
I'm trying to create a form that creates users like this, and this form will also be used for displaying data using Form Model Binding:

{{ Form::open(['url' => 'admin/users/create']) }}

    <div class="form-group">
        {{ Form::label('first_name', 'First Name : ') }}
        {{ Form::text('first_name', null, ['class' => 'form-control']) }}
    </div>

    <div class="form-group">
        {{ Form::label('last_name', 'Last Name : ') }}
        {{ Form::text('last_name', null, ['class' => 'form-control']) }}
    </div>

{{ Form::close() }}

However, it is showing the code, not the actual view, so in my browser I see this code:

<form method="POST" action="http://localhost:8000/admin/users/create" accept-charset="UTF-8">

    <input name="_token" type="hidden" value="X5MA46MJctYOYeMtZF1RoQKYmWDtAbsSoxwoOA8Y">

    <label for="first_name">First Name : </label> 
    <input class="form-control" name="first_name" type="text" id="first_name">

    <label for="last_name">Last Name : </label> 
    <input class="form-control" name="last_name" type="text" id="last_name">

</form>

But when I try using {!! !!} as the open and close brackets, the code works and shows the actual view.

I still don't understand why I can't use {{ }} as my brackets with laravel-collective, and if you look at this project it works fine.

I'm also kind of afraid of XSS attacks, just like the Laravel documentation says in the section Displaying Unescaped Data:

Note: Be very careful when echoing content that is supplied by users of your application. Always use the double curly brace syntax to escape any HTML entities in the content.

Any helpful explanation on this? Thank you.

NOTE: I'm using Laravel Version 5.1.40 (LTS)


1 Answer

Because {{ }} is used for escaping HTML entities, to prevent XSS attacks when your input is being displayed from your server/database.

So if someone had inserted malicious code into your database, it would not be executable for a user and would instead just be printed on the screen, like so:

$dbValue = "<script> Some evil code </script>";

{{ $dbValue }}

It'll output this:

<script> Some evil code </script>

And because the Laravel Collective HTML form IS generating HTML for you to display, you have to use {!! !!} to prevent escaping.

{!! "<b>Bold Text</b>" !!}

Then it'll output this:

Bold Text

For generating HTML it's fine, but you have to be careful about the values being sent to your server and displayed to a user. There you'll always have to escape your data with {{ }}.

  • What about displaying data using Form Model Binding? I will have to use the form to display data for editing. – Gujarat Santana Aug 06 '16 at 01:25
  • It'll automatically escape your model data values for your form so nothing to worry about here. – Zayn Ali Aug 06 '16 at 01:40
  • @GujaratSantana is there a reason you unaccepted the answer? – Zayn Ali Aug 06 '16 at 01:58
  • Forgot to ask: why can't I use `{{ }}` instead of `{!! !!}`? I see in other projects they can use `{{ }}`. – Gujarat Santana Aug 06 '16 at 02:05
  • Because the Laravel HTML package has to generate HTML for you to output in your view, so if you use {{ }} then these braces will escape the generated form HTML and you'll see code on your page instead of a form. – Zayn Ali Aug 06 '16 at 02:06
  • You only have to use {!! !!} with Form helper functions, not with the database-returned values. These must be escaped in order to protect your website from XSS attacks. – Zayn Ali Aug 06 '16 at 02:07
  • One more thing before I accept your answer: do you know this project? It is using the same brackets to generate a form: https://github.com/dwightwatson/neontsunami/blob/master/resources/views/admin/posts/_form.blade.php – Gujarat Santana Aug 06 '16 at 02:08
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/120289/discussion-between-gujarat-santana-and-zayn-ali). – Gujarat Santana Aug 06 '16 at 02:09
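The difference between the two syntaxes, and the model-binding point raised in the comments, as an added example that is not code from the question, the answer, or the Laravel/Laravel Collective source. It assumes that {{ }} behaves like htmlspecialchars() with ENT_QUOTES (a simplified model of Laravel's e() helper) and that a form helper escapes the attribute values it embeds; the form_text() helper and the sample values are constructed for illustration.

```php
<?php
// Stand-alone script mimicking what Blade compiles the two syntaxes to,
// so the behaviour can be seen without a Laravel install.

// Model of {{ $value }}: every HTML-significant character becomes an entity.
function blade_escaped(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Model of {!! $value !!}: the string is emitted exactly as given.
function blade_raw(string $value): string
{
    return $value;
}

// Hypothetical stand-in for a helper such as Form::text(): it builds markup,
// but escapes the value it embeds so a bound model attribute cannot close the
// value="..." attribute early. This is a simplified stand-in, not the
// package's own code.
function form_text(string $name, ?string $value): string
{
    $attr = $value === null ? '' : ' value="' . blade_escaped($value) . '"';
    return '<input type="text" name="' . blade_escaped($name) . '"' . $attr . '>';
}

// 1. Helper output: {{ }} turns the generated tag into visible text (the
//    symptom in the question); {!! !!} lets the browser render a real input.
$tag = form_text('first_name', null);
echo blade_escaped($tag), PHP_EOL; // &lt;input type=&quot;text&quot; name=&quot;first_name&quot;&gt;
echo blade_raw($tag), PHP_EOL;     // <input type="text" name="first_name">

// 2. The constructed "database" value from the answer: with {{ }} it is inert
//    text, not an executable script element.
$dbValue = '<script> Some evil code </script>';
echo blade_escaped($dbValue), PHP_EOL; // &lt;script&gt; Some evil code &lt;/script&gt;

// 3. Model binding: the value is escaped inside the helper, so the whole tag
//    is safe to print with {!! !!}. The constructed value contains a double
//    quote and a tag that would otherwise escape the attribute context.
$bound = 'Bob" <b>';
echo blade_raw(form_text('first_name', $bound)), PHP_EOL;
// <input type="text" name="first_name" value="Bob&quot; &lt;b&gt;">
```

The third case is the one to check in your own templates: {!! !!} is only safe around helper output whose embedded values were already escaped by the helper, never around a raw model or request value.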