
I've had this code running since L5.0. With the latest update to L5.3.30 + the dependencies, it appears to be broken. Perhaps I've done something wrong since the beginning?

Here is the simplified code:

    {!! Form::select('currency', ['USD'=>'USD: *escape code here*'], 
        null, ['class'=>'form-control', "required", 'id'=>'currency']) !!}

For the last few years this code has returned a select box with text like this: "USD: $"

After composer update to L5.3.30, on all servers (test, dev, prod), it now returns the html symbol instead: "USD: escape code here"

I have temporarily (and successfully) patched this using:

    <select name="currency" id="currency" required class="form-control">
        @foreach (\Helper::currency() as $k=>$v)
            <option value="{{$k}}">{!! $v !!}</option>
        @endforeach
    </select>

The above code has the escape code for the currency in the $v var, and shows up correctly in the select box.

Please help - this breaks quite a few forms on my app.

Thank you.

EDIT: I can still correctly display unescaped text using {!! !!} everywhere else. It appears to only affect Form::select() items. I am therefore starting to think this is not an issue with Laravel's Blade escaping, but rather with the latest version of the Laravel Collective Form function.

SOLUTION: I noted this to the Laravel Collective Dev team, but this has apparently NOT been rolled back. See https://github.com/LaravelCollective/html/issues/296 for latest.

Watercayman
    Yes it is indeed Laravelcollective Formbuilder issue. I tracked this issue down to file /vendor/laravelcollective/html/src/FormBuilder.php line 683, there is "$this->html->escapeAll($display)" which is causing issues. Maybe you can try to contact developers, they do listen to emails. Please keep us updated. – Miloslav Milo Janoušek Feb 03 '17 at 15:49
  • Wow. An actual bug. Thank you very much @Miloslav Milo Janoušek , I don't have to think I'm crazy any more. I'll reach out to the dev team. – Watercayman Feb 03 '17 at 16:07

4 Answers


You can "fix" it by downgrading Laravelcollective html package to version 5.3.0 (down from 5.3.1 which is current version). Just edit composer.json "require"

"laravelcollective/html": "5.3.*",

with this:

"laravelcollective/html": "5.3.0",

The downside is that you will be using an older version which may have other issues that were already fixed in 5.3.1, but I don't have any specific information on that.

  • Thank you very much. Really appreciate you hunting this for me, I couldn't see the forest through the trees. Excellent! – Watercayman Feb 03 '17 at 16:11

Yes, this is the new syntax from Laravel 5.0. Just switching to {!! !!} is enough to fix using the form elements.

https://laravel.com/docs/5.0/upgrade

Blade Tag Changes

For better security by default, Laravel 5.0 escapes all output from both the {{ }} and {{{ }}} Blade directives. A new {!! !!} directive has been introduced to display raw, unescaped output. The most secure option when upgrading your application is to only use the new {!! !!} directive when you are certain that it is safe to display raw output.

However, if you must use the old Blade syntax, add the following lines at the bottom of AppServiceProvider@register:

\Blade::setRawTags('{{', '}}');
\Blade::setContentTags('{{{', '}}}');
\Blade::setEscapedContentTags('{{{', '}}}');

This should not be done lightly, and may make your application more vulnerable to XSS exploits. Also, comments with {{-- will no longer work.

Adam
    Thank you for the response Adam. Yes, {!! !!} should work correctly, but this is the problem - it does not. – Watercayman Feb 02 '17 at 18:30
  • Do you have a clear error message? The forms package was removed from Laravel in 5.0. You may need to install the Laravel Collectives package, they took over the work. https://laravelcollective.com/docs/5.0/html `"laravelcollective/html": "~5.0"` – Adam Feb 03 '17 at 14:27
  • Hi @Adam. No, there is no error. Everything else works fine. All other Form:: functions are working, including this one. It's just forcing an escape when it shouldn't be. The package is correct, and has been loaded as laravelcollective since they took over - it has been working fine. IE no change to code -- just broken after update to latest version of Laravel / Collective. I am wondering if anyone else can reproduce the issue in a Form::select with a symbol. – Watercayman Feb 03 '17 at 14:35
Following this issue https://github.com/LaravelCollective/html/issues/296 and this commit https://github.com/LaravelCollective/html/pull/297/files?diff=split ,

I changed line 683 ("$this->html->escapeAll()" to "e()"):

before

return $this->toHtmlString('<optgroup label="' . $this->html->escapeAll($label) . '">' . implode('', $html) . '</optgroup>');

after

return $this->toHtmlString('<optgroup label="' . e($label) . '">' . implode('', $html) . '</optgroup>');

It worked for me, before the latest version is released.
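The difference between the two escaping calls in the answer above comes down to PHP's `double_encode` flag. The following added example (not code from the laravelcollective/html package or from this thread) reproduces the behaviour with two small stand-in functions, `escapeAllLike()` and `eLike()`, which mirror what `HtmlBuilder::escapeAll()` and Laravel's `e()` helper call internally; the option labels are constructed sample input.

```php
<?php
// Stand-in for HtmlBuilder::escapeAll(): htmlentities() with the default
// double_encode = true, so an already-encoded "&#36;" becomes "&amp;#36;"
// and the browser shows the literal entity text instead of "$".
function escapeAllLike(string $value): string
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

// Stand-in for Laravel's e() helper: htmlspecialchars() with
// double_encode = false, so existing entities are left untouched while
// raw markup characters (<, >, ", ', &) are still encoded.
function eLike(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8', false);
}

// Constructed sample labels: the pre-encoded currency label from the
// question, and an untrusted string to confirm that switching to e()
// does not weaken the XSS protection for raw markup.
$labels = [
    'pre-encoded' => 'USD: &#36;',
    'untrusted'   => '<script>alert(1)</script>',
];

foreach ($labels as $name => $label) {
    printf("%-12s escapeAll: %s\n", $name, escapeAllLike($label));
    printf("%-12s e():       %s\n", $name, eLike($label));
}
```

Run it with `php example.php`: only the pre-encoded label differs between the two functions, while the untrusted markup is neutralised identically by both, which is why the one-line change in the pull request restores the old rendering without removing escaping.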

Instead of using

{!! your code !!}

try using

{{ your code }}

{!! !!} is used to display unescaped data. From the docs:

Displaying Unescaped Data

By default, Blade {{ }} statements are automatically sent through PHP's htmlentities function to prevent XSS attacks. If you do not want your data to be escaped, you may use the following syntax:

Hello, {!! $name !!}.

Be very careful when echoing content that is supplied by users of your application. Always use the escaped, double curly brace syntax to prevent XSS attacks when displaying user supplied data.

Gayan
    Thank you for the response @Gayan. Using {{ }} will not display the $, it will display the HTML symbol. The problem is that BOTH {{ }} AND {!! !!} are displaying the HTML symbol in the select box. This was never the case prior to 5.3.30. E.g. {!!   !!}} should display a space -- it does not now. – Watercayman Feb 02 '17 at 18:29