84

I'm building a small CMS in Laravel and I tried to show the content (which is stored in the DB). It is showing the HTML tags instead of executing them. It's like there is an auto html_entity_decode for all printed data.

<?php

class CmsController extends BaseController
{
    public function Content($name)
    {    
        $data = Pages::where('CID', '=', Config::get('company.CID'))
            ->where('page_name', '=', $name)
            ->first();

        return View::make('cms.page')->with('content', $data);
    }
}

I tried to print the content using the curly brace.

{{ $content->page_desc }}

and triple curly brace.

{{{ $content->page_desc }}}

And they give the same result. I need to execute those HTML tags instead of escaping them.

8
  • 1
    In the latest version (ver-5.0), {{...}} and {{{...}}} both do this. What version do you have exactly? Commented Sep 24, 2014 at 18:22
  • I'm using version 4.2 Commented Sep 24, 2014 at 18:24
  • Then I'm not sure why {{...}} gives escaped result! Commented Sep 24, 2014 at 18:26
  • 17
    In v-5, use {!! !!} for normal output (without esc). Commented Sep 24, 2014 at 18:30
  • Are they stored as "tags" or already escaped in the db? Because else I would see it like The Alpha, this should only be the case in v5 of laravel Commented Sep 24, 2014 at 18:34

7 Answers 7

196

Change your syntax from {{ }} to {!! !!}.

As The Alpha said in a comment above (not an answer so I thought I'd post), in Laravel 5, the {{ }} (previously non-escaped output syntax) has changed to {!! !!}. Replace {{ }} with {!! !!} and it should work.


4 Comments

Solved in my case!
worked like magic. Thanks!! Though I don't know why html_entity_decode didn't work.
@IvanTopolcic is there a way to extract the html coming back from an @yield('content') blade directive?
This is documented at laravel.com/docs/8.x/blade
19

use this tag {!! description text !!}

2 Comments

This answer worked for me in Laravel 5.2. In the course of working on the problem, I also discovered that Illuminate/Support/helpers.php::529 runs htmlentities() if you don't use this syntax: {!! !!}.
Still works in Laravel 7 ...
9

I had the same issue. Thanks to the answers above, I solved my issue. If there are people facing the same problem, here are two ways to solve it:

  • You can use {!! $news->body !!}
  • You can use the traditional PHP opening tag (it is not recommended), like: <?php echo $string ?>

I hope it helps.

1 Comment

is there a way to extract the html coming back from an @yield('content') blade directive?
7

Include the content in {! <content> !} .

Comments

2

There is no problem with displaying HTML code in blade templates.

For test, you can add to routes.php only one route:

Route::get('/', function () {

        $data = new stdClass();
        $data->page_desc
            = '<strong>aaa</strong><em>bbb</em>
               <p>New paragaph</p><script>alert("Hello");</script>';

        return View::make('hello')->with('content', $data);
    }
);

and in hello.blade.php file:

<!doctype html>
<html lang="en">
<head>
    <meta charset="UTF-8">
</head>
<body>

{{ $content->page_desc }}

</body>
</html>

For the following code you will get output as on image

[Image: Output]

So probably page_desc in your case is not what you expect. But as you see, it can be potentially dangerous if someone uses, for example, a <script> tag, so you should probably filter some tags in your route before assigning the content to the Blade template.

EDIT

I've also tested it with putting the same code into database:

Route::get('/', function () {

        $data = User::where('id','=',1)->first();

        return View::make('hello')->with('content', $data);
    }
);

Output is exactly the same in this case

Edit2

I also don't know if Pages is your model or it's a vendor model. For example it can have accessor inside:

public function getPageDescAttribute($value)
{
    return htmlspecialchars($value);
}

and then when you get page_desc attribute you will get modified page_desc with htmlspecialchars. So if you are sure that data in database is with raw html (not escaped) you should look at this Pages class

Comments

1

This worked for me in Laravel 10

{!! $blog->description !!}

1 Comment

Those tags will output what the user entered data saved to the database. This could include anything. Consider passing it through an HTML filter or purifier.
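
The filtering this comment recommends, and the tag filtering an earlier answer suggested doing before the data reaches the template, shown as an added example that is not part of the original thread: an allowlist sanitizer built on PHP's DOM extension, applied before the value is printed with {!! !!}. The name sanitizePageHtml() and both tag lists are assumptions; a maintained library such as HTML Purifier is the usual production choice.

```php
<?php
// Added example: allowlist filter for CMS HTML that will be printed raw.
// sanitizePageHtml() and both tag lists are assumptions, not Laravel APIs.
const ALLOWED_TAGS = ['p', 'br', 'strong', 'em', 'ul', 'ol', 'li', 'a'];
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed'];

function sanitizePageHtml(string $html): string
{
    libxml_use_internal_errors(true);   // tolerate malformed markup
    $doc = new DOMDocument();
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>', LIBXML_NONET);
    libxml_clear_errors();
    $root = $doc->getElementsByTagName('div')->item(0);   // the wrapper above

    // Snapshot first: the node list is live and the tree is mutated below.
    foreach (iterator_to_array($root->getElementsByTagName('*')) as $el) {
        $tag = strtolower($el->nodeName);
        if (in_array($tag, DROP_WITH_CONTENT, true)) {
            $el->parentNode->removeChild($el);            // drop tag and body
        } elseif (!in_array($tag, ALLOWED_TAGS, true)) {
            while ($el->firstChild) {                     // unwrap, keep children
                $el->parentNode->insertBefore($el->firstChild, $el);
            }
            $el->parentNode->removeChild($el);
        } else {
            foreach (iterator_to_array($el->attributes) as $attr) {
                // Only href on <a>, and only with an allowlisted scheme/prefix.
                $keep = $tag === 'a' && $attr->nodeName === 'href'
                    && preg_match('#^(https?://|mailto:|/)#i', $attr->nodeValue);
                if (!$keep) {
                    $el->removeAttributeNode($attr);      // onclick, style, ...
                }
            }
        }
    }

    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);   // text nodes are re-escaped here
    }
    return $out;
}

// Constructed input, modelled on the test string in the answer above.
$dirty = '<strong>aaa</strong><em onclick="x()">bbb</em>'
       . '<p>New paragraph</p><script>alert("Hello");</script>';
echo sanitizePageHtml($dirty), PHP_EOL;
// In the controller: ->with('page_html', sanitizePageHtml($data->page_desc))
// In the view:       {!! $page_html !!}
```

If the input closes the wrapper early with a stray </div>, everything after it falls outside the serialized root and is dropped rather than passed through.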
-4

{{html_entity_decode ($post->content())}} solved the issue for me with Laravel 4.0. Now my HTML content is interpreted as it should.

2 Comments

Yes, this solution actually works for Laravel 4 - maybe someone knows a better solution for L4?
Since we are using laravel we should use {!! !!} which follows the Laravel syntax.
