How to escape output in Laravel blade - BOOKC -->

How to escape output in Laravel blade

Saturday, March 25, 2017


When you use the blade template in laravel, specially laravel version 4, if you use the double curly braces to output something, then you are vulnerable to XSS exploits, you need to escape the output.

The solution is to use triple curly braces, using triple curly braces any output will be escape first, so it is safer than using triple curly braces in laravel 4.

Laravel 4
unescaped (raw) output
<?php 
$message = '<script>alert("hacking double curly braces")</script>';
?>
{{ $message }}

escaped output
<?php 
$message = '<script>alert("hacking double curly braces")</script>';
?>
{{{ $message }}}
Can you see the difference now?


Laravel 5
For laravel 5, you don't need to worry about this, because in laravel 5 all the curly braces are escaped, so in laravel 5 double curly braces is exactly the same as triple curly braces, they all escaped.

But the question is, what if i want to output something raw/unescaped in laravel 5? there is a new directive in laravel 5 for outputing raw/unescaped character, it looks like this:
{!! $message !!}

For better security by default, Laravel 5.0 escapes all output from both the {{ }} and {{{ }}} Blade directives. 
A new {!! !!} directive has been introduced to display raw, unescaped output.
The most secure option when upgrading your application is to only use the new {!! !!} directive
when you are certain that it is safe to display raw output.