Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Is this Blade sanitation working correctly (double vs triple curly braces)?

Tags:

php

filter

laravel

blade

I apologize that this is most likely a misunderstanding of my own, rather than there being an actual problem. I'm fairly new to Laravel and Blade templating, and I'm trying to output a few fields taken from an Input::get. When I output the fields via double and triple curly braces, however, there doesn't seem to be a difference between the output.

Here is an excerpt of my View:

@ $data = Input::only('name', 'date');

{{ "Unfiltered input: ".$data['name'] }}

<br />

{{{ "Filtered input: ".$data['name'] }}}

But when I provide an input with special characters or code and I view the source of the rendered page, I see the same, unfiltered input rendered for both.

As per the Laravel documentation, I want to strictly use the {{{ }}} when outputting to a View, but I don't see it actually being "escaped or purified". I haven't quite gotten to setting up the Validation, which is where I believe the main brunt of the security and sanitation is, correct? But just focusing on this for now, am I misunderstanding what the triple curly braces are supposed to do? Or are they doing there job behind the scenes and I'm just not seeing it in the end result? Is there something else I should be doing (in addition to setting up the Validation layer) when outputting user-input like this?

like image 852
cchapman Avatar asked Feb 13 '15 16:02

cchapman

1 Answers

Laravel 4

The only difference between the double and triple curly braces is that the triple curly braces runs the value through the e() helper function, which is just a shortcut to the PHP htmlentities function.

{{ "Unfiltered input: ".$data['name'] }}
{{{ "Filtered input: ".$data['name'] }}}

is compiled into:

<?php echo "Unfiltered input: ".$data['name']; ?>
<?php echo e("Filtered input: ".$data['name']); ?>

But, all of this happens on output. It doesn't have anything to do with sanitizing input.

Laravel 5

In Laravel 5, the Blade syntax was changed so that double curly braces ({{ }}) will escape the output, and a new curly brace double exclamation syntax ({!! !!}) will not escape the output.

So, 

{{ "Filtered input: ".$data['name'] }}
{!! "Unfiltered input: ".$data['name'] !!}

is compiled into:

<?php echo e("Filtered input: ".$data['name']); ?>
<?php echo "Unfiltered input: ".$data['name']; ?>
like image 195
patricus Avatar answered Sep 21 '22 19:09

patricus
Sign in to Comment

Related questions

Converting indexed array to normal or simple array
Logging out with HTTP Basic Auth in Laravel
cakePHP value for empty option
Call function directly after constructor: new Object()->callFunction()
How to get first letter of every word using regex in PHP
Can't get http to work in php
Different results for date() and gmdate()
Error: Permission denied to access property 'document'
PHP: Undefined index even if it exists
Autocomplete in yii2
Converting array elements into range in php
How do I validate a drop down list in Laravel PHP?
Phalcon save not working
How to avoid “memory … exhausted” error when using debug_backtrace() in custom error handler?
How is the best way to add select with choices to filters in Sonata Admin?
Add a fee to WooCommerce per product, based on category
Laravel 4.*: Get all cookies
Show data in current day, week, month and year
Class 'App\models\Test' not found when try to access model
Laravel 5 and Socialite, how to save in the database and log-in

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!