[php] Laravel Escaping All HTML in Blade Template

I'm building a small CMS in Laravel and I tried to show the content (which is stored in the DB). It is showing the HTML tags instead of executing them. It's like there is an auto html_entity_decode for all printed data.

<?php

class CmsController extends BaseController
{
    public function Content($name)
    {    
        $data = Pages::where('CID', '=', Config::get('company.CID'))
            ->where('page_name', '=', $name)
            ->first();

        return View::make('cms.page')->with('content', $data);
    }
}

I tried to print the content using the curly brace.

{{ $content->page_desc }}

and triple curly brace.

{{{ $content->page_desc }}}

And they give the same result. I need to execute those HTML tags instead of escaping them.

This question is related to php laravel laravel-4 laravel-blade

The answer is


Include the content in {! <content> !}.


There is no problem with displaying HTML code in blade templates.

For test, you can add to routes.php only one route:

Route::get('/', function () {

        $data = new stdClass();
        $data->page_desc
            = '<strong>aaa</strong><em>bbb</em>
               <p>New paragaph</p><script>alert("Hello");</script>';

        return View::make('hello')->with('content', $data);
    }
);

and in hello.blade.php file:

<!doctype html>
<html lang="en">
<head>
    <meta charset="UTF-8">
</head>
<body>

{{ $content->page_desc }}

</body>
</html>

For the following code you will get output as on image

[Image: Output]

So probably page_desc in your case is not what you expect. But as you see, it can be potentially dangerous if someone uses, for example, a <script> tag, so you should probably filter some tags in your route before assigning the data to the Blade template.

EDIT

I've also tested it with putting the same code into database:

Route::get('/', function () {

        $data = User::where('id','=',1)->first();

        return View::make('hello')->with('content', $data);
    }
);

Output is exactly the same in this case.

Edit2

I also don't know if Pages is your model or it's a vendor model. For example it can have accessor inside:

public function getPageDescAttribute($value)
{
    return htmlspecialchars($value);
}

and then when you get the page_desc attribute you will get a modified page_desc with htmlspecialchars applied. So if you are sure that the data in the database is raw HTML (not escaped), you should look at this Pages class.
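
The tag filtering this answer recommends before stored HTML is printed unescaped, as an added example that is not part of the original answer: an allowlist filter built on PHP's DOM extension. `sanitize_page_html()`, `clean_children()` and the two tag lists are hypothetical names, and the allowlist itself is an assumption to adapt to the CMS.

```php
<?php
// Added example, not from the original answers. Function names and tag lists
// are hypothetical; only PHP's bundled DOM/libxml extension is used.
const ALLOWED_TAGS = ['p', 'strong', 'em', 'ul', 'ol', 'li', 'br'];
const DROPPED_TAGS = ['script', 'style', 'iframe', 'object', 'embed'];

function clean_children(DOMNode $parent): void
{
    // Snapshot the child list first: the loop mutates the live NodeList.
    foreach (iterator_to_array($parent->childNodes) as $node) {
        if ($node instanceof DOMText) { continue; }     // plain text is kept
        $tag = $node instanceof DOMElement ? strtolower($node->tagName) : null;
        if ($tag === null || in_array($tag, DROPPED_TAGS, true)) {
            $parent->removeChild($node);                // comments, <script> and its body
            continue;
        }
        clean_children($node);                          // clean descendants first
        if (in_array($tag, ALLOWED_TAGS, true)) {
            while ($node->attributes->length > 0) {     // drops onclick, style, href, ...
                $node->removeAttributeNode($node->attributes->item(0));
            }
        } else {
            while ($node->firstChild) {                 // unwrap: keep content, lose the tag
                $parent->insertBefore($node->firstChild, $node);
            }
            $parent->removeChild($node);
        }
    }
}

function sanitize_page_html(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);                   // tolerate sloppy stored markup
    $doc->loadHTML('<?xml encoding="UTF-8"><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) { return ''; }
    clean_children($body);
    // Serialize only the children of <body>, so no wrapper markup is emitted.
    return implode('', array_map([$doc, 'saveHTML'], iterator_to_array($body->childNodes)));
}

// Constructed input: the markup from the test route above plus an event handler.
$stored = '<strong onclick="alert(1)">aaa</strong><em>bbb</em>'
        . '<p>New paragraph</p><script>alert("Hello");</script>';
echo sanitize_page_html($stored), PHP_EOL;
```

The filter keeps the formatting tags, strips every attribute, and removes the script element together with its body; its return value is what would be passed to the view for unescaped output.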


Use this tag: {!! description text !!}


I had the same issue. Thanks for the answers above, I solved my issue. If there are people facing the same problem, here are two ways to solve it:

  • You can use {!! $news->body !!}
  • You can use the traditional PHP opening tag (it is not recommended) like: <?php echo $string ?>

I hope it helps.


Change your syntax from {{ }} to {!! !!}.

As The Alpha said in a comment above (not an answer so I thought I'd post), in Laravel 5, the {{ }} (previously non-escaped output syntax) has changed to {!! !!}. Replace {{ }} with {!! !!} and it should work.


{{html_entity_decode ($post->content())}} solved the issue for me with Laravel 4.0. Now my HTML content is interpreted as it should.

