72
votes

I'm building a small CMS in Laravel and I tried to show the content (which is stored in the DB). It is showing the HTML tags instead of executing them. It's like there is an auto html_entity_decode for all printed data.

<?php

class CmsController extends BaseController
{
    public function Content($name)
    {    
        $data = Pages::where('CID', '=', Config::get('company.CID'))
            ->where('page_name', '=', $name)
            ->first();

        return View::make('cms.page')->with('content', $data);
    }
}

I tried to print the content using the curly brace.

{{ $content->page_desc }}

and triple curly brace.

{{{ $content->page_desc }}}

And they give the same result. I need to execute those HTML tags instead of escaping them.

6
In latest version ver-5.0 {{...}} and {{{...}}} both do this, what version do you have exactly? - The Alpha
I'm using version 4.2 - Dr.Neo
Then I'm not sure why {{...}} gives escaped result! - The Alpha
In v-5, use {!! !!} for normal output (without esc). - The Alpha
Are they stored as "tags" or already escaped in the db? Because else I would see it like The Alpha, this should only be the case in v5 of Laravel - theiNaD

6 Answers

168
votes

Change your syntax from {{ }} to {!! !!}.

As The Alpha said in a comment above (not an answer so I thought I'd post), in Laravel 5, the {{ }} (previously non-escaped output syntax) has changed to {!! !!}. Replace {{ }} with {!! !!} and it should work.

16
votes

Use this tag: {!! description text !!}

8
votes

I had the same issue. Thanks for the answers above, I solved my issue. If there are people facing the same problem, here are two ways to solve it:

  • You can use {!! $news->body !!}
  • You can use the traditional PHP opening tag (it is not recommended) like: <?php echo $string ?>

I hope it helps.

7
votes

Include the content in {! <content> !}.

2
votes

There is no problem with displaying HTML code in blade templates.

For a test, you can add to routes.php only one route:

Route::get('/', function () {

        $data = new stdClass();
        $data->page_desc
            = '<strong>aaa</strong><em>bbb</em>
               <p>New paragaph</p><script>alert("Hello");</script>';

        return View::make('hello')->with('content', $data);
    }
);

and in hello.blade.php file:

<!doctype html>
<html lang="en">
<head>
    <meta charset="UTF-8">
</head>
<body>

{{ $content->page_desc }}

</body>
</html>

For the following code you will get the output shown in the image:

[Image: Output]

So probably page_desc in your case is not what you expect. But as you see, it can be potentially dangerous if someone uses, for example, a <script> tag, so you should probably filter some tags in your route before assigning the content to the Blade template.

EDIT

I've also tested it with putting the same code into database:

Route::get('/', function () {

        $data = User::where('id','=',1)->first();

        return View::make('hello')->with('content', $data);
    }
);

The output is exactly the same in this case.

Edit2

I also don't know if Pages is your model or a vendor model. For example, it can have an accessor inside:

public function getPageDescAttribute($value)
{
    return htmlspecialchars($value);
}

and then when you get the page_desc attribute you will get page_desc modified with htmlspecialchars. So if you are sure that the data in the database is raw HTML (not escaped), you should look at this Pages class.
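
The answers above print stored HTML unescaped with {!! !!}, and the answer just above suggests filtering tags before the content reaches the template. One way to do that filtering with an allowlist, as an added example that is not part of the original thread (sanitizeCmsHtml(), ALLOWED_TAGS and DROP_WITH_CONTENT are hypothetical names; PHP 7+ with the DOM extension is assumed):

```php
<?php
// Added example, not code from the thread. sanitizeCmsHtml(), ALLOWED_TAGS and
// DROP_WITH_CONTENT are hypothetical names; assumes PHP 7+ with ext-dom.
const ALLOWED_TAGS = ['p', 'br', 'strong', 'em', 'ul', 'ol', 'li', 'h2', 'h3'];
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed'];

function sanitizeCmsHtml(string $dirty): string
{
    $prev = libxml_use_internal_errors(true); // malformed markup must not emit warnings
    $doc = new DOMDocument();
    // The leading processing instruction makes libxml read the fragment as UTF-8.
    $doc->loadHTML('<?xml encoding="UTF-8">' . $dirty, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    // Only what the parser placed inside <body> is ever written back out.
    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    $xpath = new DOMXPath($doc);
    // Copy the result to an array so nodes can be removed while looping.
    foreach (iterator_to_array($xpath->query('.//*|.//comment()', $body)) as $node) {
        $tag = strtolower($node->nodeName);
        if (in_array($tag, DROP_WITH_CONTENT, true)) {
            $node->parentNode->removeChild($node);        // tag and its content go
        } elseif (!in_array($tag, ALLOWED_TAGS, true)) {
            // Unknown tag or comment: keep its children, drop the node itself.
            while ($node->firstChild) {
                $node->parentNode->insertBefore($node->firstChild, $node);
            }
            $node->parentNode->removeChild($node);
        } else {
            // Allowed tag: strip every attribute (onclick, style, href, ...).
            while ($node->attributes->length > 0) {
                $node->removeAttributeNode($node->attributes->item(0));
            }
        }
    }
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child); // text nodes are entity-escaped on output
    }
    return $out;
}

// Constructed sample: the test string from the answer above plus an event handler.
$stored = '<strong onclick="alert(1)">aaa</strong><em>bbb</em>'
        . '<p>New paragraph</p><script>alert("Hello");</script>';
echo sanitizeCmsHtml($stored), PHP_EOL;
```

Run the stored value through the filter in the controller before View::make(), and print only the filtered result with the unescaped syntax. For production content, a maintained sanitizer such as HTML Purifier is the usual choice over a hand-written filter.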

-4
votes

{{html_entity_decode ($post->content())}} solved the issue for me with Laravel 4.0. Now my HTML content is interpreted as it should.