Laravel validation doesn't validate html entities - php
I'm working with Laravel 5.5 and I'm trying to validate a form so that it shouldn't pass if the user writes HTML entities, for example: <h1>Hola</h1>, <script>alert(1)</script>.
But it inserts all fields into the DB.
My controller:
protected function storeForm(CaseRequest $request)
{
    try {
        $supportCase = new SupportCase;
        $supportCase->type = $request->input('type');
        // all fields of table[...]
        $supportCase->save();

        return view('steps/finish/success')->with(['message' => 'Form success']);
    } catch (\Exception $e) {
        // Fully qualified on purpose: inside a namespaced controller a bare
        // `Exception` resolves to App\Http\Controllers\Exception and never matches.
        echo $e->getMessage();

        return view('steps/finish/error')->withErrors(['message' => 'Form error']);
    }
}
My CaseRequest is this:
<?php

// Default location for a Laravel 5.5 FormRequest; adjust the namespace if yours differs.
namespace App\Http\Requests;

use Illuminate\Foundation\Http\FormRequest;

class CaseRequest extends FormRequest
{
    /**
     * Determine if the user is authorized to make this request.
     *
     * @return bool
     */
    public function authorize()
    {
        return true;
    }

    /**
     * Get the validation rules that apply to the request.
     *
     * @return array
     */
    public function rules()
    {
        return [
            'type' => 'required|min:3|max:3|string',
            'brand' => 'required|string',
            'product' => 'required|string',
            'order' => 'required|string',
            // `string` only checks the type; it accepts any text, HTML tags included
            'description' => 'required|min:10|string',
            'sn' => 'nullable',
            'name' => 'required|min:2|string',
            'nin' => 'required|min:9|max:11|alpha_dash',
            'email' => 'required|email',
            'phone' => 'required|digits_between:7,12',
            // with `numeric`, min/max compare the value (zip >= 2), not its length
            'zip' => 'required|min:2|numeric',
            'state' => 'required|min:2|string',
            'country' => 'required|min:2|string',
        ];
    }
}
I have read the documentation: the Request is called first, before the controller, and if it has any error it throws an error message. Doesn't it?
I'm using Parsley and select2; at first the form has frontend validation with Parsley, and it's working well, but if I remove the Parsley validation, Laravel should validate it, right? But my DB is saving all fields (including <script>alert(1)</script>).
<div class="form" id="main-form" data-parsley-validate="data-parsley-validate">
{!! Form::open(['id' => 'main-form', 'data-parsley-validate' => 'data-parsley-validate']) !!}
<div class="col-md-7 light-form">
<fieldset>
{!! Form::label('contact', trans('frontend/steps.form.contact'), ['class' => 'upper']) !!}
{!! Form::label('name', trans('frontend/steps.form.name')) !!}
{!! Form::text('name', old('name'), [
'data-parsley-pattern' => '[ÁÉÍÓÚáéíóúa-zA-Z ]+$',
'data-parsley-required' => 'true',
'data-parsley-minlength'=>'2',
'data-parsley-required-message' => trans('frontend/steps.form-errors.name'),
'data-parsley-minlength-message' => trans('frontend/steps.form-errors.name'),
'data-parsley-pattern-message' => trans('frontend/steps.form-errors.name'),
]) !!}
</fieldset>
<fieldset>
{!! Form::label('nin', trans('frontend/steps.form.in')) !!}
{!! Form::text('nin', old('nin'), [
'data-parsley-type'=>'alphanum',
'data-parsley-required' => 'true',
'data-parsley-minlength'=>'9',
'data-parsley-maxlength'=>'11',
'data-parsley-required-message' => trans('frontend/steps.form-errors.in'),
'data-parsley-minlength-message' => trans('frontend/steps.form-errors.in'),
'data-parsley-maxlength-message' => trans('frontend/steps.form-errors.in')
]) !!}
</fieldset>
<fieldset>
{!! Form::label('phone', trans('frontend/steps.form.telf')) !!}
{!! Form::text('phone', old('phone'), [
'data-parsley-pattern' => '\d+$',
'data-parsley-required' => 'true',
'data-parsley-minlength'=>'7',
'data-parsley-maxlength'=>'12',
'data-parsley-required-message' => trans('frontend/steps.form-errors.telf'),
'data-parsley-minlength-message' => trans('frontend/steps.form-errors.telf'),
'data-parsley-maxlength-message' => trans('frontend/steps.form-errors.telf'),
'data-parsley-pattern-message' => trans('frontend/steps.form-errors.telf')
]) !!}
</fieldset>
<fieldset>
{!! Form::label('address', trans('frontend/steps.form.address')) !!}
{!! Form::text('address', old('address'), [
'data-parsley-pattern' => '^[ÁÉÍÓÚáéíóúa-zA-Z0-9-_ ]+$',
'data-parsley-required' => 'true',
'data-parsley-minlength'=>'5',
'data-parsley-pattern-message' => trans('frontend/steps.form-errors.address'),
'data-parsley-minlength-message' => trans('frontend/steps.form-errors.address'),
'data-parsley-required-message' => trans('frontend/steps.form-errors.address'),
]) !!}
</fieldset>
<div class="col-md-12 no-padding">
<div class="col-md-6 location-form">
<fieldset>
{!! Form::label('city', trans('frontend/steps.form.city')) !!}
{!! Form::text('city', old('city'), [
'data-parsley-required' => 'true',
'data-parsley-minlength'=>'2',
'data-parsley-pattern' => '[ÁÉÍÓÚáéíóúa-zA-Z ]+$',
'data-parsley-minlength-message' => trans('frontend/steps.form-errors.city'),
'data-parsley-required-message' => trans('frontend/steps.form-errors.city'),
'data-parsley-pattern-message' => trans('frontend/steps.form-errors.city'),
]) !!}
</fieldset>
<fieldset>
{!! Form::label('zip', trans('frontend/steps.form.zip')) !!}
{!! Form::text('zip', old('zip'), [
'data-parsley-required' => 'true',
'data-parsley-minlength'=>'2',
'data-parsley-minlength-message' => trans('frontend/steps.form-errors.zip'),
'data-parsley-required-message' => trans('frontend/steps.form-errors.zip')
]) !!}
</fieldset>
</div>
<div class="col-md-6 no-padding">
<fieldset>
{!! Form::label('state', trans('frontend/steps.form.state')) !!}
{!! Form::text('state', old('state'), [
'data-parsley-pattern' => '[ÁÉÍÓÚáéíóúa-zA-Z ]+$',
'data-parsley-required' => 'true',
'data-parsley-minlength'=>'2',
'data-parsley-required-message' => trans('frontend/steps.form-errors.state'),
'data-parsley-minlength-message' => trans('frontend/steps.form-errors.state'),
'data-parsley-pattern-message' => trans('frontend/steps.form-errors.state'),
]) !!}
</fieldset>
<fieldset>
{!! Form::label('country', trans('frontend/steps.form.country')) !!}
{!! Form::text('country', old('country'), [
'data-parsley-required' => 'true',
'data-parsley-pattern' => '[ÁÉÍÓÚáéíóúa-zA-Z ]+$',
'data-parsley-minlength'=>'2',
'data-parsley-required-message' => trans('frontend/steps.form-errors.country'),
'data-parsley-minlength-message' => trans('frontend/steps.form-errors.country'),
'data-parsley-pattern-message' => trans('frontend/steps.form-errors.country'),
]) !!}
</fieldset>
</div>
</div>
</div>
<div class="col-md-5 dark-form">
<fieldset>
{!! Form::label('order', trans('frontend/steps.form.order'), ['class' => 'upper']) !!}
{!! Form::text('order', old('order'), [
'placeholder' => '123567',
'data-parsley-type' => 'digits',
'data-parsley-type-message' => trans('frontend/steps.form-errors.order_format'),
'data-parsley-required' => 'true',
'data-parsley-required-message' => trans('frontend/steps.form-errors.order')
]) !!}
<span class="loading style-2"></span>
</fieldset>
<fieldset id="brand-wrap">
<label class="upper" for="brand">
{!! trans('frontend/steps.form.brand') !!}
<img class="tip" title="{!! trans('frontend/steps.form.brand_tooltip') !!}"
src="{!! asset('assets/img/frontend/icons/info.png') !!}"/>
</label>
{!! Form::select('brand', $layout->brands->pluck('name', 'id'), old('brand'), [
'id'=> 'brand',
'class' => 'select2',
'data-parsley-required' => 'true',
'data-parsley-required-message' => trans('frontend/steps.form-errors.brand')
])
!!}
<span class="loading style-2"></span>
</fieldset>
<fieldset id="product-wrap">
{!! Form::label('product', trans('frontend/steps.form.product'), ['class' => 'upper']) !!}
{!! Form::select('product', ['null' => 'null'], old('product'), [
'id'=> 'product_select',
'class' => 'select2',
'data-parsley-required' => 'true',
'data-parsley-required-message' => trans('frontend/steps.form-errors.product')
])
!!}
</fieldset>
<fieldset>
{!! Form::label('description', trans('frontend/steps.form.problem'), ['class' => 'upper']) !!}
{!! Form::textarea('description', old('description'), [
'data-parsley-pattern' => '[áéíóúÁÉÍÓÚäëïöüÄËÏÖÜa-zA-Z0-9-_ ]+$',
'data-parsley-minlength'=>'10',
'data-parsley-required' => 'true',
'data-parsley-type-message' => trans('frontend/steps.form-errors.problem'),
'data-parsley-required-message' => trans('frontend/steps.form-errors.problem'),
'data-parsley-minlength-message' => trans('frontend/steps.form-errors.problem'),
'data-parsley-pattern-message' => trans('frontend/steps.form-errors.problem')
]) !!}
</fieldset>
<fieldset id="serial-wrap">
{!! Form::label('sn', trans('frontend/steps.form.serial')) !!}
{!! Form::text('sn', old('sn'), [
'id' => 'sn',
'data-parsley-required' => 'false',
'data-parsley-required-message' => trans('frontend/steps.form-errors.imei'),
'data-parsley-lunhvalidator' => '15',
'data-parsley-lunhvalidator-message' => trans('frontend/steps.form-errors.invalid-imei')
])
!!}
</fieldset>
<fieldset>
{!! Form::label('email', trans('frontend/steps.form.email')) !!}
{!! Form::email('email', old('email'), [
'data-parsley-type'=> 'email',
'data-parsley-required' => 'true',
'data-parsley-type-message' => trans('frontend/steps.form-errors.email'),
'data-parsley-required-message' => trans('frontend/steps.form-errors.email')
]) !!}
</fieldset>
@if($case == "INC")
<button class="upper" type="button" onclick="nextStep(this)" data-type="FORM" data-field="transaction"
data-next="eleventh" data-case="{!! $case !!}"
data-value="">{!! trans('frontend/steps.form.continue') !!}</button>
@else
<button class="upper" type="button" onclick="nextStep(this)" data-type="FORM" data-field="transaction"
data-next="fifth" data-case="{!! $case !!}"
data-value="">{!! trans('frontend/steps.form.continue') !!}</button>
@endif
</div>
{!! Form::close() !!}
</div>
Validation doesn't change input data. It just ensures the input matches your defined rules.
Technically there is no need to remove HTML tags. They won't do any harm in the database and can be escaped when outputting with {{ $content }}.
If you don't want to save HTML in your database use strip_tags() on the relevant fields.
But don't rely on it to prevent XSS; escaping output is still necessary.
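The answer's three points side by side, as an added example that is not part of the original question or answer. It is plain PHP so it runs without a Laravel bootstrap; the comments name the Laravel equivalents (a `regex` validation rule, Blade's `{{ }}` which escapes through `htmlspecialchars()`, and `{!! !!}` which does not). The function names, the `regex:/^[^<>]*$/` rule and the sample inputs are assumptions constructed for the demonstration, not code from the page:

```php
<?php
declare(strict_types=1);

// Added example, not code from the original question or answer. Plain PHP (no Laravel
// bootstrap needed) illustrating the three points made in the answer:
//   1. validation only accepts or rejects a value, it never alters it;
//   2. strip_tags() removes markup before storage if you do not want it in the DB;
//   3. only escaping at output time (what Blade's {{ }} does via htmlspecialchars())
//      actually prevents XSS; strip_tags() does not.
// All sample inputs below are constructed for the demonstration.

/**
 * Mirrors a Laravel 'regex' rule that rejects anything containing '<' or '>'.
 * In the asker's FormRequest this would read (an assumption, not from the page):
 *   'description' => ['required', 'string', 'regex:/^[^<>]*$/'],
 * Returns true when the value passes; the value itself is never modified.
 */
function passesNoTagsRule(string $value): bool
{
    return preg_match('/^[^<>]*$/', $value) === 1;
}

/** The answer's option for keeping markup out of the database. */
function sanitizeForStorage(string $value): string
{
    return strip_tags($value);
}

/** What Blade's {{ $var }} does: htmlspecialchars() with ENT_QUOTES and UTF-8. */
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

/** Renders a stored value back into an attribute, as a pre-filled form field would. */
function renderInput(string $value, bool $escape): string
{
    // $escape = true  corresponds to {{ $value }}
    // $escape = false corresponds to {!! $value !!}
    $rendered = $escape ? escapeForHtml($value) : $value;

    return '<input name="name" value="' . $rendered . '">';
}

$samples = [
    // the payload from the question: the rule rejects it, strip_tags() reduces it to alert(1)
    '<script>alert(1)</script>',
    // no '<' or '>' at all: passes the rule and survives strip_tags() unchanged,
    // yet breaks out of the attribute when echoed without escaping
    'Ann" onmouseover="alert(1)',
];

foreach ($samples as $input) {
    echo "input:        $input\n";
    echo 'no-tags rule: ' . (passesNoTagsRule($input) ? 'pass' : 'FAIL') . "\n";
    $stored = sanitizeForStorage($input);
    echo "after strip:  $stored\n";
    echo 'raw output:   ' . renderInput($stored, false) . "\n"; // attribute injection for sample 2
    echo 'escaped:      ' . renderInput($stored, true) . "\n";  // inert text in both cases
    echo "\n";
}
```

Run it with `php example.php`. The second sample is the one that matters: it contains no tag, so it satisfies the no-tags rule and `strip_tags()` returns it unchanged, yet echoed raw into a `value="..."` attribute it adds an `onmouseover` handler to the element. Only the escaped rendering is inert, which is why the answer says output escaping is still necessary regardless of what you strip or reject on the way in.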