For example, I have a blog, and to add news, I need to enclose text in tags. But when I bring the news, Laravel does not recognize the tags. How to make the laravel recognize the tags, or the text editing solution is ready to eat, it may look like here on Stackowerflow.
2 answers
By default, all displayed content is screened; all HTML elements and entities are shown as is, rather than processed by the browser. If you do not want the data to be escaped, use the following syntax:
Hello, {!! $name !!}. Those. The $name variable may contain the following code:
<script> alert('Name'); </script> But, as you know, it is not safe, because I can add while , thereby breaking the site ..
<script> while(1) alert('Name'); </script> UPD
Even on the off site it says:
Blade
{{ }}statements to prevent XSS attacks .
entithat entithat
3.583 1 golden mark 7 silver marks 28 bronze marks
- Note: Be careful with displaying content that is received from users. Always use double curly braces to escape possible HTML elements and entities. What is it like? can be an example. - Anton Pivovarov
- @ AntonPivovarov, for example, when registering, the user could enter this script in the Name field. And then when displaying the username as the author of the post or something else, you can fall for this trick and the script will be executed (maybe even each user, if the post can see everything) . Therefore, it is worth displaying it through
{{ }}, an example:{{ $post->text }}. - entithat - one@ AntonPivovarov that is the point is that {!! $ name !!} is better to use on content that you fully trust (either which you contribute yourself, or which goes through additional processing on xss), but {{$ name}} will do these checks for you. - Denis Startsev
|
When outputting, use
{!! $name !!} 
Denis Startsev Denis Startsev
1,067 5 silver marks 14 bronze marks
|