Gujarat Santana - 1 year ago
PHP Question

Using double curly brace in Laravel Collective

I'm trying to create a form that creates users like this, and this form will also be used for displaying data using Form Model Binding:

{{ Form::open(['url' => 'admin/users/create']) }}
<div class="form-group">
    {{ Form::label('first_name', 'First Name : ') }}
    {{ Form::text('first_name', null, ['class' => 'form-control']) }}
</div>
<div class="form-group">
    {{ Form::label('last_name', 'Last Name : ') }}
    {{ Form::text('last_name', null, ['class' => 'form-control']) }}
</div>
{{ Form::close() }}

However, it shows the code, not the actual view, so I see this code in my browser:

<form method="POST" action="http://localhost:8000/admin/users/create" accept-charset="UTF-8">
<input name="_token" type="hidden" value="X5MA46MJctYOYeMtZF1RoQKYmWDtAbsSoxwoOA8Y">
<label for="first_name">First Name : </label>
<input class="form-control" name="first_name" type="text" id="first_name">
<label for="last_name">Last Name : </label>
<input class="form-control" name="last_name" type="text" id="last_name">

But when I try using
{!! !!}
as the opening and closing brackets, the code works and shows the actual view.

I still don't understand why I can't use
{{ }}
as my brackets with laravel-collective, and I'm kind of afraid of an XSS attack, just like the Laravel documentation says in the section Displaying Unescaped Data:

Note: Be very careful when echoing content that is supplied by users
of your application. Always use the double curly brace syntax to
escape any HTML entities in the content.

Any helpful explanation on this? Thank you.

NOTE: I'm using Laravel version 5.1.40 (LTS)

Answer Source

Because {{ }} is used to escape HTML entities, to prevent XSS attacks when input from your server/database is displayed.

So if someone had inserted malicious code in your database, it would not be executable for a user and would instead just be printed on the screen, like so:

$dbValue = "<script> Some evil code </script>";

{{ $dbValue }}

It'll output this:

<script> Some evil code </script>

And because the Laravel Collective HTML Form is generating HTML for you to display, you have to use {!! !!} to prevent escaping.

{!! "<b>Bold Text</b>" !!}

Then it'll output this:

Bold Text

For generating HTML it's fine, but you have to be careful about values being sent to your server and displayed to a user. There you'll always have to escape your data with {{ }}.
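As an added illustration (not code from the question, the answer, or Laravel itself), the plain-PHP script below re-creates the two Blade echo forms: escapedEcho() does what {{ }} compiles to (the e() helper, htmlentities with ENT_QUOTES) and rawEcho() what {!! !!} does. formText() is a hypothetical stand-in for Form::text() that is assumed, like the Collective builder, to escape the attribute values it embeds; the script shows why the generated <input> must go through {!! !!} while a value from the database still needs {{ }}.

```php
<?php
// Added example, not Laravel's code. Blade compiles {{ $x }} to
// "<?php echo e($x); ?>" and {!! $x !!} to "<?php echo $x; ?>".
// In Laravel 5.1, e() is htmlentities($value, ENT_QUOTES, 'UTF-8', false).

function escapedEcho($value)            // what {{ }} does
{
    return htmlentities((string) $value, ENT_QUOTES, 'UTF-8', false);
}

function rawEcho($value)                // what {!! !!} does
{
    return (string) $value;
}

// Hypothetical stand-in for Form::text(): builds an <input> and, as the
// real builder is assumed to do, escapes every attribute value it embeds.
function formText($name, $value, array $attrs = [])
{
    $all  = array_merge(['name' => $name, 'type' => 'text', 'id' => $name, 'value' => $value], $attrs);
    $html = '<input';
    foreach ($all as $key => $val) {
        if ($val === null) {
            continue;                   // omit value="" when no value is bound
        }
        $html .= ' ' . $key . '="' . escapedEcho($val) . '"';
    }
    return $html . '>';
}

// Case 1: markup produced by the form builder (trusted, already escaped inside).
$widget = formText('first_name', null, ['class' => 'form-control']);
echo escapedEcho($widget), PHP_EOL;     // {{ }}  : &lt;input name=&quot;first_name&quot; ... shown as text (what the asker saw)
echo rawEcho($widget), PHP_EOL;         // {!! !!}: a real <input> element

// Case 2: a value that came from a user or the database (untrusted).
$dbValue = '"><script> Some evil code </script>';          // constructed sample
echo escapedEcho($dbValue), PHP_EOL;    // {{ }}  : &quot;&gt;&lt;script&gt; ... inert text
// rawEcho($dbValue) would hand the browser a live <script> tag: never {!! !!} here.

// Case 3: the untrusted value bound into the builder (Form Model Binding).
// The builder escaped the attribute, so the attribute cannot be broken out of
// and {!! !!} around the widget remains safe.
echo rawEcho(formText('first_name', $dbValue)), PHP_EOL;
// <input name="first_name" type="text" id="first_name" value="&quot;&gt;&lt;script&gt; Some evil code &lt;/script&gt;">
```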