I have a string returned to one of my views, like this:
$text = \'Lorem ipsum dolor
Please use
{!! $test !!}
only in case of HTML, while if you want to render data, strings, etc., use
{{ $test }}
This is because when your blade file is compiled
{{ $test }}
is converted to <?php echo e($test) ?>
while
{!! $test !!}
is converted to <?php echo $test ?>
It's a simple
{!! $text !!}
Laravel compiles it as a DOM element, and {{$text}}
prints it as a string.
This works fine for Laravel 5.6
<?php echo "$text"; ?>
In a different way
{!! $text !!}
It will not render HTML code and print as a string.
For more details, open the link: Display HTML with Blade
Try this. It worked for me.
{{ html_entity_decode($text) }}
In a Laravel Blade template, {{ }} will escape HTML. If you want to display HTML from the controller in the view, decode the HTML from the string.
On controller.
$your_variable = '';
$your_variable .= '<p>Hello world</p>';
return view('viewname')->with('your_variable', $your_variable);
If you do not want your data to be escaped, you may use the following syntax:
{!! $your_variable !!}
Output
Hello world
Unbelievable, several identical and consequently wrong answers.
Laravel saves pure PHP code to Storage/framework/view
Of course, if you have thousands of views, it will take a century to find the one you want, but open any one and see that where there were {{ $text }} now there are <?php echo $text; ?>
Then forget {{ $text }} and use <?php print($text); ?>,
but it's still not a good idea. If strangers created the HTML, then let's create our criteria:
//Controller
<?php
$body = strip_tags($text, '<strong><span><p><b><small><pre><div><br><img><video><a><ul><li><ol><i><font><blockquote>');
return view('myview', compact('body'));
?>
//Blade
<iframe srcdoc="{{print($body)}}" sandbox></iframe>
or
<iframe srcdoc="{{$body}}" sandbox></iframe>
Allowed tags
<strong><span><p><b><small><pre><div><br><img><video><a><ul><li><ol><i><font><blockquote>
Yes, you can use some PHP functions in the Blade syntax, although this is not documented correctly and you need to be careful too. Since {{}} is the same as echo, if you put something like print(), print_r or var_dump, it will work, but more complex things don't work; it literally doesn't replace <?php ?>
Why an iframe?
Note that this is not a common iframe: it has the sandbox attribute. While the strip_tags() function has removed the tags, the iframe will literally kill onclick(), onerror() and the like, isolating the code. However, a pessimist will say that he can still use the address bar. In fact, Laravel already has an escape, but you can create middleware and list it in the middlewaregroup at app/http/kernel.php. So, you will have the opportunity to make sure that the requested URL is eligible.
Less painful alternative
As this article explains: https://kuztek.com/blog/use-laravel-purifier-securit you can use the HTMLPurifier, follow the procedure below
Install the package:
composer require mews/purifier
Generate the configuration file:
php artisan vendor:publish --provider="Mews\Purifier\PurifierServiceProvider"
Change 'HTML.Allowed' in config/purifier.php
'HTML.Allowed' => 'h1[class],h2[class],h3[class],h4[class],h5[class],div[class],b,strong[style|class],i[class],em,a[href|title|class],ul[style|class],ol[style|class],li[style|class],p[style|class],br,blockquote[class],span[style|class],img[width|height|alt|src|class]',
No further action is needed, just call it on the blade, replacing $body with the variable containing the html code
{!! clean($body) !!}
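
An added example, not part of any answer on this page: the script below runs under plain PHP and shows what escaped output, raw output and strip_tags() each do to a constructed untrusted string. blade_escape() is a hypothetical stand-in, assumed to match Laravel's e() helper that {{ }} compiles to.

```php
<?php
// Added illustration; runs with plain PHP (no Laravel needed).

// Hypothetical stand-in for Laravel's e() helper (assumed equivalent):
// this is what {{ $var }} applies before echoing.
function blade_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', true);
}

// Constructed sample: markup as an untrusted user might submit it.
$text = '<p>Hello <b>world</b></p>'
      . '<img src="x" onerror="alert(1)">'
      . '<script>alert(2)</script>';

// 1. {{ $text }} -> echo e($text): everything becomes inert text.
$escaped = blade_escape($text);

// 2. {!! $text !!} -> echo $text: the browser parses it as markup.
$raw = $text;

// 3. strip_tags() with an allow-list removes disallowed *tags* only;
//    attributes on allowed tags (here onerror) survive untouched.
$stripped = strip_tags($text, '<p><b><img>');

// 4. Escaping the stripped markup for an attribute context, as in
//    <iframe srcdoc="{{ $body }}" sandbox>: quotes cannot close the attribute.
$srcdoc = blade_escape($stripped);

$checks = [
    'escaped output contains no "<"'        => strpos($escaped, '<') === false,
    'raw output still contains <script>'    => strpos($raw, '<script>') !== false,
    'strip_tags removed the <script> tag'   => strpos($stripped, '<script>') === false,
    'strip_tags kept the onerror attribute' => strpos($stripped, 'onerror=') !== false,
    'srcdoc value contains no raw quote'    => strpos($srcdoc, '"') === false,
];

foreach ($checks as $label => $ok) {
    printf("%-40s %s\n", $label, $ok ? 'yes' : 'NO');
}
```

The surviving onerror attribute is why an allow-list of tags alone is not enough for raw output; an attribute-aware sanitizer such as HTMLPurifier, or the sandboxed iframe, covers that gap.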