Laravel Escaping All HTML in Blade Template

迷失自我 2020-11-30 07:01

I'm building a small CMS in Laravel and I tried to show the content (which is stored in the DB). It is showing the HTML tags instead of executing them. It's like there is an

6 answers
  • 2020-11-30 07:35

    Change your syntax from {{ }} to {!! !!}.

    As The Alpha said in a comment above (not an answer so I thought I'd post), in Laravel 5, the {{ }} (previously non-escaped output syntax) has changed to {!! !!}. Replace {{ }} with {!! !!} and it should work.

  • 2020-11-30 07:37

    {{html_entity_decode ($post->content())}} solved the issue for me with Laravel 4.0. Now my HTML content is interpreted as it should.

  • 2020-11-30 07:38

    There is no problem with displaying HTML code in blade templates.

    For test, you can add to routes.php only one route:

    Route::get('/', function () {
    
            $data = new stdClass();
            $data->page_desc
                = '<strong>aaa</strong><em>bbb</em>
                   <p>New paragraph</p><script>alert("Hello");</script>';
    
            return View::make('hello')->with('content', $data);
        }
    );
    

    and in hello.blade.php file:

    <!doctype html>
    <html lang="en">
    <head>
        <meta charset="UTF-8">
    </head>
    <body>
    
    {{ $content->page_desc }}
    
    </body>
    </html>
    

    For the following code you will get the output shown in the image:

    [Image: Output]

    So probably page_desc in your case is not what you expect. But as you see, it can be potentially dangerous if someone uses, for example, a <script> tag, so you should probably filter some tags in your route before assigning the content to the Blade template.

    EDIT

    I've also tested it with putting the same code into database:

    Route::get('/', function () {
    
            $data = User::where('id','=',1)->first();
    
            return View::make('hello')->with('content', $data);
        }
    );
    

    Output is exactly the same in this case

    Edit2

    I also don't know if Pages is your model or if it's a vendor model. For example, it can have an accessor inside:

    public function getPageDescAttribute($value)
    {
        return htmlspecialchars($value);
    }
    

    and then when you get the page_desc attribute you will get page_desc modified with htmlspecialchars. So if you are sure that the data in the database is raw HTML (not escaped), you should look at this Pages class.

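Added example (not part of any answer above): one way to do the tag filtering the third answer recommends before stored HTML is printed unescaped with {!! !!}, using PHP's DOM extension. The function name sanitizeCmsHtml and its allowlists are assumptions for illustration.

```php
<?php
// Added example, not code from the thread. sanitizeCmsHtml() and its tag
// lists are illustrative assumptions; adjust the allowlist to your CMS.
function sanitizeCmsHtml(string $html): string
{
    $keep = ['p', 'strong', 'em', 'ul', 'ol', 'li', 'br', 'a']; // allowed elements
    $drop = ['script', 'style', 'iframe', 'object', 'embed'];    // removed with content

    $doc = new DOMDocument();
    libxml_use_internal_errors(true);           // tolerate sloppy editor markup
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>', LIBXML_NONET);
    libxml_clear_errors();
    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    $xpath = new DOMXPath($doc);
    // Snapshot first: the tree is modified while we walk it.
    foreach (iterator_to_array($xpath->query('.//* | .//comment()', $body)) as $node) {
        if ($node instanceof DOMComment || in_array($node->nodeName, $drop, true)) {
            $node->parentNode->removeChild($node);
        } elseif (!in_array($node->nodeName, $keep, true)) {
            // Unknown element: keep its children, discard the tag itself.
            while ($node->firstChild) {
                $node->parentNode->insertBefore($node->firstChild, $node);
            }
            $node->parentNode->removeChild($node);
        } else {
            // Allowed element: strip every attribute except a safe href on <a>.
            foreach (iterator_to_array($node->attributes) as $attr) {
                $safeHref = $node->nodeName === 'a' && $attr->nodeName === 'href'
                    && preg_match('#^(https?://|mailto:)#i', $attr->value) === 1;
                if (!$safeHref) {
                    $node->removeAttributeNode($attr);
                }
            }
        }
    }
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample input, based on the test string in the answer above.
$stored = '<strong>aaa</strong><em>bbb</em><p onclick="alert(1)">New paragraph</p>'
        . '<script>alert("Hello");</script><a href="https://example.com" style="x">ok</a>';
echo sanitizeCmsHtml($stored), PHP_EOL;
```

Call it in the route or controller before passing the value to the view, and print only the returned string with {!! !!}. A maintained library such as HTML Purifier is the usual choice once the allowed markup grows beyond a short list.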
  • 2020-11-30 07:40

    I had the same issue. Thanks to the answers above, I solved my issue. If there are people facing the same problem, here are two ways to solve it:

    • You can use {!! $news->body !!}
    • You can use the traditional PHP opening tag (it is not recommended) like: <?php echo $string ?>

    I hope it helps.

  • 2020-11-30 07:57

    Use this tag: {!! description text !!}

  • 2020-11-30 08:01

    Include the content in {! !}.
