Laravel Escaping All HTML in Blade Template - php

I'm building a small CMS in Laravel and I tried to show the content (which is stored in the DB). It is showing the HTML tags instead of executing them. It's like there is an auto html_entity_decode for all printed data.
<?php
class CmsController extends BaseController
{
    public function Content($name)
    {
        $data = Pages::where('CID', '=', Config::get('company.CID'))
            ->where('page_name', '=', $name)
            ->first();

        return View::make('cms.page')->with('content', $data);
    }
}
I tried to print the content using the curly brace.
{{ $content->page_desc }}
and triple curly brace.
{{{ $content->page_desc }}}
And they give the same result. I need to execute those HTML tags instead of escaping them.

Change your syntax from {{ }} to {!! !!}.
As The Alpha said in a comment above (not an answer so I thought I'd post), in Laravel 5, the {{ }} (previously non-escaped output syntax) has changed to {!! !!}. Replace {{ }} with {!! !!} and it should work.

Use this tag: {!! description text !!}

I had the same issue. Thanks to the answers above, I solved my issue. If there are people facing the same problem, here are two ways to solve it:
You can use {!! $news->body !!}
You can use the traditional PHP opening tag (it is not recommended) like: <?php echo $string ?>
I hope it helps.

Include the content in {! <content> !}.

There is no problem with displaying HTML code in Blade templates.
For a test, you can add only one route to routes.php:
Route::get('/', function () {
    $data = new stdClass();
    $data->page_desc = '<strong>aaa</strong><em>bbb</em>'
        . '<p>New paragraph</p><script>alert("Hello");</script>';

    return View::make('hello')->with('content', $data);
});
and in the hello.blade.php file:
<!doctype html>
<html lang="en">
<head>
    <meta charset="UTF-8">
</head>
<body>
    {{ $content->page_desc }}
</body>
</html>
For this code you will get the output as on the image.
So probably page_desc in your case is not what you expect. But as you see, it can be potentially dangerous if someone uses, for example, a <script> tag, so you should probably filter some tags in your route before assigning to the Blade template.
EDIT
I've also tested it with the same code put into the database:
Route::get('/', function () {
    $data = User::where('id', '=', 1)->first();

    return View::make('hello')->with('content', $data);
});
The output is exactly the same in this case.
Edit2
I also don't know if Pages is your model or a vendor model. For example, it can have an accessor inside:
public function getPageDescAttribute($value)
{
    return htmlspecialchars($value);
}
and then when you get the page_desc attribute you will get page_desc modified with htmlspecialchars. So if you are sure that the data in the database is raw HTML (not escaped), you should look at this Pages class.

{{ html_entity_decode($post->content()) }} solved the issue for me with Laravel 4.0. Now my HTML content is interpreted as it should be.

Related

How to include a Blade component like <x-some-component> in a <<<HTML HEREDOC?

I'm using Laravel 9 and running PHP 8.2.
In blade views I can use the following example blade component:
<x-frontend.module-button href="#" text="Example button" />
But when using a HEREDOC like so:
$html = <<<HTML
<x-frontend.module-button href="#" text="This will not output anything" />
HTML;
The x-component doesn't output anything at all, and just to confirm: yes, it does work in a standard Blade view.
Is this just a limitation of using an HTML HEREDOC, or is there some way around this? The only thing I tried was adding a special global function called component that returns the component view like so:
function component(string $componentName, array $data = [], bool $render = true)
{
    $view = view('components.' . $componentName, $data);

    return $render ? $view->render() : $view;
}
And echoing that out within the HEREDOC, but that kind of defeats the purpose of using the HEREDOC in the first place.
Any ideas or suggestions welcome, thank you!
From Laravel 9 you can now render a Blade template inline using Illuminate\Support\Facades\Blade::render($someString).
I don't have an example of your custom Blade component so I mocked one up:
@props([
    'html',
    'text'
])
<div>
    <button>{{ $text }}</button>
</div>
Then to render this component via a string:
<?php
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Facades\Blade;

Route::get('/', function () {
    $html = Blade::render(<<<HTML
    <x-frontend.module-button href="#" text="This will not output anything" />
    HTML);

    return view('welcome', compact('html'));
});
Note: To get this to render correctly I had to disable the auto-escaping feature of Blade, so my welcome.blade.php simply contained {!! $html !!}.

Laravel issue with nesting subview in controller

I am trying to nest the sub-view in the controller like
$rootElement = $this->getStyles();
$styles = Styles::user()->where('parent_id', 0)->get();

return view("settings.style", compact("menu", "rootElement"))
    ->nest('styleModal', 'settings.add-style-modal', compact("rootElement"));
When displaying styleModal in the view like
{{ $styleModal }}
it prints the HTML as text.
Anything which I am missing?
Use {!! $styleModal !!} instead of {{ $styleModal }}.
Documentation.

Load data in view in Laravel

I have a simple controller function that fetches all records from the DB, but when I try to show all these records it shows nothing. In fact, it shows me the hard-coded foreach loop like this:
@foreach ($compactData as $value) {{ $value->Name }} @endforeach
This is my controller function:
public function showallProducts()
{
    $productstock = Product::all()->stocks;
    $productoldprice = Product::all()->OldPrices;
    $productcurrentprice = Product::all()->CurrentPrice;
    $compactData = array('productstock', 'productoldprice', 'productcurrentprice');

    return view('welcome', compact($compactData));
}
This is my view:
<!doctype html>
<html lang="{{ app()->getLocale() }}">
<head>
</head>
<body>
    <div class="flex-center position-ref full-height">
        <div class="content">
            <div class="title m-b-md">
                Laravel
            </div>
            <div class="title m-b-md">
                All products
            </div>
            <table>
                <tbody>
                @foreach ($compactData as $value)
                    {{ $value->Name }}
                @endforeach
                </tbody>
            </table>
        </div>
    </div>
</body>
Why is it behaving like this? Any solution? I am using PhpStorm version 17. Is there any setting issue to run the project, because whatever project I run, it gives me only the page which I ran, with only HTML?
My route is:
Route::get('/', function () {
    $action = 'showallProducts';

    return App::make('ProductController')->$action();
});
Have you checked your $compactData variable? Please dd($compactData) to see what it contains.
Problem 1
You are accessing a relational property as a property of an Eloquent collection, like this:
Product::all()->stocks
which is not correct, because the Collection object doesn't have the property stocks, but the Product object might have a stocks property. Please read the Laravel documentation about Collection.
Problem 2
$compactData = array('productstock', 'productoldprice', 'productcurrentprice');
This line creates an array of 4 strings, plain strings, not variables. So your $compactData contains an array of 4 strings. If you want to have a variable with an associative array then you need to do the following:
$compactData = compact('productstock', 'productoldprice', 'productcurrentprice');
Problem 3
return view('welcome', compact($compactData));
Here you are trying to pass $compactData to the welcome view, but unfortunately the compact() function doesn't accept a variable, only the string name of that variable, as I have written in Problem 2. So it should be:
return view('welcome', compact('compactData'));
Problem 4
Finally, in the Blade template you are accessing each element of the $compactData variable and printing them as strings, while they might be objects.
You most likely have a problem with your web server.
Try to use Laravel Valet as a development environment.
Edit: I found this: Valet for Windows
I think you didn't put blade in the name of the view file it is saved as. So change the name of the file it is saved as to something like:
filename.blade.php
and try again.
Explanation:
@foreach ($compactData as $value) is the syntax of the Blade template engine, and to parse and execute it, you have to include the blade extension in the file name.

How to convert data from the database to HTML tags? [duplicate]

I have a string returned to one of my views, like this:
$text = '<p><strong>Lorem</strong> ipsum dolor <img src="images/test.jpg"></p>';
I'm trying to display it with Blade:
{{$text}}
However, the output is a raw string instead of rendered HTML. How do I display HTML with Blade in Laravel?
PS. PHP echo() displays the HTML correctly.
You need to use
{!! $text !!}
The string will auto escape when using {{ $text }}.
For Laravel 5:
{!! html_entity_decode($text) !!}
Figured out through this link, see RachidLaasri's answer.
You can try this:
{!! $text !!}
You should have a look at: http://laravel.com/docs/5.0/upgrade#upgrade-5.0
Please use
{!! $test !!}
Only in the case of HTML, while if you want to render data, strings etc. use
{{ $test }}
This is because when your Blade file is compiled,
{{ $test }} is converted to <?php echo e($test) ?>
while
{!! $test !!} is converted to <?php echo $test ?>
There is another way. If the object's purpose is to render HTML you can implement the \Illuminate\Contracts\Support\Htmlable contract, which has a toHtml() method.
Then you can render that object from Blade like this: {{ $someObject }} (note, no need for the {!! !!} syntax).
Also, if you want to return an HTML property and you know it will be HTML, use the \Illuminate\Support\HtmlString class like this:
public function getProductDescription()
{
    return new HtmlString($this->description);
}
and then use it like {{ $product->getProductDescription() }}.
Of course, be responsible when directly rendering raw HTML on a page.
When your data contains HTML tags then use
{!! $text !!}
When your data doesn't contain HTML tags then use
{{ $text }}
Try this. It worked for me.
{{ html_entity_decode($text) }}
In a Laravel Blade template, {{ }} will escape HTML. If you want to display HTML from the controller in the view, decode the HTML from the string.
You can do that in three ways. First, use an if condition like below:
{!! $text !!}
The second way:
<td class="nowrap">
    @if ($order->status == '0')
        <button class="btn btn-danger">Inactive</button>
    @else
        <button class="btn btn-success">Active</button>
    @endif
</td>
The third, and proper, way is to use a ternary operator in Blade:
<td class="nowrap">
    {!! $order->status == '0'
        ? '<button class="btn btn-danger">Inactive</button>'
        : '<button class="btn btn-success">Active</button>' !!}
</td>
I hope the third way is perfect for using a ternary operator in Blade.
You can do it in many ways in Laravel 5:
{!! $text !!}
{!! html_entity_decode($text) !!}
Use {!! $text !!} to display data without escaping it. Just be sure that you don't do this with data that came from the user and has not been cleaned.
To add further explanation, code inside Blade {{ }} statements is automatically passed through the htmlspecialchars() function that PHP provides. This function takes in a string and finds all reserved characters that HTML uses. The reserved characters are & < > and ". It then replaces these reserved characters with their HTML entity variants, which are the following:
| Character | Entity |
|-----------|--------|
| &         | &amp;  |
| <         | &lt;   |
| >         | &gt;   |
| "         | &quot; |
For example, assume we have the following PHP statement:
$hello = "<b>Hello</b>";
Passed into Blade as {{ $hello }} it would yield the literal string you passed:
<b>Hello</b>
Under the hood, it would actually echo as &lt;b&gt;Hello&lt;/b&gt;
If we wanted to bypass this and actually render it as a bold tag, we skip the htmlspecialchars() function by using the unescaped syntax Blade provides:
{!! $hello !!}
Note that we only use one curly brace.
The output of the above would yield:
Hello
We could also utilise another handy function that PHP provides, which is the html_entity_decode() function. This converts HTML entities to their respective HTML characters. Think of it as the reverse of htmlspecialchars().
For example, say we have the following PHP statement:
$hello = "&lt;b&gt; Hello &lt;/b&gt;";
We could now add this function to our unescaped Blade statement:
{!! html_entity_decode($hello) !!}
This will take the HTML entity &lt; and parse it as the HTML character <, not just a string.
The same applies to the greater-than entity &gt;
which would yield
Hello
The whole point of escaping in the first place is to avoid XSS attacks. So be very careful when using the unescaped syntax, especially if users in your application are providing the HTML themselves, as they could inject their own code as they please.
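As an added example that is not code from this thread or from Laravel, the script below models the compiled output quoted earlier ({{ }} becomes echo e($x), {!! !!} echoes raw), the Htmlable/HtmlString route, and the double-escaping accessor case from the first question. Htmlable, SafeHtml, e_like() and sanitizeCmsHtml() are stand-ins defined here for illustration (assumptions), not Laravel's own e(), HtmlString or any Laravel API.

```php
<?php
// Added example, not from the thread: models what Blade does with
// {{ }} (compiles to echo e($x)) versus {!! !!} (echoes raw), plus the
// HtmlString/Htmlable route and the double-escaping accessor case.
// Htmlable, SafeHtml, e_like() and sanitizeCmsHtml() are stand-ins
// defined here (assumptions), not Laravel's own classes or helpers.

interface Htmlable { public function toHtml(): string; }

// Stand-in for Illuminate\Support\HtmlString: marks HTML the app has vetted.
final class SafeHtml implements Htmlable
{
    public function __construct(private string $html) {}
    public function toHtml(): string { return $this->html; }
}

// Stand-in for e(): Htmlable objects pass through untouched, everything
// else goes through htmlspecialchars with ENT_QUOTES so attribute values
// are covered. $doubleEncode decides whether an existing &amp; is escaped again.
function e_like(mixed $value, bool $doubleEncode = true): string
{
    if ($value instanceof Htmlable) {
        return $value->toHtml();
    }
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', $doubleEncode);
}

// Minimal allow-list cleanup for stored CMS content before it is wrapped in
// SafeHtml. strip_tags removes tags but not the text between them, and keeps
// attributes, so inline event handlers and javascript: URLs are dropped too.
function sanitizeCmsHtml(string $html): string
{
    $clean = strip_tags($html, '<p><strong><em><b><i><ul><ol><li><a><br>');
    $clean = preg_replace('/\s+on\w+\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)/i', '', $clean);
    return preg_replace('/href\s*=\s*(["\']?)\s*javascript:[^"\'>\s]*\1/i', 'href="#"', $clean);
}

// Constructed sample of what could be sitting in a page_desc column.
$stored = '<p>Hello <strong>world</strong></p><script>alert("x")</script>'
    . '<a href="javascript:alert(1)" onclick="alert(2)">link</a>';

echo "{{ \$text }}              : " . e_like($stored) . "\n";
echo "{!! \$text !!}            : " . $stored . "\n";
// html_entity_decode inside {{ }} changes nothing here: e() re-escapes the result.
echo "{{ html_entity_decode() }}: " . e_like(html_entity_decode($stored)) . "\n";
echo "{{ SafeHtml(sanitised) }} : " . e_like(new SafeHtml(sanitizeCmsHtml($stored))) . "\n";

// An accessor that already ran htmlspecialchars, then {{ }} on top: the
// reader sees literal tags, and with double encoding even the entities
// are escaped again (&amp;lt;b&amp;gt;...).
$accessor = htmlspecialchars('<b>Hi</b>');
echo "accessor + {{ }}          : " . e_like($accessor) . "\n";
echo "same, double_encode=false : " . e_like($accessor, false) . "\n";
```

Run it with php on the command line; the allow-list cleanup is only illustrative, and stored HTML in a real application should go through a dedicated sanitiser such as HTMLPurifier before it is wrapped as safe.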
This works fine for Laravel 5.6:
<?php echo "$text"; ?>
In a different way:
{!! $text !!}
It will not render HTML code and prints it as a string.
For more details open the link: Display HTML with Blade
By default, Blade {{ }} statements are automatically sent through PHP's htmlspecialchars function to prevent XSS attacks. If you do not want your data to be escaped, you may use the following syntax:
According to the docs, you must do the following to render your HTML in your Blade files:
{!! $text !!}
Be very careful when echoing content that is supplied by users of your application. You should typically use the escaped, double curly brace syntax to prevent XSS attacks when displaying user supplied data.
If you want to escape the data, use
{{ $html }}
If you don't want to escape the data, use
{!! $html !!}
But up to Laravel 4 you can use
{{ HTML::link('/auth/logout', 'Sign Out', array('class' => 'btn btn-default btn-flat')) }}
When it comes to Laravel 5:
{!! HTML::link('/auth/logout', 'Sign Out', array('class' => 'btn btn-default btn-flat')) !!}
You can also do this with the PHP function
{{ html_entity_decode($data) }}
Go through the PHP documentation for the parameters of this function:
html_entity_decode - php.net
Try this, it worked:
@php
    echo $text;
@endphp
For those using TinyMCE and markup within a textarea:
{{ htmlspecialchars($text) }}
In the controller:
$your_variable = '';
$your_variable .= '<p>Hello world</p>';

return view('viewname')->with('your_variable', $your_variable);
If you do not want your data to be escaped, you may use the following syntax:
{!! $your_variable !!}
Output:
Hello world
{!! !!} is not safe.
Read here: https://laravel.com/docs/5.6/blade#displaying-data
You can try:
@php
    echo $variable;
@endphp
If you use the Bootstrap Collapse class, sometimes {!! $text !!}
did not work for me, but {{ html_entity_decode($text) }} did.
I have been there and it was my fault, and a very stupid one.
If you forget the .blade extension in the file name, that file doesn't understand Blade but runs PHP code. You should use
/resources/views/filename.blade.php
instead of
/resources/views/filename.php
Hope this helps someone.
