I have a string returned to one of my views, like this:
$text = '<p><strong>Lorem</strong> ipsum dolor <img src="images/test.jpg"></p>'
I'm trying to display it with Blade:
{{$text}}
However, the output is a raw string instead of rendered HTML. How do I display HTML with Blade in Laravel?
PS. PHP echo() displays the HTML correctly.
You can try this:
{!! $text !!}
You should have a look at: http://laravel.com/docs/5.0/upgrade#upgrade-5.0
There is another way. If object purpose is to render html you can implement \Illuminate\Contracts\Support\Htmlable contract that has toHtml() method.
Then you can render that object from blade like this: {{ $someObject }} (note, no need for {!! !!} syntax).
Also if you want to return html property and you know it will be html, use \Illuminate\Support\HtmlString class like this:
public function getProductDescription()
{
return new HtmlString($this->description);
}
and then use it like {{ $product->getProductDescription() }}.
Of course be responsible when directly rendering raw html on page.
You can do that using three ways first use if condition like below
{!! $text !!}
The is Second way
<td class="nowrap">
@if( $order->status == '0' )
<button class="btn btn-danger">Inactive</button>
@else
<button class="btn btn-success">Active</button>
@endif
</td>
The third and proper way for use ternary operator on blade
<td class="nowrap">
{!! $order->status=='0' ?
'<button class="btn btn-danger">Inactive</button> :
'<button class="btn btn-success">Active</button> !!}
</td>
I hope the third way is perfect for used ternary operator on blade.
This works fine for Laravel 5.6
<?php echo "$text"; ?>
In a different way
{!! $text !!}
It will not render HTML code and print as a string.
For more details open link:- Display HTML with Blade
To add further explanation, code inside Blade {{ }} statements are automatically passed through the htmlspecialchars() function that php provides. This function takes in a string and will find all reserved characters that HTML uses. Reserved characters are & < > and ". It will then replace these reserved characters with their HTML entity variant. Which are the following:
|---------------------|------------------|
| Character | Entity |
|---------------------|------------------|
| & | & |
|---------------------|------------------|
| < | < |
|---------------------|------------------|
| > | > |
|---------------------|------------------|
| " | " |
|---------------------|------------------|
For example, assume we have the following php statement:
$hello = "<b>Hello</b>";
Passed into blade as {{ $hello }} would yield the literal string you passed:
<b>Hello</b>
Under the hood, it would actually echo as <b>Hello<b>
If we wanted to bypass this and actually render it as a bold tag, we escape the htmlspecialchars() function by adding the escape syntax blade provides:
{!! $hello !!}
Note that we only use one curly brace.
The output of the above would yield:
Hello
We could also utilise another handy function that php provides, which is the html_entity_decode() function. This will convert HTML entities to their respected HTML characters. Think of it as the reverse of htmlspecialchars()
For example say we have the following php statement:
$hello = "<b> Hello <b>";
We could now add this function to our escaped blade statement:
{!! html_entity_decode($hello) !!}
This will take the HTML entity < and parse it as HTML code <, not just a string.
The same will apply with the greater than entity >
which would yield
Hello
The whole point of escaping in the first place is to avoid XSS attacks. So be very careful when using escape syntax, especially if users in your application are providing the HTML themselves, they could inject their own code as they please.
If you want to escape the data use
{{ $html }}
If don't want to escape the data use
{!! $html !!}
But till Laravel-4 you can use
{{ HTML::link('/auth/logout', 'Sign Out', array('class' => 'btn btn-default btn-flat')) }}
When comes to Laravel-5
{!! HTML::link('/auth/logout', 'Sign Out', array('class' => 'btn btn-default btn-flat')) !!}
You can also do this with the PHP function
{{ html_entity_decode($data) }}
go through the PHP document for the parameters of this function
By default, Blade
{{ }}statements are automatically sent through PHP'shtmlspecialcharsfunction to prevent XSS attacks. If you do not want your data to be escaped, you may use the following syntax:
According to the doc, you must do the following to render your html in your Blade files:
{!! $text !!}
Be very careful when echoing content that is supplied by users of your application. You should typically use the escaped, double curly brace syntax to prevent XSS attacks when displaying user supplied data.
Unbelievable, several identical and consequently wrong answers.
Laravel saves pure php code to Storage/fremework/view
Of course, if you have thousands of views, it will take a century to find the one you want, but open any one and see that where there were {{ $text }} now there are <?php echo $text; ?> then forget {{ $text }} and use <?php print($text); ?>, but it's still not a good idea, if strangers created the html, then let's create our criteria:
//Controller
<?php
$body = strip_tags($text, '<strong><span><p><b><small><pre><div><br><img><video><a><ul><li><ol><i><font><blockquote>');
return view('myview', compact('body'));
?>
//Blade
<iframe srcdocs="{{print($body)}}" sandbox></iframe>
or
<iframe srcdocs="{{$body}}" sandbox></iframe>
Allowed tags
<strong><span><p><b><small><pre><div><br><img><video><a><ul><li><ol><i><font><blockquote>
Yes, you can use some php functions in the blade syntax, although this is not documented correctly and you need to be careful too, since {{}} is the same as echo, so if you put something like print(), print_r or var_dump will work, but more complex things don't work, it literally doesn't replace <?php ?>
Why an iframe?
Note that this is not a common iframe, it has the sandbox attribute, while the strip_tags () function has removed the tags, the iframe will literally kill onclick (), onerro () and the like, isolating the code, however, a A pessimist will say that he can still use the address bar, in fact laravel already has an escape, but you can create middleware and list it in the middlewaregroup at app / http /kernel.php. So, you will have the opportunity to make sure that the requested url is eligible
Less painful alternative
As this article explains: https://kuztek.com/blog/use-laravel-purifier-securit you can use the HTMLPurifier, follow the procedure below
Install the package:
composer require mews/purifier
Generate the configuration file:
php artisan vendor:publish --provider="Mews\Purifier\PurifierServiceProvider"
Change 'HTML.Allowed' in config / purifier.php
'HTML.Allowed' => 'h1[class],h2[class],h3[class],h4[class],h5[class],div[class],b,strong[style|class],i[class],em,a[href|title|class],ul[style|class],ol[style|class],li[style|class],p[style|class],br,blockquote[class],span[style|class],img[width|height|alt|src|class]',
No further action is needed, just call it on the blade, replacing $body with the variable containing the html code
{{ clean($body) }}
{!! nl2br($post->description) !!}works for me if I have only spaces and br. – Muhammad Shahzad