I'm using PHP Laravel framework and I came to some code examples where {{ }} is use inside a html code, like this:
<link rel="stylesheet" href=" {{ URL::to('css/app.css') }} ">
My conclusion is that the {{ }} are used to write no-HTML code inside the HTML, is that correct?
And for what is the { } used?
Thanks for your answer.
There is no { } in Blade, {{ }} displays escaped data and {!! !!} displays unescaped data.
By default, Blade {{ }} statements are automatically sent through
PHP's htmlentities function to prevent XSS attacks. If you do not want
your data to be escaped, you may use the following syntax:
Hello, {!! $name !!}.
https://laravel.com/docs/5.3/blade#displaying-data
That is not php but rather syntax for the blade template system that laravel comes bundeled with.
In short, {{$aPhpVariable}} is basically compiled to <?= htmlentities($aPhpVariable) ?> (or even <?php echo htmlentities($aPhpVariable); ?>), but from what I know, there is no single bracket ({}) syntax.
You can also use normal php code inside blade templates or just treat it as a normal html page, but it does have a bunch of things that makes building the views a lot easier.
Go check out the docs for more info about blade!
To escape data use
{{ $data }}
If you don't want the data to be escaped use :
{!! $data !!}
{} is part of the syntax of PHP code. It's used in functions, blocks of code and objects.
{{ }} it part of Laravel's Blade template syntax, echoing something in a Laravel project.
Related
I have some html buttons I want to render with twig. This is the HTML:
<button class="btn btn-primary">Edit worklog</button>
I created a method in php to return the HTML string above which I pass in with twig like this:
{{ html.editWorklogButton|raw }}
But when the button is rendered with raw it also renders {{ worklog.id }} and {{ worklog.customerid }} raw of course, losing the id's, giving me href to:
localhost/Worklog/editWorklog?worklogid={{worklog.id}}&customerid={{worklog.customerid}}
which instead should be something like:
localhost/Worklog/editWorklog?worklogid=1&customerid=2
I've checked twig documentation, but can't find anything on this. Is this simply not possible to do?
You may use the template_from_string extension.
The template_from_string function loads a template from a string.
In your case, it should be something like this:
{{ include(template_from_string(html.editWorklogButton)) }}
Code
We have the following Twig HTML template:
<div id="error">{{ flash.error | raw }}</div>
and we flash messages in multiple places, e.g.:
$app->flash('error', "Some error with this $user_supplied string.");
$app->flash('error', "Hello, <b>World</b>!");
Question
This is obviously a security concern, $user_supplied could include javascript. I would like to replace {{ flash.error | raw }} with {{ flash.error }}, while still allowing HTML in some cases.
What I would like to have:
<div id="error">{{ flash.error }}</div>
----
$app->flash('error', "Some error with this $user_supplied string.");
$app->flash('error', HTML("Hello, <b>World</b>!"));
That way all developers realize the dangers. I can probably hack this together, but is there maybe already a built-in way or a better alternative?
Hm, Perhaps you can check the contents of the variable in the PHP code before you pass it to the template. Then use some of PHP's built in string parsing functions to check the variable for the existence of certain tags.
If (for example) script tags are found, you could set the variable to null or false and then handle that value in your template.
Another way I can think of is to use the striptags filter. You define your allowed tags and what isn't defined will be removed. This way you can output what you want and only keep your allowed tags.
https://twig.symfony.com/doc/2.x/filters/striptags.html
{% set some_var = '<b><script>console.log(123)</script></b>' %}
<div id="error">{{ some_var|striptags('<b><strong>')|raw }}</div>
You can use escape twig variable for specific needs.
{{ flash.error|escape('js') }}
The escape filter supports the following escaping strategies:
html, js, css, url, html_attr
You can do this in your twig configuration, without knowing much about your project I am going to assume you are using Twig View. At the point of configuring Twig View for your Slim project you can do the following:
$view = new \Slim\Views\Twig('path/to/templates', [
'cache' => 'path/to/cache',
'autoescape' => 'js'
]);
That should have it configured globally for JS only escaping. I have not tested this so I am not sure if it works.
I dont have knowledge in laravel Blade and I have this code :
<span v-bind:class="{ 'total': (listing.price_per_week), 'total total-center': (!listing.price_per_week)}">#{{ listing.price_view }}*</span>
I want to pass that price value to this function
<?php echo removeFrom( #{{ listing.price_view }} ); ?>
but it doesnt work this way
how can pass this
Thanks
Please check this out: Blade & JavaScript Frameworks
Since many JavaScript frameworks also use "curly" braces to indicate a
given expression should be displayed in the browser, you may use the #
symbol to inform the Blade rendering engine an expression should
remain untouched. For example:
<h1>Laravel</h1>
Hello, #{{ name }}.
In this example, the # symbol will be removed by Blade; however, {{
name }} expression will remain untouched by the Blade engine, allowing
it to instead be rendered by your JavaScript framework.
I stumbled upon this problem. I am using twitter bootstrap. I generate form elements like this:
{{ Form::button('Save', array('class'=>'btn btn-success')) }}
This is alright. But when I want to put an icon before the 'Save' like this,
{{ Form::button('<i class="icon-ok"></i> Save', array('class'=>;'btn btn-success')) }}
The <i> tag is not interpreted as it should be.Is there any workaround on this? How do I do this?
Any Body Give Some Idea
Thanks in advance.
You can use the HTML::decode method to wrap your button.
Example:
{{ HTML::decode(Form::button('<i class="icon-ok"></i> Save', array('class'=>;'btn btn-success'))) }}
HTML::decode converts entities to HTML characters according to laravel's api, found here:
laravel api
What version of Laravel are you using?
In Laravel 5, Blade has changed so that {{ }} is escaped by default (therefore not rendered as HTML by the browser) and you should use {!! !!} instead.
I am really new to Laravel as well as PHP.
I have some PHP code that I want to put it in Laravel.
But when I check the .blade files there are no PHP codes contained in them.
So, my question is: When can I put my PHP code in a Laravel application.
The PHP code relates to single.blade.
Thank you for your guidance.
Blade is the Laravel template, you should not put your code inside the blade file, it is not a good practice (not recommended), just things you are going to show on the final page.
You should put your code inside the controller.
So if you want to pass things to Blade you should do like:
View::make('single', array('var1' => $var1, 'var2' => $var2));
Everything between {{ }} is tranformed to an echo by Blade, so you can use any PHP code like this {{ date('d/m/y') }} on your Blade files.
So with this example above you should do {{ $var1 }} on your Blade file.
But with Blade you have flow control:
If-else:
#if ($var1 == $var2)
<p> equal </p>
#else
<p> not equal </p>
#endif
For-each:
#foreach($vars as $var)
<p>{{ $var }}</p>
#endforeach
For:
#for($i=0 ; $i<999 ; $i++)
<p>Number: {{ $i }}</p>
#endfor
While:
#while(isTrue($var))
<p>Loop forever</p>
#endwhile
Unless:
#unless(isRunning())
<p>keep</p>
#endunless
With this you can control what is printed on screen and you can use Laravel code like this (this code is adding an HTML class if the current route is equal to 'getFoo' to the element LI):
<li #if(URL::current() == URL::route('getFoo'))class="active"#endif>
This is a good start on how to use Blade. http://laravel.com/docs/templates