Laravel e function (htmlentities) is not fully working, scripts can still be executed (only once)

假装没事ソ 提交于 2020-01-05 08:06:30

问题


I am trying to use the e function in Laravel which is equivalent to the htmlentities PHP function.

In my Form view and Controller I am trying to save a document that uses the e function which looks like this:

Form view:

{{ Form::text('client_name') }}

Controller:

$client = new Client;
$client->client_name = e(Input::get('client_name'));
$client->save();

Say I wrote <script type="text/javascript">alert('gotcha!');</script> into the client_name field. I then save it to database but when it redirects after it saves to db, it runs this script once! Also just to make sure that the e function was working correctly I looked into my db and it is as expected:

"&lt;script type=&quot;text/javascript&quot;&gt;alert(&#039;gotcha!&#039;);&lt;/script&gt;"

My question is how can I avoid executing that javascript alert('gotcha')??

Or am I putting this e function or the htmlentities function in the wrong place?'

thanks!


回答1:


You are running the e() at the wrong place. Escaping is best saved for output of data - not the input.

Your controller should do this:

$client = new Client;
$client->client_name = Input::get('client_name');
$client->save();

Your Form view is ok with the following - because Form "escapes" the data automatically

{{ Form::text('client_name') }}

But after you create the client and do the redirect - I bet somewhere you are doing this

{{ $client->client_name }}

You should change it to this

{{{ $client->client_name }}}

Note the third { } - which will automatically escape the data for you



来源:https://stackoverflow.com/questions/23718646/laravel-e-function-htmlentities-is-not-fully-working-scripts-can-still-be-exe

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!