So I have a <textarea> in my form. The user can enter either a new line or a single line. So when the user views the text, it should be shown the way he/she input it.
Form
<textarea name="jo_unit" class = 'form-control' required="required" cols = '4'></textarea>
Expected Output
TESTING 1 TESTING 2 TESTING 3
What I get
My code on displaying it
{{ nl2br(@$get['result'][0]->jo_unit_2) }}
Security: This code allows XSS attacks and is not production ready.
use {!! !!}:
{!! nl2br(@$get['result'][0]->jo_unit_2) !!}
Use
{!! nl2br(e(@$get['result'][0]->jo_unit_2)) !!}
{!! !!} creates an escaped output and allows HTML (and XSS attacks).
To make it secure again you also need to use e(); see the helpers documentation.
Related
I tried to show a variable this way on a blade template on laravel
<input type="text" name="win-phone" class="modal-input" value="{{ $info['fields']['phone'] }}">
and it doesn't work , but this way
<input type="text" name="win-phone" class="modal-input" value="{!! $info['fields']['phone'] !!}">
It worked, why? Is the first way not the correct way?
By default, Blade {{ }} statements are automatically sent through PHP's htmlspecialchars function to prevent XSS attacks. If you do not want your data to be escaped, you may use the following syntax:
Hello, {!! $name !!}.
In summary, if used in this way disabled HTML is allowed.
Source : https://laravel.com/docs/7.x/blade
There are two ways to print your PHP variable in a Blade template.
1. Statements are automatically sent through PHP's htmlspecialchars function to prevent XSS attacks
{{ $your_variable }}
2. If you do not want your data to be escaped, you may use the following syntax
{!! $your_variable !!}
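The two answers above (nl2br with e(), and {{ }} versus {!! !!}) both come down to the order of escaping and line-break insertion. The following is an added example, not code from either answer; it uses a stand-alone e() that mirrors Laravel's helper (htmlspecialchars with ENT_QUOTES and UTF-8) so it runs with plain `php` outside a Laravel app, and the textarea value is constructed for the demonstration.

```php
<?php
// Added example (not from the original post): why the escape must happen
// before nl2br(). e() here approximates Laravel's helper so the script
// runs without the framework.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed textarea submission: a multi-line value with an injected tag.
$jo_unit = "TESTING 1\n<script>alert(document.cookie)</script>\nTESTING 3";

// What {!! nl2br($x) !!} renders: the <script> tag reaches the browser intact.
$unsafe = nl2br($jo_unit);

// What {!! nl2br(e($x)) !!} renders: the tag is neutralised to text,
// and the <br /> tags nl2br() adds afterwards are real markup.
$safe = nl2br(e($jo_unit));

// Wrong order: {{ nl2br($x) }} is e(nl2br($x)), so the <br /> tags are
// escaped too and the user sees literal "<br />" with no line breaks.
$overEscaped = e(nl2br($jo_unit));

echo "UNSAFE:\n", $unsafe, "\n\nSAFE:\n", $safe, "\n\nOVER-ESCAPED:\n", $overEscaped, "\n";
```

Run it with `php example.php` and compare the three outputs: only the SAFE variant keeps the line breaks as markup while turning the script tag into harmless text, which is why {!! nl2br(e($x)) !!} is the pattern to use and {!! nl2br($x) !!} is not.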
I have created a form where an Admin can create text and also use objects as used in Blade. I want to store the text in a table and then display it in HTML with the objects working properly.
For example, I would have a form with this input in my view
<div class='form-group'>
<textarea placeholder="" name='comments' type='' rows='10' class='form-control' id='' value = '{{ old('comments') ?? $plansubmission->comments }}'>{{ $plansubmission->comments }}</textarea>
<div>{{ $errors->first('comments') }}</div>
</div>
In that form input, I have entered the following:
Dear Employee, {{ $plansubmission->id }}
This input validates and the input is sent to comments column in the proper table in my database.
Now, I want to return the comments column back into the view with all the spacing that was submitted into the input (therefore, I use the 'pre' tags):
<pre> {{ $plansubmission->comments}} </pre>
The plan text and spacing is maintained but the blade part simply comes out as {{ $plansubmission->id}} instead of what the actual property is.
It's a major security problem to let users submit blade templates to display data. Blade is compiled to PHP so you would be essentially allowing users to execute any PHP code they want. I would recommend you use something like mustache to let users inject variables into the output.
In the controller that passes the data to the view, you can pass the $plansubmission->comments through a mustache parser. This will treat the comments field as a template, and the second parameter sets the variables that the template has access to. This way you can explicitly set what the comment template has access to so you don't let users leak more data than is required.
$m = new Mustache_Engine;
$comments = $m->render($plansubmission->comments, $plansubmission->toArray());
Then users can put something like this in the comments field
Dear Employee, {{ id }}
Then in the view do
<pre> {{ $comments }} </pre>
and it will output
<pre> Dear Employee, 123 </pre>
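The answer above passes $plansubmission->toArray() as the template context, which exposes every column of the row to whoever writes the comment. The following is an added example, not the answer's Mustache code: a deliberately tiny placeholder renderer that shows the two properties the answer relies on (only whitelisted keys expand, and the text is never evaluated as Blade or PHP). The function name, the $allowed list and the sample submission row are assumptions for the demonstration.

```php
<?php
// Added example (not from the original answer): a minimal "{{ key }}"
// substitution with an explicit allow-list, standing in for the Mustache
// call. Names (render_user_template, $allowed, the row) are assumptions.
function render_user_template(string $template, array $vars, array $allowed): string
{
    // One non-recursive pass: a value that itself contains "{{ ... }}" is
    // inserted literally, so a user cannot chain placeholders to reach more data.
    return preg_replace_callback(
        '/\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}/',
        function (array $m) use ($vars, $allowed): string {
            $key = $m[1];
            if (!in_array($key, $allowed, true) || !array_key_exists($key, $vars)) {
                return ''; // unknown or disallowed placeholder renders as empty text
            }
            return (string) $vars[$key];
        },
        $template
    );
}

// Stand-in for $plansubmission->toArray(), including a column the comment
// author must never be able to interpolate.
$plansubmission = [
    'id'            => 123,
    'employee_name' => 'Ada',
    'reviewer_note' => 'confidential: salary band 4',
];

// Constructed admin-authored template as stored in the comments column.
// The last placeholder is Blade syntax; it must stay literal, not execute.
$comments = "Dear Employee, {{ id }}\n\nHello {{ employee_name }}.\n"
          . "{{ reviewer_note }} {{ \$plansubmission->id }}";

$rendered = render_user_template($comments, $plansubmission, ['id', 'employee_name']);

// The view still escapes the result ({{ $comments }} in Blade), so HTML typed
// into the comment field is displayed as text, not executed.
$html = '<pre>' . htmlspecialchars($rendered, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</pre>';
echo $html, "\n";
```

Running it shows id and employee_name filled in, reviewer_note dropped because it is not in the allow-list, and the Blade-style `{{ $plansubmission->id }}` left untouched because the renderer only recognises bare identifiers. Passing the allow-list explicitly, rather than the whole toArray(), is the point: the comment author gets exactly the fields you name and nothing else.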
I'm using Laravel 5.5 and Laravel Collective to build my forms.
During validation, to manage errors and putting back the old values, I'm using this kind of code:
<div class="@if ($errors->has( $question->title )) has-error @endif">
{!! Form::label($question->title, $question->title) !!}
{!! Form::text($question->title, null, ['class' => 'form-control']) !!}
@if ($errors->has($question->title)) <p class="help-block">{{ $errors->first($question->title) }}</p> @endif
</div>
And everything is working well. But I'm facing a problem where my name attributes contains white spaces.
When the page is displayed my name attributes are written correctly with white space, for example Are you happy?
But the validation returns an error mentioning Are_you_happy?, so the old values are not put back and the error messages are not displayed because of the _.
I was thinking of using regex to "sanitize" the values in my forms but the error message will still be The Are_you_happy? field is required. So not that good.
Is there any tricks or better ways to proceed?
Or is it just a bad practice to have whitespace?
More info
This also happens with the dot character .; it is replaced by an _ during validation.
It's bad practice to use white space, but it's not an error.
You can work around your problem by changing the output of the error messages.
From the documentation
Specifying Custom Attributes In Language Files
If you would like the :attribute portion of your validation message to be replaced with a custom attribute name, you may specify the custom name in the attributes array of your resources/lang/xx/validation.php language file:
'attributes' => [
'email' => 'email address',
],
in your case
'attributes' => [
'Are_you_happy' => 'are you happy',
],
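The underscores the question describes are not produced by the validator: PHP itself rewrites spaces and dots in incoming parameter names to "_" when it builds $_POST and $_GET, and parse_str() applies the same rewrite, so it can be used offline to see the names the validator will actually receive. The following is an added example, not code from the answer above; the two field names, the attributes map (keyed by the mangled names, including the trailing "?") and the humanizeMessage helper are assumptions for the demonstration.

```php
<?php
// Added example (not from the original answer): where the "_" comes from,
// and how an attributes map keyed by the mangled name fixes the message.
// The field names and the humanizeMessage helper are assumptions.

// Constructed form body as the browser would encode it:
// "Are you happy?" and "user.email" as input names.
parse_str('Are+you+happy%3F=&user.email=', $received);

// parse_str() mangles names exactly like the request parser does:
// spaces and dots become underscores, other characters stay.
print_r(array_keys($received));

// The validator therefore reports the mangled key, so the attributes map
// (resources/lang/xx/validation.php) must be keyed by that mangled name.
$attributes = [
    'Are_you_happy?' => 'are you happy',
    'user_email'     => 'email address',
];

function humanizeMessage(string $template, string $field, array $attributes): string
{
    // Fall back to the raw field name when no custom label is configured.
    $label = $attributes[$field] ?? $field;
    return str_replace(':attribute', $label, $template);
}

foreach (array_keys($received) as $field) {
    echo humanizeMessage('The :attribute field is required.', $field, $attributes), "\n";
}
```

Because the mangling happens before any Laravel code runs, the same key has to be used everywhere the field is referenced after submission: in $errors->has(), in old(), and in the attributes array. Using names without spaces or dots in the first place avoids the mismatch entirely.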
I have a variable $country_code that is displaying the correct value in one part of my form but not in a different part. Why is this happening?
This is my code:
{{ Form::open(['action' => ['PinVerificationController@valid'],'id'=>'pin_code_form']) }}
//$country_code shows 1
We sent a text message to {{$country_code}} {{$phone_number}}. You should receive it within a few seconds.<br><br>
{{ Form::label('Pin Code', null, ['class' => 'control-label']) }}
{{ Form::hidden('country_code', $country_code) }}//<------shows 1-US instead of 1
{{ Form::hidden('phone_number', $phone_number) }}
{{ Form::hidden('type', $pin_notification_type) }}
{{ Form::text('pin_code', null,['placeholder' => 'Pin Code'])}}<br><br>
Enter a 4 digit pin you received by phone.
<br>
<br>
{{ Form::submit('Verify',['name'=>'validate'])}}
{{ Form::close() }}
So if I set $country_code to "1" in my controller it'll display We sent a text message to 1 5555555. You should receive it within a few seconds.
But if I do an inspect element on my hidden form it displays 1-US. I've tried php artisan view:clear and php artisan clear-compiled but the problem still persists.
I've also tried hardcoding a value {{ Form::hidden('country_code', 'asdf') }} and I'm not seeing the change. I tried adding a test {{ Form::hidden('country_code1', 'asdf') }} and I do see the update.
I also renamed country_code to country_code111 for my hidden field and it displayed the correct value of 1. I thought it was a caching issue but like I mentioned I've tried php artisan cache:clear and the problem is still there.
Since you are using Laravel 5.4, I assume you are using Form from the LaravelCollective, since they were removed from baseline Laravel in 5.x.
LaravelCollective Forms will override the value you provide to the input if it exists in the request data, or in old posted data (the old() function). I suspect this is the case for you.
You can see this behavior implementation here.
To solve this problem, you have a few options:
change the name of the request parameter feeding into the page (if you have control over it)
rename your field name to something that doesn't conflict
Don't use Form:: to generate the form and just use classic html/Blade to create the hidden input automatically
Personally, I would recommend #3 because then you have full control over your code.
<input type="hidden" name="country_code" value="{{ $country_code }}"/>
Right now I'm rendering two forms (one for the company and one for its tags) and it looks like this:
<h3>Company</h3>
{{ form_start(form) }}
{{ form_row(form.name) }}
{{ form_row(form.city) }}
{{ form_row(form.street) }}
{{ form_row(form.postalcode) }}
{{ form_row(form.buildingnumber) }}
{{ form_row(form.vatid) }}
{{ form_row(form.tags) }}
<button id="test">Test</button>
{{ form_row(tags_form.title) }}
{{ form_row(form.save) }}
{{ form_end(form) }}
I want users to be able to add another input ( after clicking test button ) {{ form_row(form.tags) }} so they can add multiple tags with one form, but right now my tags form looks like this:
$builder
->add('title',null,array(
'label' => 'tag.title',
'required' => false
));
and I don't really know how to set this up. I tried with the simplest solution:
$('#test').on('click',function(e) {
e.preventDefault();
$('#fourcreate_portalbundle_companytags_title').clone().appendTo('form');
});
but that way submitting form creates entity only from the second input.
EDIT: I forgot to add - it has to be done with two forms, because first form contains list of currently available tags and the second form is to let users add their own.
You should not use two forms, but have a collection of tags_form in form.tags. The sample in the Cookbook is about adding tags.
The browser sends a "clobbered" form where the name attributes of two or more input elements have the same value. Hence, the back-end gets only the last value. I cannot be more specific because I am not familiar with that part of Symfony.
If you wish to clone input elements, and have their values submitted correctly, you must at least modify the name attributes before submitting the form. Also, watch out for non-unique id attributes, as that violates the HTML (DOM?) standard.
e.g.
// clone the original input, then give the copy a unique name and id before it is submitted
var clone = $('input[id="original"]').clone();
clone.attr('name', clone.attr('name') + '1');
clone.attr('id', clone.attr('id') + '1');