Laravel Escaping All HTML in Blade Template
D

7

82

I'm building a small CMS in Laravel and I tried to show the content (which is stored in the DB). It is showing the HTML tags instead of executing them. It's like there is an auto html_entity_decode for all printed data.

<?php

class CmsController extends BaseController
{
    // Look up the CMS page for the current company by name and hand it to the view.
    public function Content($name)
    {
        $data = Pages::where('CID', '=', Config::get('company.CID'))
            ->where('page_name', '=', $name)
            ->first();

        return View::make('cms.page')->with('content', $data);
    }
}

I tried to print the content using the curly brace.

{{ $content->page_desc }}

and triple curly brace.

{{{ $content->page_desc }}}

And they give the same result. I need to execute those HTML tags instead of escaping them.

Diva answered 24/9, 2014 at 18:21 Comment(8)
In the latest version (5.0), {{...}} and {{{...}}} both do this. What version do you have exactly?Interim
I'm using version 4.2.Diva
Then I'm not sure why {{...}} gives an escaped result!Interim
In v5, use {!! !!} for normal output (without escaping).Interim
Are they stored as "tags" or already escaped in the DB? Because otherwise I would see it like The Alpha does; this should only be the case in v5 of Laravel.Somerset
This is the first thing I checked before asking my question, and yes, they are stored normally in the SQL table.Diva
@Diva I've modified my answer. Maybe it will help youPadnag
The {!! !!} syntax definitely worked for me in Laravel 5.Scheldt
B
193

Change your syntax from {{ }} to {!! !!}.

As The Alpha said in a comment above (not an answer so I thought I'd post), in Laravel 5, the {{ }} (previously non-escaped output syntax) has changed to {!! !!}. Replace {{ }} with {!! !!} and it should work.

Bedraggle answered 10/4, 2015 at 5:44 Comment(4)
Solved in my case!Estriol
worked like magic. Thanks!! Though I don't know why html_entity_decode didn't work.Yeasty
@IvanTopolcic is there a way to extract the html coming back from an @yield('content') blade directive?Myrwyn
This is documented at laravel.com/docs/8.x/bladeOverexpose
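To make the difference between the three echo syntaxes concrete, here is an added example (not code from the thread or from Laravel) that re-implements, in a few regexes, how Blade rewrites `{{ }}`, `{{{ }}}` and `{!! !!}` into PHP. The names `compileEchos()` and `bladeEscape()` are this example's own; `bladeEscape()` does what Laravel's `e()` helper does, an ENT_QUOTES encoding, and the constructed `$pageDesc` stands in for a CMS record that carries a script.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread or from Laravel: a minimal
// re-implementation of how Blade rewrites its three echo syntaxes into PHP,
// so the escaping difference the answer describes is visible in the compiled
// output. compileEchos() and bladeEscape() are this example's own names;
// bladeEscape() does what Laravel's e() helper does (ENT_QUOTES encoding).

// ENT_QUOTES encodes both ' and ", so the value is also safe inside attribute values.
function bladeEscape(?string $value): string
{
    return htmlspecialchars($value ?? '', ENT_QUOTES, 'UTF-8');
}

// Laravel 5+ semantics: {{ }} and {{{ }}} both escape, {!! !!} prints raw.
// (Laravel 4.x was the other way round for {{ }}: raw, with {{{ }}} escaped.)
function compileEchos(string $template): string
{
    // Raw echo first, so that {!! !!} is never matched as a {{ }} block.
    $template = preg_replace_callback(
        '/\{!!\s*(.+?)\s*!!\}/s',
        fn (array $m): string => '<?php echo ' . $m[1] . '; ?>',
        $template
    );
    // Triple braces before double, or the inner {{ }} would match first.
    $template = preg_replace_callback(
        '/\{\{\{\s*(.+?)\s*\}\}\}/s',
        fn (array $m): string => '<?php echo bladeEscape(' . $m[1] . '); ?>',
        $template
    );
    $template = preg_replace_callback(
        '/\{\{\s*(.+?)\s*\}\}/s',
        fn (array $m): string => '<?php echo bladeEscape(' . $m[1] . '); ?>',
        $template
    );
    return $template;
}

// Constructed CMS record: a page body that contains markup and a script.
$pageDesc = '<p>Welcome</p><script>alert("stored xss")</script>';

$echos = ['{{ $content->page_desc }}', '{{{ $content->page_desc }}}', '{!! $content->page_desc !!}'];
foreach ($echos as $echo) {
    echo $echo, '  compiles to  ', compileEchos($echo), PHP_EOL;
}

echo PHP_EOL, 'escaped: ', bladeEscape($pageDesc), PHP_EOL;   // tags come out as &lt;p&gt;... text
echo 'raw:     ', $pageDesc, PHP_EOL;                           // a browser would run the script
```

The point of running it is the last two lines: whatever sits in `page_desc` is printed verbatim by `{!! !!}`, so switching to that syntax is only safe when the stored HTML is trusted or has been filtered before it is saved.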
T
19

use this tag {!! description text !!}

Tremble answered 27/2, 2016 at 20:3 Comment(2)
This answer worked for me in Laravel 5.2. In the course of working on the problem, I also discovered that Illuminate/Support/helpers.php::529 runs htmlentities() if you don't use this syntax: {!! !!}.Lists
Still works in Laravel 7 ...Illimani
I
9

I had the same issue. Thanks to the answers above, I solved my issue. If there are people facing the same problem, here are two ways to solve it:

  • You can use {!! $news->body !!}
  • You can use the traditional PHP opening (it is not recommended), like: <?php echo $string ?>

I hope it helps.

Impetigo answered 21/6, 2017 at 10:49 Comment(1)
is there a way to extract the html coming back from an @yield('content') blade directive?Myrwyn
S
7

Include the content in {! <content> !}.

Shumaker answered 2/1, 2016 at 14:30 Comment(0)
B
2

There is no problem with displaying HTML code in blade templates.

For test, you can add to routes.php only one route:

Route::get('/', function () {
    $data = new stdClass();
    $data->page_desc = '<strong>aaa</strong><em>bbb</em>
        <p>New paragraph</p><script>alert("Hello");</script>';

    return View::make('hello')->with('content', $data);
});

and in hello.blade.php file:

<!doctype html>
<html lang="en">
<head>
    <meta charset="UTF-8">
</head>
<body>

{{ $content->page_desc }}

</body>
</html>

For the above code you will get the output shown in the screenshot (not reproduced here).

So probably page_desc in your case is not what you expect. But as you see, it can be potentially dangerous if someone uses, for example, a `<script>` tag, so you should probably filter some tags in your route before assigning the content to the blade template.

EDIT

I've also tested it with putting the same code into database:

Route::get('/', function () {
    $data = User::where('id', '=', 1)->first();

    return View::make('hello')->with('content', $data);
});

Output is exactly the same in this case

Edit2

I also don't know if Pages is your model or a vendor model. For example, it could have an accessor inside:

public function getPageDescAttribute($value)
{
    return htmlspecialchars($value);
}

and then when you get the page_desc attribute you will get the modified page_desc with htmlspecialchars applied. So if you are sure that the data in the database is raw HTML (not escaped), you should look at this Pages class.

Bottomry answered 24/9, 2014 at 18:52 Comment(1)
testing now Thank youDiva
L
1

This worked for me in Laravel 10

{!! $blog->description !!}
Lugger answered 21/5, 2023 at 16:22 Comment(1)
Those tags will output what the user entered data saved to the database. This could include anything. Consider passing it through an HTML filter or purifier.Guadiana
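Both Bottomry's "filter some tags" advice and the comment above recommend filtering before printing with {!! !!}. The following is an added example (not code from the thread or from Laravel) of the allow-list approach such a filter takes: parse the untrusted markup, keep only known-safe elements and attributes, and re-serialize. `sanitizeHtml()`, `cleanNode()`, `safeUrl()` and the `ALLOWED_*`/`DROP_WITH_CONTENT` lists are this example's own names, and `$untrusted` is a constructed CMS body. In production a maintained library such as HTMLPurifier (or the mews/purifier wrapper for Laravel) is the better choice; this shows what it has to do.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread or from Laravel: an allow-list
// HTML filter for CMS content that will be printed with {!! !!}.
// sanitizeHtml(), cleanNode(), safeUrl() and the ALLOWED_* lists are this
// example's own names.

const ALLOWED_TAGS = ['p', 'br', 'strong', 'em', 'b', 'i', 'ul', 'ol', 'li',
                      'h1', 'h2', 'h3', 'blockquote', 'a'];
const ALLOWED_ATTRS = ['a' => ['href', 'title']];   // no style, no on* handlers anywhere
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];
// Elements whose text content must go too, not just the wrapper.
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed',
                           'noscript', 'template', 'svg', 'math', 'form'];

function sanitizeHtml(string $html): string
{
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);        // untrusted markup is rarely well-formed
    $doc->loadHTML('<?xml encoding="UTF-8" ?><body>' . $html . '</body>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    cleanNode($body);

    // Serialize only the body's children; libxml re-escapes text nodes on output.
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function cleanNode(DOMNode $node): void
{
    // Copy the list first: removing or moving children while iterating a live list skips nodes.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child instanceof DOMComment) {
            $node->removeChild($child);
            continue;
        }
        if (!$child instanceof DOMElement) {
            continue;                                  // text nodes are safe once re-serialized
        }
        $tag = strtolower($child->tagName);
        if (in_array($tag, DROP_WITH_CONTENT, true)) {
            $node->removeChild($child);
            continue;
        }
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            // Unknown but harmless wrapper (div, span, font ...): keep its cleaned children.
            cleanNode($child);
            while ($child->firstChild !== null) {
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }
        $allowed = ALLOWED_ATTRS[$tag] ?? [];
        foreach (iterator_to_array($child->attributes, false) as $attr) {
            $name = strtolower($attr->name);
            if (!in_array($name, $allowed, true) || ($name === 'href' && !safeUrl($attr->value))) {
                $child->removeAttribute($attr->name);
            }
        }
        cleanNode($child);
    }
}

function safeUrl(string $url): bool
{
    // Browsers ignore control characters and whitespace inside a scheme
    // ("java\tscript:"), so strip them before inspecting it.
    $probe = preg_replace('/[\x00-\x20\x7f]+/', '', $url) ?? '';
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $probe, $m)) {
        return true;                                   // relative URL, no scheme to abuse
    }
    return in_array(strtolower($m[1]), ALLOWED_SCHEMES, true);
}

// Constructed untrusted CMS body, the kind of value the thread prints with {!! !!}.
$untrusted = '<p onclick="steal()">Hello <b>bold</b> <a href="java&#9;script:alert(1)">bad</a> '
    . '<a href="https://example.com" title="ok">good</a></p>'
    . '<script>alert("stored xss")</script><div style="color:red">plain</div><!-- c -->';

echo sanitizeHtml($untrusted), PHP_EOL;
```

Run the filter when the content is saved (so the database only ever holds clean HTML) and keep `{{ }}` for every field that is plain text rather than markup; the raw syntax should be the exception that is reviewed, not the default.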
T
-4

{{ html_entity_decode($post->content()) }} saved the issue for me with Laravel 4.0. Now my HTML content is interpreted as it should be.

Tews answered 11/11, 2014 at 16:20 Comment(2)
Yes, this solution actually works for laravel 4 - maybe someone know better solution for L4?Millican
Since we are using laravel we should use {!! !!} which follows the Laravel syntax.Dulce

© 2022 - 2024 — McMap. All rights reserved.