在Laravel Collective中使用双花括号 [英] Using double curly brace in Laravel Collective

问题描述

我正在尝试创建可像这样创建用户的表单，并且该表单还将用于通过表单模型绑定来显示数据:

I'm trying to create form that create users like this and this form will be use for displaying data also using Form Model Binding:

{{ Form::open(['url' => 'admin/users/create']) }}

    <div class="form-group">
        {{ Form::label('first_name', 'First Name : ') }}
        {{ Form::text('first_name', null, ['class' => 'form-control']) }}
    </div>

    <div class="form-group">
        {{ Form::label('last_name', 'Last Name : ') }}
        {{ Form::text('last_name', null, ['class' => 'form-control']) }}
    </div>

{{ Form::close() }}

但是它显示的是代码而不是实际视图，因此我在浏览器中看到的是该代码:

however it showing the code not the actual view, so I see in my browser this code :

<form method="POST" action="http://localhost:8000/admin/users/create" accept-charset="UTF-8">

    <input name="_token" type="hidden" value="X5MA46MJctYOYeMtZF1RoQKYmWDtAbsSoxwoOA8Y">

    <label for="first_name">First Name : </label> 
    <input class="form-control" name="first_name" type="text" id="first_name">

    <label for="last_name">Last Name : </label> 
    <input class="form-control" name="last_name" type="text" id="last_name">

</form>

，但是当尝试使用{!! !!}作为左括号和右括号时，代码将起作用并显示实际视图.

but when trying to using {!! !!} as the open and close brackets, the code works and showing the actual view.

我仍然不明白为什么不能使用 laravel-collective将{{ }}用作括号，如果您看到此 项目 就可以了.

I'm still dont understand why I can't use {{ }} as my bracket using laravel-collective and if you see this Project it's work fine.

也有点害怕XSS攻击，就像 laravel文档在本节中说的那样显示未转义的数据:

Also kinda afraid of XSS attack just like laravel documentation said on the section Displaying Unescaped Data:

注意:回显用户提供的内容时要非常小心 您的应用程序.始终使用双花括号语法来 转义内容中的所有HTML实体.

Note: Be very careful when echoing content that is supplied by users of your application. Always use the double curly brace syntax to escape any HTML entities in the content.

对此有任何有用的解释吗?谢谢

any helpful explanation on this? thank you

注意:我正在使用 Laravel 5.1.40(LTS)

推荐答案

因为{{}}用于转义HTML实体，以防止XSS攻击从服务器/数据库中显示您的输入.

Because {{ }} is used for escaping HTML entities to prevent XSS attacks for your input being displayed from your server/database.

因此，如果有人在您的数据库中插入了恶意代码，则该用户将无法执行该恶意代码，而只是在屏幕上打印出来.像这样

so if someone had inserted a malicious code in your database then it would not be executable for a user and instead just print out on the screen. like so

$dbValue = "<script> Some evil code </script>";

{{ $dbValue }}

它将以此输出

<script> Some evil code </script>

由于Laravel Collective HTML FORM正在生成HTML以供显示，因此您必须使用{!! !!}以防止逃跑.

And because Laravel Collective HTML FORM IS generating HTML for you to display then you have to use {!! !!} to prevent escaping.

{!! "<b>Bold Text</b>" !!}

然后它将输出

粗体

对于生成HTML来说很好，但是您必须注意将值发送到服务器并向用户显示.在这里，您始终必须使用{{}}

For generating HTML it's fine but you've to be careful about your values being sent to your server and being displayed out to a user. There you'll always have to escape your data with {{ }}

这篇关于在Laravel Collective中使用双花括号的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！