Question
I am trying to use the e function in Laravel, which is equivalent to the htmlentities PHP function.
In my Form view and Controller I am trying to save a document that uses the e function, which looks like this:
Form view:
{{ Form::text('client_name') }}
Controller:
$client = new Client;
$client->client_name = e(Input::get('client_name'));
$client->save();
Say I wrote <script type="text/javascript">alert('gotcha!');</script>
into the client_name field. I then save it to the database, but when it redirects after saving to the db, it runs this script once! Also, just to make sure that the e function was working correctly, I looked in my db and it is as expected:
"<script type="text/javascript">alert('gotcha!');</script>"
My question is: how can I avoid executing that javascript alert('gotcha')?
Or am I putting this e function or the htmlentities function in the wrong place?
thanks!
Answer 1:
You are running e() in the wrong place. Escaping is best saved for the output of data, not the input.
Your controller should do this:
$client = new Client;
$client->client_name = Input::get('client_name');
$client->save();
Your Form view is OK with the following, because Form "escapes" the data automatically:
{{ Form::text('client_name') }}
But after you create the client and do the redirect, I bet somewhere you are doing this:
{{ $client->client_name }}
You should change it to this:
{{{ $client->client_name }}}
Note the third { }, which will automatically escape the data for you.
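The following is an added example, not code from the question or the answer above, written in plain PHP so it runs without Laravel. It shows why the answer moves the escaping to output time: Laravel 4's e() and {{{ }}} are thin wrappers over htmlentities(), so a stand-alone escape() helper built on htmlspecialchars() behaves the same way for this purpose. The payload string is constructed here to match the one in the question. Two caveats a practitioner should keep in mind: escaping on input, as the question's controller did, leaves a double-encoded value once the view escapes it again, which is what the second half of the example demonstrates; and HTML entity escaping is only correct for HTML text and quoted attribute values, so a value placed inside a script block or a URL needs context-specific encoding instead. (Note that Laravel 5 later reversed the Blade syntax: {{ }} escapes and {!! !!} emits raw output.)

```php
<?php
// Added example (not from the original Q&A): output-time escaping versus
// input-time escaping, in plain PHP so it runs without Laravel.

declare(strict_types=1);

// Escape a string for insertion into HTML text or a double-quoted attribute.
// ENT_QUOTES also escapes single quotes, ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning an empty string, and naming the charset avoids
// depending on PHP's default_charset.
function escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render a value in page text the way {{{ $value }}} would: escaped once, on output.
function renderParagraph(string $storedValue): string
{
    return '<p>' . escape($storedValue) . '</p>';
}

// Re-populate a form field the way Form::text() does: the value is escaped
// when the input tag is built, regardless of what was stored.
function renderTextInput(string $name, string $storedValue): string
{
    return sprintf('<input name="%s" value="%s">', escape($name), escape($storedValue));
}

// Constructed payload, same shape as the one submitted in the question.
$submitted = "<script type=\"text/javascript\">alert('gotcha!');</script>";

// Wrong place (the question's controller): escape before saving.
$storedEscaped = escape($submitted);

// Right place (the answer's controller): store exactly what was typed.
$storedRaw = $submitted;

// 1. Raw output, which is what {{ $client->client_name }} did in Laravel 4:
//    the script tag reaches the browser intact and runs once per render.
echo "Raw output (the bug):\n  <p>" . $storedRaw . "</p>\n\n";

// 2. Escaped on output from the raw stored value: the browser shows the
//    literal text "<script ...>" and nothing executes.
echo "Escaped on output:\n  " . renderParagraph($storedRaw) . "\n\n";

// 3. Escaped on input AND on output: safe, but double-encoded, so the user
//    now sees "&lt;script ...&gt;" on screen instead of what they typed.
echo "Escaped twice (input then output):\n  " . renderParagraph($storedEscaped) . "\n\n";

// 4. Same effect when the form is re-populated: with the raw value stored the
//    field shows what was typed; with the pre-escaped value it shows entities.
echo "Form field from raw value:\n  " . renderTextInput('client_name', $storedRaw) . "\n";
echo "Form field from pre-escaped value:\n  " . renderTextInput('client_name', $storedEscaped) . "\n";
```

Running it shows case 1 emitting the script tag unchanged, cases 2 and 4 emitting `&lt;script ...&gt;` exactly once, and case 3 emitting `&amp;lt;script ...`, which is the double-encoding you get by escaping in the controller and again in the view. Storing the raw value and escaping at every output point, in the encoding that output context requires, avoids both the XSS and the corrupted display.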
Source: https://stackoverflow.com/questions/23718646/laravel-e-function-htmlentities-is-not-fully-working-scripts-can-still-be-exe