Laravel Escaping All HTML in Blade Template

I'm building a small CMS in Laravel and I tried to show the content (which is stored in the DB). It is showing the HTML tags instead of executing them. It's like there is an auto html_entity_decode for all printed data.

<?php

class CmsController extends BaseController
{
    public function Content($name)
    {
        $data = Pages::where('CID', '=', Config::get('company.CID'))
            ->where('page_name', '=', $name)
            ->first();

        return View::make('cms.page')->with('content', $data);
    }
}

I tried to print the content using the curly brace.

{{ $content->page_desc }}

and triple curly brace.

{{{ $content->page_desc }}}

And they give the same result. I need to execute those HTML tags instead of escaping them.

126097 views

There is no problem with displaying HTML code in blade templates.

For test, you can add to routes.php only one route:

Route::get('/', function () {
    $data = new stdClass();
    $data->page_desc = '<strong>aaa</strong><em>bbb</em>
        <p>New paragraph</p><script>alert("Hello");</script>';

    return View::make('hello')->with('content', $data);
});

and in hello.blade.php file:

<!doctype html>
<html lang="en">
<head>
    <meta charset="UTF-8">
</head>
<body>
    {{ $content->page_desc }}
</body>
</html>

For the following code you will get output as on the image:

(image: Output)

So probably page_desc in your case is not what you expect. But as you can see, it can be potentially dangerous if someone uses for example a '` tag, so you should probably filter some tags in your route before assigning to the blade template.

EDIT

I've also tested it with putting the same code into database:

Route::get('/', function () {
    $data = User::where('id', '=', 1)->first();

    return View::make('hello')->with('content', $data);
});

Output is exactly the same in this case.

Edit2

I also don't know if Pages is your model or it's a vendor model. For example it can have accessor inside:

public function getPageDescAttribute($value)
{
    return htmlspecialchars($value);
}

and then when you get the page_desc attribute you will get the page_desc modified with htmlspecialchars. So if you are sure that the data in the database is raw HTML (not escaped), you should look at this Pages class.
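One way to do that filtering step before the value reaches the template, as an added example (not from the answer above and not Laravel's own API): an allow-list sanitizer built on PHP's DOMDocument. The tag and attribute lists, the helper name and the URL scheme check are assumptions to adjust per site.

```php
<?php
// Added example: allow-list sanitizer for stored CMS HTML, meant to run in the
// route/controller on $data->page_desc before the value is printed unescaped.
// Every tag/attribute not listed here is removed; href keeps only http(s),
// mailto and relative URLs, so javascript: links are dropped too.
function sanitizeCmsHtml(string $html): string
{
    $allowedTags     = ['p', 'br', 'strong', 'em', 'ul', 'ol', 'li', 'a', 'h1', 'h2', 'h3'];
    $allowedAttrs    = ['a' => ['href', 'title']];          // on*, style, etc. never survive
    $dropWithContent = ['script', 'style', 'iframe', 'object', 'embed'];

    $doc = new DOMDocument();
    libxml_use_internal_errors(true);                     // stored HTML is rarely well-formed
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();

    $body  = $doc->getElementsByTagName('body')->item(0);
    $nodes = iterator_to_array((new DOMXPath($doc))->query('//body//*'), false); // snapshot first

    foreach ($nodes as $el) {
        $parent = $el->parentNode;
        if ($parent === null) {
            continue;                                     // ancestor already removed
        }
        $tag = strtolower($el->nodeName);
        if (in_array($tag, $dropWithContent, true)) {
            $parent->removeChild($el);                    // whole subtree goes, content included
            continue;
        }
        if (!in_array($tag, $allowedTags, true)) {        // unknown tag: keep children, drop wrapper
            while ($el->firstChild) {
                $parent->insertBefore($el->firstChild, $el);
            }
            $parent->removeChild($el);
            continue;
        }
        foreach (iterator_to_array($el->attributes, false) as $attr) {
            $name = strtolower($attr->nodeName);
            $ok   = in_array($name, $allowedAttrs[$tag] ?? [], true);
            if ($ok && $name === 'href') {
                $ok = (bool) preg_match('#^(https?:|mailto:|/|\#)#i', trim($attr->nodeValue));
            }
            if (!$ok) {
                $el->removeAttribute($attr->nodeName);
            }
        }
    }
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);                   // serialize only the fragment
    }
    return $out;
}
```

Run it on the stored HTML in the route and print the result with the raw syntax; for production a maintained library such as HTML Purifier covers many more edge cases than this short allow-list.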

{{ html_entity_decode($post->content()) }} solved the issue for me with Laravel 4.0. Now my HTML content is interpreted as it should be.

Change your syntax from {{ }} to {!! !!}.

As The Alpha said in a comment above (not an answer, so I thought I'd post), in Laravel 5 the {{ }} (previously non-escaped output syntax) has changed to {!! !!}. Replace {{ }} with {!! !!} and it should work.

Include the content in {! <content> !} .

use this tag {!! description text !!}

I had the same issue. Thanks to the answers above, I solved my issue. If there are people facing the same problem, here are two ways to solve it:

  • You can use {!! $news->body !!}
  • You can use the traditional PHP opening (it is not recommended) like: <?php echo $string ?>

I hope it helps.