Displaying HTML with Blade shows the HTML code

R

21

426

I have a string returned to one of my views, like this:

$text = '<p><strong>Lorem</strong> ipsum dolor <img src="images/test.jpg"></p>'

I'm trying to display it with Blade:

{{$text}}

However, the output is a raw string instead of rendered HTML. How do I display HTML with Blade in Laravel?

PS. PHP echo() displays the HTML correctly.

Roswell answered 25/3, 2015 at 11:8 Comment(4)

{!! nl2br($post->description) !!} works for me if I have only spaces and br. – Everyday 2/9, 2019 at 13:53

The alternative I just provided is better than using {!! !!}, this is not very secure with third party html – Mother 29/9, 2020 at 11:5

For Laravel 8 working: {!! html_entity_decode($content_from_db) !!} – Everyday 9/12, 2021 at 10:14

@MuhammadShahzad answer works well. Tested on Laravel 9 after searching for a solution for a while. Thank you. – Wendish 17/11, 2022 at 7:37

P

958

You need to use

{!! $text !!}

The string will auto escape when using {{ $text }}.

Peggi answered 25/3, 2015 at 11:9 Comment(7)

Here are the Laravel docs that mention this: "If you do not want your data to be escaped, you may use the following syntax: Hello, {!! $name !!}." laravel.com/docs/5.5/blade#displaying-data – Pham 31/10, 2017 at 22:8

I am also wondering about what @Pham mentioned. Is this not a security issue? – Churning 27/4, 2018 at 14:14

@Churning It quite likely is a security issue if $text contains user input and you did not escape this properly. For example, $text = 'Hello '.$_GET['name'].''; is dangerous because $_GET['name'] could include HTML, which would allow XSS. You could do $text = 'Hello '.htmlentities($_GET['name']).''; and would be safe. – Lipoprotein 14/5, 2018 at 9:28

this dose not do the whole trick! if I had something like <meta cc="grâce à"> and I wanna show it in blade, It will look like this <meta cc="grâce à">. So the answer for me is @Praveen_Dabral 's – Tatter 15/8, 2018 at 10:21

This prints out the content 3 times (duplicate), any idea? – Bilbrey 16/8, 2020 at 13:16

This little things are golden knowledge!! – Pimbley 17/9, 2020 at 0:25

Because it's neither pointed out in this answer nor the comments: Apply caution to this syntax and do not use it as your default way to output content in templates! The exclamation marks are intentionally chosen to draw attention to the fact that you could become susceptible to XSS attacks - especially when you output any strings provided by users (even when you don't expect them to contain markup) – Brenan 11/10, 2021 at 11:3

M

84

For laravel 5

{!!html_entity_decode($text)!!}

Figured out through this link, see RachidLaasri answer

Mornings answered 25/9, 2015 at 10:42 Comment(2)

Thanks..its working..{!! html_entity_decode($data) !!} – Dearborn 6/4, 2017 at 7:29

This provides exactly the same result as the accepted answer, for the data given in the question. The only case where it would behave differently is if there were HTML entities in $text. – Loquat 2/6, 2021 at 20:19

L

54

You can try this:

{!! $text !!}

You should have a look at: http://laravel.com/docs/5.0/upgrade#upgrade-5.0

Lambaste answered 25/3, 2015 at 11:12 Comment(0)

P

34

Please use

{!! $test !!}

Only in case of HTML while if you want to render data, sting etc. use

{{ $test }}

This is because when your blade file is compiled

{{ $test }} is converted to <?php echo e($test) ?> while

{!! $test !!} is converted to <?php echo $test ?>

Pascal answered 2/3, 2017 at 6:38 Comment(0)

U

26

There is another way. If object purpose is to render html you can implement \Illuminate\Contracts\Support\Htmlable contract that has toHtml() method.

Then you can render that object from blade like this: {{ $someObject }} (note, no need for {!! !!} syntax).

Also if you want to return html property and you know it will be html, use \Illuminate\Support\HtmlString class like this:

public function getProductDescription()
{
    return new HtmlString($this->description);
}

and then use it like {{ $product->getProductDescription() }}.

Of course be responsible when directly rendering raw html on page.

Ulane answered 1/4, 2017 at 12:52 Comment(1)

Returning HTML from a Form field Macro, this is exactly the right solution. Return the HTML string from the function, using this method, and call the Macro within your Blade template. +1 – Rothman 3/3, 2023 at 13:34

W

25

When your data contains HTML tags then use

{!! $text !!}

When your data doesn't contain HTML tags then use

{{ $text }}

Weirdo answered 21/10, 2021 at 8:7 Comment(0)

U

14

Try this. It worked for me.

{{ html_entity_decode($text) }}

In Laravel Blade template, {{ }} wil escape html. If you want to display html from controller in view, decode html from string.

Urien answered 5/12, 2015 at 13:13 Comment(1)

this is not right is above answers it could be done in your way it just confusing the porgrammer – Fye 31/5, 2018 at 9:21

P

10

You can do that using three ways first use if condition like below

{!! $text !!}

The is Second way

<td class="nowrap">
@if( $order->status == '0' )
    <button class="btn btn-danger">Inactive</button>
@else
    <button class="btn btn-success">Active</button>
@endif
</td>

The third and proper way for use ternary operator on blade

<td class="nowrap">
      {!! $order->status=='0' ? 
          '<button class="btn btn-danger">Inactive</button> : 
          '<button class="btn btn-success">Active</button> !!}
</td>

I hope the third way is perfect for used ternary operator on blade.

Premaxilla answered 24/10, 2018 at 11:23 Comment(0)

I

10

you can do with many ways in laravel 5..

{!! $text !!}

{!! html_entity_decode($text) !!}

Impugn answered 28/12, 2018 at 20:17 Comment(1)

if you store encoded tags (hello world.) in db above code works...Thanks!!! – Bashuk 16/1, 2019 at 1:14

C

9

To add further explanation, code inside Blade {{ }} statements are automatically passed through the htmlspecialchars() function that php provides. This function takes in a string and will find all reserved characters that HTML uses. Reserved characters are & < > and ". It will then replace these reserved characters with their HTML entity variant. Which are the following:

|---------------------|------------------|
|      Character      |       Entity     |
|---------------------|------------------|
|          &          |       &amp;      |
|---------------------|------------------|
|          <          |       &lt;       |
|---------------------|------------------|
|          >          |       &gt;       |
|---------------------|------------------|
|          "          |       &quot;     |
|---------------------|------------------|

For example, assume we have the following php statement:

$hello = "<b>Hello</b>";

Passed into blade as {{ $hello }} would yield the literal string you passed:

<b>Hello</b>

Under the hood, it would actually echo as Hello<b&gt

If we wanted to bypass this and actually render it as a bold tag, we escape the htmlspecialchars() function by adding the escape syntax blade provides:

{!! $hello !!}

Note that we only use one curly brace.

The output of the above would yield:

Hello

We could also utilise another handy function that php provides, which is the html_entity_decode() function. This will convert HTML entities to their respected HTML characters. Think of it as the reverse of htmlspecialchars()

For example say we have the following php statement:

$hello = "&lt;b&gt; Hello &lt;b&gt;";

We could now add this function to our escaped blade statement:

{!! html_entity_decode($hello) !!}

This will take the HTML entity < and parse it as HTML code <, not just a string.

The same will apply with the greater than entity >

which would yield

Hello

The whole point of escaping in the first place is to avoid XSS attacks. So be very careful when using escape syntax, especially if users in your application are providing the HTML themselves, they could inject their own code as they please.

Copepod answered 25/4, 2020 at 1:19 Comment(0)

T

7

Use {!! $text !!}to display data without escaping it. Just be sure that you don’t do this with data that came from the user and has not been cleaned.

Tomsk answered 28/3, 2018 at 6:43 Comment(0)

I

7

By default, Blade {{ }} statements are automatically sent through PHP's htmlspecialchars function to prevent XSS attacks. If you do not want your data to be escaped, you may use the following syntax:

According to the doc, you must do the following to render your html in your Blade files:

{!! $text !!}

Be very careful when echoing content that is supplied by users of your application. You should typically use the escaped, double curly brace syntax to prevent XSS attacks when displaying user supplied data.

Insidious answered 12/2, 2021 at 18:56 Comment(0)

D

6

This works fine for Laravel 5.6

<?php echo "$text"; ?>

In a different way

{!! $text !!}

It will not render HTML code and print as a string.

For more details open link:- Display HTML with Blade

Deservedly answered 29/3, 2018 at 8:20 Comment(0)

M

5

If you want to escape the data use

{{ $html }}

If don't want to escape the data use

{!! $html !!}

But till Laravel-4 you can use

{{ HTML::link('/auth/logout', 'Sign Out', array('class' => 'btn btn-default btn-flat')) }}

When comes to Laravel-5

{!! HTML::link('/auth/logout', 'Sign Out', array('class' => 'btn btn-default btn-flat')) !!}

You can also do this with the PHP function

{{ html_entity_decode($data) }}

go through the PHP document for the parameters of this function

html_entity_decode - php.net

Misapprehend answered 19/4, 2017 at 10:14 Comment(0)

M

1

Try this, It's worked:

@php 
   echo $text; 
@endphp

Magnetism answered 23/1, 2019 at 12:11 Comment(0)

A

0

For who using tinymce and markup within textarea:

{{ htmlspecialchars($text) }}

Alternator answered 28/6, 2018 at 8:14 Comment(0)

E

0

If you use the Bootstrap Collapse class sometimes {!! $text !!} is not worked for me but {{ html_entity_decode($text) }} is worked for me.

Ecumenicalism answered 17/12, 2019 at 6:14 Comment(0)

W

0

On controller.

$your_variable = '';
$your_variable .= '<p>Hello world</p>';

return view('viewname')->with('your_variable', $your_variable)

If you do not want your data to be escaped, you may use the following syntax:

{!! $your_variable !!}

Output

Hello world

Wrought answered 14/7, 2020 at 7:51 Comment(0)

A

0

{!! !!} is not safe.

Read here: https://laravel.com/docs/5.6/blade#displaying-data

You can try:

    @php 
     echo $variable; 
    @endphp

Amphidiploid answered 15/12, 2021 at 8:47 Comment(1)

Is the same "not safe" echo and {!! use it with care – Heda 21/1, 2022 at 14:9

U

0

single brackets worked for me. double brackets showed single brackets on the page. i used

{! $text !}

Uncharted answered 19/1 at 23:46 Comment(0)

L

-2

I have been there and it was my fault. And very stupid one.

if you forget .blade extension in the file name, that file doesn't understand blade but runs php code. You should use

/resources/views/filename.blade.php

instead of

/resources/views/filename.php

hope this helps some one

Lubeck answered 11/9, 2018 at 8:18 Comment(0)

Recommended topics

Hot tags