I am using Laravel 5.2 and for some reason the blade standard tags {{...}} are not escaping HTML as wrote in the documentation.
When I tries to write for example {{ HTML::tag('span','hello') }} I get the correct HTML and see hello in my browser. The I get same results if I write {!! HTML::tag('span','hello') !!}.
So why the {{...}} tags does not escaping the HTML tags, as they should?
you should use {{...}} for variable printing.
and {!!...!!} this for normal html. you can just write plain html without braces and it will show correctly.
Related
I am new to Vue js, Inertia and Laravel.
But I have gotten stuck and cannot figure out what the problem is even though I try searching google and looking at videos.
I have this code
<div v-for="(seed, index) in seeds" :key="index">
Id {{ seed.id }}
<inertia-link :href="'/fert/' + '{{ seed.id }}'">
Go to seed
</inertia-link>
</div>
And The first {{ seed.id }} outside of the links looks great, it shows the actual id.
However then {{ seed.id }} within the link formats, so the link shows this:
Id 1Go to seed
Why is it formatting inside the link but not outside? and how to I fix it?
Thanks in advance, and yes I am very noob. sorry
You shouldn't use curly braces in attribute's value.
Using :[attribute-name] already tells Vue that you gonna use some JS expressions in value
:href="'/fert/' + seed.id"
You shouldn't use curly braces within the link. A nicer way to concatenate vars with text is to use template literal ES6 with backticks
<inertia-link :href="`/fert/${seed.id}`">Go to seed</inertia-link>
#Asking
Help me for my problem, when i built a website with Laravel
i am render my post with syntax like this :
<div>
<p>{!! $post->content !!}</p>
</div>
but i have problem, when i insert a i frame inside post, because the html has been removed with {!! !!}.
i have to try use {{ $post->content }}, but all content rendered with HTML
Any solution to this problem? ?
Thanks very much
With {!! you paste content "as is", in other words you become vulnerable to all types of issues like allowing <script> tags to be placed into your templates.
The {{ syntax will escape any HTML thus what you see is the actual html characters without actually parsing it (i.e. doing {{ '<b>bold</b>' }} will not result in a bold font but in the text <b>bold</b>).
Now with your problem: there are some cumbersome ways to filter out any html tags yourself and leave the <iframe>'s in there (something like {!! only_iframe($content) !!}), but it is quite difficult and will likely not result in a safe solution.
Your own answer which stated that you used {!!html_entity_decode($post->content)!!} simply means that your HTML was encoded to start with, which is not something I can deduct from your question. Note that you are now vulnerable to malicious code injection if you are not certain you can control the contents of $post->content.
How to prevent Vue.js from running code within the < code > tags produced by markdown? It's a Laravel 5.5 + Vue.js 2.x project with 'andreasindal/laravel-markdown' package for markdown. The code that's Vue is trying to run is actually a Laravel Blade directive and it seems that Blade itself doesn't try to process it (since I'm getting a Vue error regarding this in the console).
{{ session('notificationType') }}
I tired modifying the Parsedown.php class (which is used by 'andreasindal/laravel-markdown') to replace all the '{' with the HTML ASCII characters. The replacement did work, but Vue still processed those.
If you do not want Vuejs to evaluate anything inside an HTML element you can use the v-pre directive as:
<code v-pre> {{ name }} </code>
In the above example vue will ignore everything inside the tags so, the name variable won't be evaluated and everything will be rendered as is.
* more on v-pre
I've defined a Blade section called title, which I use like, for example, #section('title', 'Log in'), which will then get printed as <h1>Log in</h1>. However on some pages the title will be determined by user input (namely $subject). I've found that if I do #section('title', $subject->name) then this value will not be escaped which leaves my site open to XSS attacks. How can I avoid this?
In Laravel you can use the e helper function to escape values. You should be able to do something like this:
#section('title', e($subject->name))
If you take a look in the BladeCompiler code, you can see that Laravel itself converts the default escaped output ({{ }}) into e(..)
I know that you can change the default blade delimiter using
Blade::setEscapedContentTags('[[', ']]');
Blade::setContentTags('[[[', ']]]');
However I don't know where should I put it so that it only affect single blade template as opposed to putting it at app/start/global.php which affect whole application.
If you only want to use different tags for a single view, you can set the tags in the closure or controller action that will generate the view.
Route::get('/', function()
{
Blade::setEscapedContentTags('[[', ']]');
Blade::setContentTags('[[[', ']]]');
return View::make('home');
});
This could be an issue if you want to use the normal tags {{ and }} in an application layout but your custom ones in a nested view - I'm not sure what the best approach there would be.
The solution with Blade::setEscapedContentTags / Blade::setContentTags doesn't work in the latest versions of Laravel (checked at 5.6).
The recommended approach is (https://laravel.com/docs/5.6/blade#blade-and-javascript-frameworks):
Blade & JavaScript Frameworks
Since many JavaScript frameworks also use "curly" braces to indicate a
given expression should be displayed in the browser, you may use the #
symbol to inform the Blade rendering engine an expression should
remain untouched. For example:
Hello, #{{ name }}.
In this example, the #symbol will be removed by
Blade; however, {{ name }} expression will remain untouched by the
Blade engine, allowing it to instead be rendered by your JavaScript
framework.
The #verbatim Directive
If you are displaying JavaScript variables in
a large portion of your template, you may wrap the HTML in the
#verbatim directive so that you do not have to prefix each Blade echo
statement with an # symbol:
#verbatim
<div class="container">
Hello, {{ name }}.
</div>
#endverbatim
Simply use #verbatim directive.wrap your whole code in it and blade will just ignore all the curly braces.