of character classes. Language-specific substitutions are properly merged again.