Is this Blade sanitation working correctly (double vs triple curly braces)?

I apologize that this is most likely a misunderstanding of my own, rather than there being an actual problem. I'm fairly new to Laravel and Blade templating, and I'm trying to output a few fields taken from an Input::get. When I output the fields via double and triple curly braces, however, there doesn't seem to be a difference between the output.

Here is an excerpt of my View:

@ $data = Input::only('name', 'date');

{{ "Unfiltered input: ".$data['name'] }}

<br />

{{{ "Filtered input: ".$data['name'] }}}

But when I provide an input with special characters or code and I view the source of the rendered page, I see the same, unfiltered input rendered for both.

As per the Laravel documentation, I want to strictly use the {{{ }}} when outputting to a View, but I don't see it actually being "escaped or purified". I haven't quite gotten to setting up the Validation, which is where I believe the main brunt of the security and sanitation is, correct? But just focusing on this for now, am I misunderstanding what the triple curly braces are supposed to do? Or are they doing their job behind the scenes and I'm just not seeing it in the end result? Is there something else I should be doing (in addition to setting up the Validation layer) when outputting user input like this?

cchapman asked Feb 13 '15 16:02


1 Answer

Laravel 4

The only difference between the double and triple curly braces is that the triple curly braces run the value through the e() helper function, which is just a shortcut to the PHP htmlentities function.

{{ "Unfiltered input: ".$data['name'] }}
{{{ "Filtered input: ".$data['name'] }}}

is compiled into:

<?php echo "Unfiltered input: ".$data['name']; ?>
<?php echo e("Filtered input: ".$data['name']); ?>

But, all of this happens on output. It doesn't have anything to do with sanitizing input.

Laravel 5

In Laravel 5, the Blade syntax was changed so that double curly braces ({{ }}) will escape the output, and a new curly brace double exclamation syntax ({!! !!}) will not escape the output.

So,

{{ "Filtered input: ".$data['name'] }}
{!! "Unfiltered input: ".$data['name'] !!}

is compiled into:

<?php echo e("Filtered input: ".$data['name']); ?>
<?php echo "Unfiltered input: ".$data['name']; ?>

patricus answered Sep 21 '22 19:09
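As an added example (not code from the question or the answer), the two compiled forms above rendered in plain PHP: e_stub() is a stand-in for Laravel's e() helper, its htmlentities() flags are assumed to mirror the Laravel 4 helper, and the sample name value is constructed.

```php
<?php
// Added example, not code from the question or the answer.
// e_stub() stands in for Laravel's e() helper; the flags (ENT_QUOTES,
// UTF-8, no double-encoding) are assumed to mirror the Laravel 4 helper.
function e_stub(string $value): string
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8', false);
}

// Produce what the compiled PHP for each Blade form echoes.
function render(array $data): array
{
    return [
        // Laravel 4 {{ }} / Laravel 5 {!! !!}: the value is echoed as-is.
        'raw'     => "Unfiltered input: " . $data['name'],
        // Laravel 4 {{{ }}} / Laravel 5 {{ }}: the value passes through e().
        'escaped' => e_stub("Filtered input: " . $data['name']),
    ];
}

// A fragment is inert in HTML text and quoted-attribute contexts only if
// it carries none of the characters that open a tag or close a quote.
function isInert(string $html): bool
{
    return strpbrk($html, "<>\"'") === false;
}

// Constructed sample: a name containing every character e() must encode.
// It is stored untouched; escaping happens at output, as the answer says.
$data = ['name' => 'O\'Brien <b>&</b> "Sons"'];

foreach (render($data) as $form => $html) {
    printf("%-8s inert=%-3s %s\n", $form, isInert($html) ? 'yes' : 'no', $html);
}
```

Run the script and compare the two lines: only the escaped form is inert, which is why the triple braces (or {{ }} in Laravel 5) belong on every echo of user-controlled data, independent of any validation layer.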