I'm trying to build a regex for template markup tags.
Right now the markups are something like this:
{{ account.name }}
{{ account.email }}
And this is the current regex I built for it:
/{{ [a-z_.]* }}/i
And now I need to include markup tags with a certain modifier, in this case the encoded option, which can be optional. So it would be something like:
{{ account.email|encoded }}
So the regex would be something like:
/{{ [a-z_.]*(|encode)? }}/i
But for some reason I can't get it to work.
Any ideas or comments on how to resolve this?
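Why `(|encode)?` fails and what a working pattern looks like, as an added example in PHP (this is not code from the original post). Inside a group, `|` is alternation, so `(|encode)?` means "an empty string or the word encode" and never matches the literal pipe; the pipe has to be escaped. The sample template text and the helper names below are constructed for this illustration.

```php
<?php
// Added example (not from the original question). The sample template and the
// helper names are constructed for this demonstration.

// Broken: "|" inside the group is alternation ("" or "encode"), not a literal
// pipe, so "{{ account.email|encoded }}" can never match.
const BROKEN_TAG = '/{{ [a-z_.]*(|encode)? }}/i';

// Fixed: escape the pipe, make the modifier a non-capturing optional group and
// capture the variable name and the modifier separately.
const FIXED_TAG = '/{{ ([a-z_.]+)(?:\|(encoded))? }}/i';

// Constructed template text with one plain tag and one tag using the modifier.
const TEMPLATE = '<p>{{ account.name }}</p><p>{{ account.email|encoded }}</p>';

/** Return every full tag a pattern matches in the template. */
function matchTags(string $pattern, string $template): array
{
    preg_match_all($pattern, $template, $m);
    return $m[0];
}

/** Parse tags with FIXED_TAG into [['var' => ..., 'modifier' => ...|null], ...]. */
function parseTags(string $template): array
{
    preg_match_all(FIXED_TAG, $template, $m, PREG_SET_ORDER);
    // A trailing optional group that did not participate is simply absent from
    // the match array, hence the null coalescing.
    return array_map(
        fn(array $t) => ['var' => $t[1], 'modifier' => $t[2] ?? null],
        $m
    );
}

print_r(matchTags(BROKEN_TAG, TEMPLATE));
print_r(matchTags(FIXED_TAG, TEMPLATE));
print_r(parseTags(TEMPLATE));
```

matchTags(BROKEN_TAG, TEMPLATE) returns only {{ account.name }}, while FIXED_TAG matches both tags and parseTags yields account.name with no modifier and account.email with the modifier encoded. If the modifier should later accept more filters, replace `(encoded)` by `([a-z]+)` rather than adding alternatives inside the optional group.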
I'm currently working on a code review for a friend and I found an XSS vulnerability I'd like to understand properly:
Let's say I have a variable foo.bar with the input <h1>test</h1>
I now figured out this pattern:
{{foo.bar}} -> no XSS
{% trans with { '%var%': foo.bar } %} My "%var%" {% endtrans %} -> XSS
{% trans with { '%var%': foo.bar | e('html') } %} My "%var%" {% endtrans %} -> no XSS
I thought I'd run a regex pattern through his whole code to find other potential places with bad encoding of HTML characters, but I did not quite understand when Twig encodes HTML tags and when not. I do understand the "e" (encoding) function, which encodes my variable value as HTML entities, but why is {{foo.bar}} encoding the characters while {% trans with ... is not?
I would search with this pattern for coding mistakes in Twig:
Regex:
'\{%(.){0,2}[trans](.){0,2}[with].*'
-> Searching for "{%[space?]trans[space?] with"
as I guess every time he missed the |e('html') there might be an issue. Am I on the right track? Am I missing something?
I hope I can find more clarification on this topic here :)
Twig always escapes, but "trans with" is part of Symfony and not Twig. It is not autoescaped because it is passed to a tag, and the tag may output it, but that is not a certainty, which is why they refuse to autoescape.
I personally always use the |trans() filter instead, so by default you know you are safe; you can of course still use |raw if needed.
https://symfony.com/doc/current/translation/templates.html
Using the translation tags or filters has the same effect, but with one subtle difference: automatic output escaping is only applied to translations using a filter. In other words, if you need to be sure that your translated message is not output escaped, you must apply the raw filter after the translation filter:
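A review-time scan for `{% trans with {...} %}` tags whose values are not run through an escape filter, as an added example in PHP (this is not the answer's own code, and it is a starting point for a code review rather than a Twig parser). The sample template lines are constructed; a value counts as escaped only when its last filter is `e` or `escape`, with or without a strategy argument, and everything else is reported for manual review.

```php
<?php
// Added example (not the answer's own code): flag "{% trans with {...} %}" tags
// whose values are not run through an escape filter. Sample lines are constructed.

const SAMPLE_TEMPLATE = <<<'TWIG'
<h1>{{ foo.bar }}</h1>
{% trans with { '%var%': foo.bar } %} My "%var%" {% endtrans %}
{% trans with { '%var%': foo.bar | e('html') } %} My "%var%" {% endtrans %}
{% trans with {'%a%': user.name|e('html', 'UTF-8'), '%b%': user.bio} from 'app' %}Hi %a%, %b%{% endtrans %}
{%- trans with {'%n%': count|escape} -%}%n% items{% endtrans %}
{% trans %}No variables here{% endtrans %}
TWIG;

/**
 * Scan a template and return [lineNumber => [unescaped value expressions]].
 * A value counts as escaped only when its last filter is e or escape, with or
 * without a strategy argument; anything else is reported for manual review.
 */
function findUnescapedTransVars(string $template): array
{
    $findings = [];
    foreach (explode("\n", $template) as $i => $line) {
        // {% trans with { ... } %}, tolerating whitespace-control dashes and
        // trailing clauses such as from 'domain'.
        if (!preg_match('/\{%-?\s*trans\s+with\s*\{(.*?)\}.*?%\}/', $line, $m)) {
            continue;
        }
        // Split the hash on commas that are not inside a filter's parentheses.
        foreach (preg_split('/,(?![^(]*\))/', $m[1]) as $pair) {
            if (strpos($pair, ':') === false) {
                continue;
            }
            [, $value] = explode(':', $pair, 2);
            $value = trim($value);
            if (!preg_match('/\|\s*(?:e|escape)\b(?:\s*\([^)]*\))?\s*$/', $value)) {
                $findings[$i + 1][] = $value;
            }
        }
    }
    return $findings;
}

print_r(findUnescapedTransVars(SAMPLE_TEMPLATE));
```

On the constructed sample the scan reports line 2 (foo.bar) and line 4 (user.bio); the values on lines 3, 4 (first mapping) and 5 end in an escape filter and pass. The check is deliberately conservative: a value such as `name|e|upper` is reported too, because the escape is not the last filter, which is the right bias for a review pass.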
Hi, we're using the Twig templating system on our site, along with the Twig i18n extension, to handle our language translations.
As per the documentation, all of our template strings are wrapped in the trans block to be translated by the extension, as shown below:
{% trans "Text to be <br>translated" %}
The issue is that within some of our template strings we have inline <br> tags for text formatting. In all the instances where these <br> tags exist, the strings don't translate and remain in English. Is there any way to 'escape' the <br> tags within a trans block, so that all the strings are read and translated properly?
You can run it through a nl2br filter as well as the trans filter:
{{ "Company Name\nAll Rights Reserved."|nl2br|t }}
I'm making a theme for Bolt (CMS) and it uses the Twig engine.
The website contains articles so I get an article's field like this {{ article.body }}
Now what I wanted to achieve was to get the first letter of the body of the article and make it big, and then display the rest of the article's body (without this first character) normally; you sometimes see this in books. I managed to do that and I successfully changed the style of the first character.
However, using most functions that Twig offers in the documentation, I most often get a "<" as the first symbol, because when typing the body of the article in the administration panel it automatically puts a <p> tag at the start.
Is there a way to overcome this?! I wouldn't want my client to have to delete the <p> tag every time. I thought there would be an easy way to get the body without any HTML in it, or something else suitable for my use case.
The way it currently works beautifully:
<span class="firstcharacter">{{ article.body[:1] }}</span> {{ article.body[1:] }}</p>
but this relies on the article not starting with any HTML.
There is a CSS pseudo-selector for the first letter:
.firstcharacter::first-letter{font-size: 50px;}
Would this work for you?
You can use the striptags filter. For example:
{{ article.body|striptags[:1] }}
Here is a working example.
Hope this helps.
You shouldn't need to extract the first letter if you use CSS, e.g.
Template:
<div class="dropcap">{{ article.body }}</div>
CSS:
div.dropcap p:first-of-type::first-letter {color: #f00;}
That will alter the first letter of the first paragraph.
I am having a problem rendering some HTML from a database table. I have a function that calls and returns some HTML content from a database table; when I use {{ }} double curly braces it shows the content on the page, but as plain text, not rendered as HTML. When I try to use {!! !!} it does not show anything on the page. I don't understand why, or what the solution is in this case. My Blade page has the .blade extension as well.
Please advise.
$string = "<h1>Its H1 Tag</h1>";
{{ $string }}
Displaying Unescaped Data
By default, Blade {{ }} statements are automatically sent through PHP's htmlentities function to prevent XSS attacks. If you do not want your data to be escaped, you may use the following syntax:
Hello, {!! $name !!}.
If the above does not work, then use the below, but it is not good practice:
In your case you can use htmlentities($string), html_entity_decode($string) on your data and then use {{ $string }} to render HTML.
For Laravel version 5.6.* or higher, use single curly braces:
$string = "<h1>Its H1 Tag</h1>";
{!! $string !!}
It can be displayed by the following code too, if the above code doesn't work (Blade's raw PHP block is written with an @ sign):
@php
echo $string;
@endphp
In my Laravel app I allow users to store some text from a textarea. When outputting the text I would like to escape the text retrieved from the DB, but also convert any line breaks in the text into <p> tags. I have a function nl2p() that works well for this, but it gets escaped when I place it inside the triple brackets, defeating the purpose: {{{ nl2p($bio) }}}
I tried doing something like this:
<?php $formatted_bio = {{{ $user->bio }}}; ?>
<h2>{{ nl2p($formatted_bio) }}</h2>
but data can't be echoed into a variable like that. Any creative solutions out there I may have overlooked?
Try using the e() helper function Laravel provides. It is basically what Blade calls under the hood when you do the triple braces.
So you'd have:
<h2>{{ nl2p(e($user->bio)) }}</h2>
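Escape first, then format, as an added example in PHP that serves both the Blade {{ }} / {!! !!} answer above and this nl2p question (it is not code from either answer). escapeHtml stands in for Laravel's e() helper, nl2p is an assumed implementation of the helper the question mentions, and the bio text is constructed; both orders of the two calls are shown so the difference is visible.

```php
<?php
// Added example (not from the original answers). escapeHtml stands in for
// Blade's e() helper, nl2p is an assumed implementation of the helper the
// question mentions, and the sample bio is constructed.

/** Escape the HTML special characters, quotes included, as Blade's escaping does. */
function escapeHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Wrap blank-line separated paragraphs in <p> and turn single newlines inside a
 * paragraph into <br>. It adds markup, so it must run on already-escaped text.
 */
function nl2p(string $text): string
{
    $html = '';
    foreach (preg_split('/(?:\r?\n){2,}/', trim($text)) as $paragraph) {
        if ($paragraph === '') {
            continue;
        }
        // nl2br(..., false) emits plain <br> rather than the XHTML <br />.
        $html .= '<p>' . nl2br($paragraph, false) . '</p>';
    }
    return $html;
}

/** Correct order: escape the user text first, then add the formatting markup. */
function renderBio(string $bio): string
{
    return nl2p(escapeHtml($bio));
}

/** The order the question ran into: markup first, then escaping eats the tags. */
function renderBioWrongOrder(string $bio): string
{
    return escapeHtml(nl2p($bio));
}

// Constructed input: a script payload plus a paragraph break.
$bio = "Hi, I'm Bob\n<script>alert(1)</script>\n\nSecond paragraph";

echo renderBio($bio), "\n\n";
echo renderBioWrongOrder($bio), "\n";
```

renderBio leaves the payload as &lt;script&gt; text inside real <p> and <br> tags, while renderBioWrongOrder escapes the tags nl2p added, which is exactly what {{{ nl2p($bio) }}} did in the question. The result of nl2p(e($user->bio)) can then be output through the raw form of the Blade syntax ({{ }} in Laravel 4, {!! !!} in Laravel 5 and later), because the only unescaped markup in it is the markup nl2p itself produced.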