
php – Is this Blade sanitation working correctly (double vs triple curly braces)?

Posted by: admin July 12, 2020

Questions:

I apologize that this is most likely a misunderstanding of my own, rather than there being an actual problem. I’m fairly new to Laravel and Blade templating, and I’m trying to output a few fields taken from an Input::get. When I output the fields via double and triple curly braces, however, there doesn’t seem to be a difference between the output.

Here is an excerpt of my View:

@ $data = Input::only('name', 'date');

{{ "Unfiltered input: ".$data['name'] }}

<br />

{{{ "Filtered input: ".$data['name'] }}}

But when I provide an input with special characters or code and I view the source of the rendered page, I see the same, unfiltered input rendered for both.

As per the Laravel documentation, I want to strictly use the {{{ }}} when outputting to a View, but I don’t see it actually being “escaped or purified”. I haven’t quite gotten to setting up the Validation, which is where I believe the main brunt of the security and sanitation is, correct? But just focusing on this for now, am I misunderstanding what the triple curly braces are supposed to do? Or are they doing their job behind the scenes and I’m just not seeing it in the end result? Is there something else I should be doing (in addition to setting up the Validation layer) when outputting user-input like this?

Answers:

Laravel 4

The only difference between the double and triple curly braces is that the triple curly braces runs the value through the e() helper function, which is just a shortcut to the PHP htmlentities function.

{{ "Unfiltered input: ".$data['name'] }}
{{{ "Filtered input: ".$data['name'] }}}

is compiled into:

<?php echo "Unfiltered input: ".$data['name']; ?>
<?php echo e("Filtered input: ".$data['name']); ?>

But, all of this happens on output. It doesn’t have anything to do with sanitizing input.

Laravel 5

In Laravel 5, the Blade syntax was changed so that double curly braces ({{ }}) will escape the output, and a new curly brace double exclamation syntax ({!! !!}) will not escape the output.

So,

{{ "Filtered input: ".$data['name'] }}
{!! "Unfiltered input: ".$data['name'] !!}

is compiled into:

<?php echo e("Filtered input: ".$data['name']); ?>
<?php echo "Unfiltered input: ".$data['name']; ?>
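
The following is an added example, not code from the original question, the answer above, or the Laravel framework itself. It reproduces in plain PHP what the answer describes: the raw form echoes the expression as-is, while the escaped form passes it through an e() helper built on htmlentities(). The function names renderRaw/renderEscaped and the sample input are constructed for illustration; the e() body mirrors the answer's description of the Laravel 4 helper (htmlentities with ENT_QUOTES, UTF-8, no double-encoding) and is an assumption about its exact arguments.

```php
<?php
// Added example: models what Blade's compiled output does with
// {{ }} vs {{{ }}} (Laravel 4) or {!! !!} vs {{ }} (Laravel 5).
// Not Laravel's own code; helper names and sample input are constructed.
declare(strict_types=1);

// Modelled on the Laravel 4 e() helper as the answer describes it:
// htmlentities with ENT_QUOTES (so both ' and " are encoded), UTF-8,
// and double_encode = false so existing entities are left alone.
function e(string $value): string
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8', false);
}

// What the compiler emits for the raw directive: the value goes
// straight into the HTML, so any markup in it is parsed by the browser.
function renderRaw(string $label, string $value): string
{
    return $label . $value;
}

// What the compiler emits for the escaped directive: the whole
// expression result is passed through e() before being echoed.
function renderEscaped(string $label, string $value): string
{
    return e($label . $value);
}

// Constructed sample input: a form value carrying every character
// that HTML output escaping has to neutralise (&, ", <, >).
$name = 'Tom & "Jerry" <b>Inc</b>';

// Raw output keeps the <b> tag as markup; escaped output turns
// &, ", < and > into entities so the browser shows them as text.
echo renderRaw('Unfiltered input: ', $name), PHP_EOL;
echo renderEscaped('Filtered input: ', $name), PHP_EOL;

// Because double_encode is false, escaping an already-escaped value
// does not mangle &amp; into &amp;amp; - the helper is idempotent.
var_dump(e(e($name)) === e($name));

// Escaping happens only on the way out. The variable itself is
// untouched, which is the answer's point: this is output encoding,
// not input sanitation or validation.
var_dump($name === 'Tom & "Jerry" <b>Inc</b>');
```

Run it with php on the command line and view the two echoed lines: the first contains literal HTML, the second contains only entities. Both var_dump calls print bool(true), which shows that escaping is safe to apply repeatedly and that it never changes the stored value, so input validation remains a separate concern.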

Answer:

In addition to the accepted answer it is worth mentioning that as of Laravel 5 {{ }} works the same as {{{ }}}.

https://laravel.com/docs/5.2/upgrade#upgrade-5.0

Direct Quotation:

For better security by default, Laravel 5.0 escapes all output from both the {{ }} and {{{ }}} Blade directives. A new {!! !!} directive has been introduced to display raw, unescaped output. The most secure option when upgrading your application is to only use the new {!! !!} directive when you are certain that it is safe to display raw output.

However, if you must use the old Blade syntax, add the following lines at the bottom of AppServiceProvider@register:

\Blade::setRawTags('{{', '}}');
\Blade::setContentTags('{{{', '}}}');
\Blade::setEscapedContentTags('{{{', '}}}');

This should not be done lightly, and may make your application more vulnerable to XSS exploits. Also, comments with {{-- will no longer work.