I was digging through laravel and I went through how the blade views are interpreted and what I came across was that:
This:
{{ $tenant->name }}
Translates to this:
<?php echo e($tenant->name); ?>
I don't understand what the e() method is for. I could not find it on php.net either, so I am guessing it is part of Laravel 5 itself. But what does it do?
from the docs:
e()
The e function runs htmlentities over the given string:
echo e('<html>foo</html>');
// &lt;html&gt;foo&lt;/html&gt;
http://laravel.com/docs/5.1/helpers#method-e
say you're going to print some data from the database on a web page, or going to put it into the database as an input like,
{{ $tenant->name }}
and think value of $tenant->name is something like
<script>
alert("Errors....");
</script>
after rendering this in the browser you will get an alert. This is a security issue, so we need to avoid rendering such content, and we don't need this kind of data in our database.
so we need to sanitize those data
to do that laravel provides some options
HTML::entities($tenant->name);
and e() is a helper function for HTML::entities
and you can get the same behavior by using
e($tenant->name);
if $tenant->name is <script>alert("Errors....");</script> then after applying e() you will get something like the below,
"&lt;script&gt;
alert(&quot;Errors....&quot;);
&lt;/script&gt;"
this is no longer processed as a script
here is a good recipe
OR there is an easy way to do this
use triple curly braces {{{ }}} instead of double braces {{ }} this will also sanitize the content.
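The escaping described in this answer, as an added example that is not part of the original post: a stand-in for Laravel's e() helper, assumed here to be the Laravel 5.1 definition (htmlentities with ENT_QUOTES, UTF-8 and double_encode set to false), applied to a constructed tenant name.

```php
<?php
// Added example: a local stand-in for Laravel 5.1's e() helper, assumed to be
// htmlentities($value, ENT_QUOTES, 'UTF-8', false). Not Laravel's own code.
function escapeForHtml(string $value): string
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8', false);
}

// Constructed sample: a "name" that carries markup instead of a real name.
$tenantName = '<script>alert("Errors....");</script>';

// What a bare echo (or {!! $tenant->name !!}) sends to the browser: markup,
// which the browser parses and executes as a script element.
$unsafe = $tenantName;

// What {{ $tenant->name }} sends: the same characters as literal text. The angle
// brackets become &lt; and &gt; and the double quotes become &quot;, so the
// browser shows the text instead of running it.
$safe = escapeForHtml($tenantName);

echo 'unsafe: ', $unsafe, PHP_EOL;
echo 'safe:   ', $safe, PHP_EOL;

// ENT_QUOTES matters in attribute context: both quote styles and the ampersand
// are encoded, so a value cannot close the attribute it is placed in.
$label = 'Tenant "Alpha" & Co\'s';
echo '<input value="', escapeForHtml($label), '">', PHP_EOL;

// double_encode = false leaves existing entities untouched, so text that was
// already escaped before being stored is not escaped a second time on output.
$stored = '&lt;b&gt;already escaped&lt;/b&gt;';
echo escapeForHtml($stored), PHP_EOL;
```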
I have a problem to insert a redirect link into a message in a redirect laravel command.
This is what I would like to have:
return redirect('validation')->with('warning','to correct mistake, click here');
and after click on the here, I have to load another page with the url mapped on here.
Something like this, but this solution does not work:
return redirect('validation')->with('warning','to correct mistake, click here');
I think you are using this in your view to show the warning.
{{ session('warning') }}
You need to use these brackets in your view to show the warning and to allow the html to be processed by the browser.
{!! session('warning') !!}
These brackets {{ }} escape html tags and will render html as plain text to prevent XSS attacks.
If you want to inject html from the backend you must use {!! $html !!} which will render the html as html.
You can check out Displaying Data in the Laravel Docs for a better explanation.
I have a strange issue at the moment, and I'm looking for any insight on how to deal with this.
I'm currently accepting HTML input using the Basecamp Trix editor.
When I send the input to my Laravel application, it is saved to my database as:
&lt;div&gt;&lt;script&gt;alert('test');&lt;/script&gt;&lt;/div&gt;
However, the problem is that when I insert this into a Vue property using Laravel's blade, it somehow actually converts it back into valid HTML:
<reply :data-reply="{{ $reply }}"></reply>
Result:
It seems that Laravel converts the script tags to valid HTML using the blade echo statements?
My View:
{{ $reply }}
Result:
{"id":63,"created_at":"2017-09-07 13:30:53","updated_at":"2017-09-07 13:35:05","user_id":1,"body":"<div><script>alert('test');<\/script><\/div>","options":null}
The problem is, I can't sanitize this because the HTML data is actually escaped in my database, but when Laravel converts my reply to JSON, it actually unescapes the script tags, and it's actually run in Vue when using the v-html directive.
I know I'm not supposed to accept user input while using the v-html directive, but I need HTML support for replies, and I can't sanitize already escaped HTML in my Laravel application.
Does anyone have any ideas how I can go about sanitizing Trix's content in some way?
Ok, I've put
<div><script>alert('test');</script></div>
into email field of user.
In Laravel I'm just using:
return view('welcome', ['user' => App\User::find(1)]);
nothing special in model.
My view looks like this:
<!DOCTYPE html>
<html>
<head>
</head>
<body>
<div id="el">{{ $user }}</div>
<script>
user = JSON.parse(document.getElementById("el").innerHTML);
console.log(user.name);
</script>
</body>
</html>
and in JS console I'm getting:
<div><script>alert('test');</script></div>
so it's not the same as in database but it doesn't look as you showed either.
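The round trip this answer describes, traced in PHP as an added example that is neither the asker's nor the answerer's code: a constructed reply goes through json_encode and an e() stand-in (assumed to be Laravel 5.1's htmlentities with ENT_QUOTES, UTF-8, double_encode false), then through the entity decoding a browser performs on an attribute value, to show why the original body comes back intact and why it must be sanitised separately before v-html renders it.

```php
<?php
// Added example: stand-in for Laravel 5.1's e(); assumed definition, not Laravel's code.
function escapeForHtml(string $value): string
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8', false);
}

// Step 1: what {{ $reply }} produces for <reply :data-reply="..."> given a model.
function renderAttribute(array $reply): string
{
    return escapeForHtml(json_encode($reply));
}

// Step 2: what the HTML parser hands to Vue after decoding the attribute's entities.
function decodeAttribute(string $attribute): string
{
    return html_entity_decode($attribute, ENT_QUOTES, 'UTF-8');
}

// Step 3: an illustrative allowlist sanitiser for the body (assumed, minimal).
// strip_tags keeps the text inside removed tags and keeps attributes on allowed
// tags, so a real HTML sanitiser is needed in practice; this only shows the idea.
function sanitiseBody(string $html): string
{
    return strip_tags($html, '<div><p><br><strong><em><ul><ol><li>');
}

// Constructed sample reply, matching the shape shown in the question.
$reply = ['id' => 63, 'body' => "<div><script>alert('test');</script></div>"];

$attribute = renderAttribute($reply);
// The attribute holds &lt;div&gt;&lt;script&gt;... and &quot; in place of raw quotes,
// so the markup in the body cannot break out of the attribute. That is all e() does.
echo $attribute, PHP_EOL;

$seenByVue = decodeAttribute($attribute);
// Decoding exactly undoes step 1: Vue receives the original JSON text, and the
// decoded body equals what was stored, script element included.
$body = json_decode($seenByVue, true)['body'];
if ($body !== $reply['body']) {
    throw new RuntimeException('browser decoding did not restore the stored body');
}

// v-html would now insert $body as markup. The fix lives here, not in Blade:
// sanitise the body (on input, on output, or both) before it is rendered as HTML.
echo sanitiseBody($body), PHP_EOL;
```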
So, I've been working on a website for a reggae backing band and on the 'booking' page I have a form. After submitting the form I first (of course) check if all required fields are filled in, if something else went wrong or if it succeeded.
But, I have a couple of language files (nl, de, fr and en). On the HTML page I first check if an error was set inside the PHP and if there is an error, I want to output it in the right language.
So in case of an error, the HTML would have to look like this
{{ lang.booking.{{ form_error }} }}
because I am sending the error type in the PHP as well, but this doesn't seem to be possible (obviously).
Can someone help me out or tell me how to get around this problem?
Thanks in advance!
You can use the attribute function to access a dynamic attribute of a variable.
{{ attribute(lang.booking, form_error) }}
You can use translation on constraint messages as you can learn in this article: http://symfony.com/doc/current/validation/translations.html
If I have a form:
<form method="get" action="<?=action( "SomethingController@DoSomething" )?>">
<select name="SomethingID">
<?php foreach( $somethings as $something ) : ?>
<option value="<?=$something->id?>"><?=$something->title?></option>
<?php endforeach; ?>
</select>
</form>
How do I do a route for this so that my DoSomething function gets an id given to it rather than generating an ugly as hell URL like www.example.com/project/3/something?SomethingID=7
Route::get( "project/3/something/{SomethingID}", "SomethingController@DoSomething" );
I want the URL to be www.example.com/project/3/something/7
The problem is it can't be a post... because then people can never just simply go to that URL... they'd always have to post to it.
Do I need to make the dropdown box change the anchor href of a button with javascript that then generates the correct url from that?
Can't seem to find anything in here:
http://laravel.com/docs/4.2/routing
I feel like you're doing everything right... I am a little confused on what you're trying to do though, and subsequently doing "wrong" (since everything seems right), so apologies in advance for the shot in the dark. Instead of the select, can you use simple a tags?
@foreach($somethings AS $something)
<a href="/project/3/something/{{ $something->id }}">{{ $something->title }}</a>
@endforeach
That way, clicking the link takes them to www.example.com/project/3/something/7 -> or whatever ID is generated by the link. As for routing, you could do:
Route::get("project/3/something/{SomethingID}", "SomethingController@getSomething");
Route::post("project/3/something/{SomethingID}", "SomethingController@postSomething");
And your controller:
public function getSomething($somethingID){
// Handle returning the view and whatever else you need
}
public function postSomething($somethingID){
// Handle the post function (i.e. do stuff.)
}
Those are a couple things to try when routing dependent on variable ID's, but if there's something else you're trying to accomplish, leave a comment and I'll look into that as well.
Cheers!
I am building a PHP/MySQL based framework and CMS, and I got stuck on passing variables using the POST method from a form located in one controller to another controller. More exactly, I built a form for changing languages. This form is located at localhost/index/index, and when I select a language, it goes to http://localhost/application/change_language, where change_language is a public function in the application class. The thing is that the $_POST variables from that form don't get through to the change_language function. I var_dump-ed the entire $_POST tree in this function, and all I got is array(0) { }. What am I doing wrong, or why isn't this working? Sorry for my English. Cheers
Sounds like you could use sessions to carry your data over. I ran into this problem with CodeIgniter and post data. I created a session with the post data, worked like a champ.
Could be a variety of things that are going wrong, it will be best to post some code here so we can have a look at what is wrong instead of blindly guessing what might be wrong.
Although as first look, it sounds like you did not properly post the form values to the function change_language. Please check that the form is properly formed. You might want to have a look at this.
From the MVC perspective, the form should be inside a View, not the Controller. So I would suggest you put the form inside a View and then point the action attribute of the form at a Controller which will process the form request, something like this:
<form name="myform" method="post" action="index.php/your_controller">
.... more stuff here
</form>
Now your code for the your_controller Controller to process the form request:
class your_controller extends whateverparentcontroller
{
    // Statements must live inside a method; the method name here is an assumption.
    public function index()
    {
        print '<pre>';
        print_r($_POST);
    }
}