Question
I'm trying to create a form that creates users like this, and this form will also be used for displaying data using Form Model Binding:
{{ Form::open(['url' => 'admin/users/create']) }}
<div class="form-group">
{{ Form::label('first_name', 'First Name : ') }}
{{ Form::text('first_name', null, ['class' => 'form-control']) }}
</div>
<div class="form-group">
{{ Form::label('last_name', 'Last Name : ') }}
{{ Form::text('last_name', null, ['class' => 'form-control']) }}
</div>
{{ Form::close() }}
however, it is showing the code, not the actual view, so I see this code in my browser:
<form method="POST" action="http://localhost:8000/admin/users/create" accept-charset="UTF-8">
<input name="_token" type="hidden" value="X5MA46MJctYOYeMtZF1RoQKYmWDtAbsSoxwoOA8Y">
<label for="first_name">First Name : </label>
<input class="form-control" name="first_name" type="text" id="first_name">
<label for="last_name">Last Name : </label>
<input class="form-control" name="last_name" type="text" id="last_name">
</form>
but when trying to use {!! !!}
as the open and close brackets, the code works and shows the actual view.
I still don't understand why I can't use {{ }}
as my brackets using laravel-collective, and if you see this Project, it works fine.
Also, I'm kinda afraid of an XSS attack, just like the Laravel documentation said in the section Displaying Unescaped Data:
Note: Be very careful when echoing content that is supplied by users of your application. Always use the double curly brace syntax to escape any HTML entities in the content.
Any helpful explanation on this? Thank you.
NOTE: I'm using Laravel version 5.1.40 (LTS).
Answer 1:
Because {{ }} is used for escaping HTML entities to prevent XSS attacks when input from your server/database is displayed.
So if someone had inserted malicious code into your database, it would not be executable for a user and would instead just be printed out on the screen, like so:
$dbValue = "<script> Some evil code </script>";
{{ $dbValue }}
It'll output this:
<script> Some evil code </script>
And because the Laravel Collective HTML form IS generating HTML for you to display, you have to use {!! !!} to prevent escaping.
{!! "<b>Bold Text</b>" !!}
Then it'll output this:
Bold Text
For generating HTML it's fine, but you have to be careful about values being sent to your server and displayed back to a user. There you'll always have to escape your data with {{ }}.
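To make the difference concrete, here is an added stand-alone PHP script (not code from the question, the answer, or Laravel Collective) that reproduces what {{ }} and {!! !!} do to the same strings. The escaped() function mirrors the escaping Laravel's e() helper applies (ENT_QUOTES, UTF-8; the underlying PHP call differs between Laravel versions), and textInput() is a minimal, constructed stand-in for a form helper that escapes every attribute value it emits; the real HtmlBuilder is not shown on this page.

```php
<?php
// Added example: what Blade's {{ }} does to a value (escape it), what {!! !!}
// does (nothing), and why helper-generated markup is safe to echo raw ONLY
// when the helper escapes the data it embeds.

// Equivalent of {{ $value }}: HTML-escape, including quotes, as UTF-8.
function escaped(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8', false);
}

// Equivalent of {!! $value !!}: the string is echoed verbatim.
function raw(string $value): string
{
    return $value;
}

// Constructed stand-in for a form helper (not Laravel Collective's code):
// the markup is produced by the helper, but every value placed inside an
// attribute goes through escaped() first.
function textInput(string $name, ?string $value, array $attrs = []): string
{
    $attrs = array_merge(['name' => $name, 'type' => 'text', 'id' => $name], $attrs);
    if ($value !== null) {
        $attrs['value'] = $value;
    }
    $html = '<input';
    foreach ($attrs as $key => $val) {
        $html .= ' ' . $key . '="' . escaped((string) $val) . '"';
    }
    return $html . '>';
}

// Constructed sample value, as it might come back from the database.
$dbValue = '<script> Some evil code </script>';

// 1. Value through {{ }}: browser shows the text, executes nothing.
echo escaped($dbValue), PHP_EOL;
// 2. Value through {!! !!}: browser would parse and run the tag.
echo raw($dbValue), PHP_EOL;
// 3. Helper markup through {!! !!}: the <input> renders as a field and the
//    value inside the attribute is still escaped by the helper.
echo raw(textInput('first_name', $dbValue, ['class' => 'form-control'])), PHP_EOL;
// 4. Helper markup through {{ }}: what the question saw, tags shown as text.
echo escaped(textInput('first_name', $dbValue, ['class' => 'form-control'])), PHP_EOL;
```

Run it with `php escape-demo.php` and compare the four lines: only case 2 puts an unescaped script tag into the page.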
Source: https://stackoverflow.com/questions/38799056/using-double-curly-brace-in-laravel-collective