Yes, you can use some php functions in the blade syntax, although this is not documented correctly and you need to be careful too, since {{}} is the same as echo, so if you put something like print(), print_r or var_dump will work, but more complex things don't work, it literally doesn't replace
Why an iframe?
Note that this is not a common iframe, it has the sandbox attribute, while the strip_tags () function has removed the tags, the iframe will literally kill onclick (), onerro () and the like, isolating the code, however, a A pessimist will say that he can still use the address bar, in fact laravel already has an escape, but you can create middleware and list it in the middlewaregroup at app / http /kernel.php. So, you will have the opportunity to make sure that the requested url is eligible
Less painful alternative
As this article explains: https://kuztek.com/blog/use-laravel-purifier-securit you can use the HTMLPurifier, follow the procedure below
Install the package:
composer require mews/purifier
Generate the configuration file:
php artisan vendor:publish --provider="Mews\Purifier\PurifierServiceProvider"
Change 'HTML.Allowed' in config / purifier.php
'HTML.Allowed' => 'h1[class],h2[class],h3[class],h4[class],h5[class],div[class],b,strong[style|class],i[class],em,a[href|title|class],ul[style|class],ol[style|class],li[style|class],p[style|class],br,blockquote[class],span[style|class],img[width|height|alt|src|class]',
No further action is needed, just call it on the blade, replacing $body with the variable containing the html code
{{ clean($body) }}
![](\"images/test.jpg\")
