这个 Blade 卫生是否正常工作(双花括号与三花括号)?

Is this Blade sanitation working correctly (double vs triple curly braces)?

很抱歉,这很可能是我自己的误解,而不是实际存在的问题。我对 Laravel 和 Blade 模板相当陌生,我正在尝试输出从 Input::get 中获取的一些字段。但是,当我通过双花括号和三花括号输出字段时,输出之间似乎没有区别。

以下是我的观点的摘录:

@ $data = Input::only('name', 'date');

{{ "Unfiltered input: ".$data['name'] }}

<br />

{{{ "Filtered input: ".$data['name'] }}}

但是,当我提供带有特殊字符或代码的输入并查看呈现页面的源代码时,我看到为两者呈现的相同、未过滤的输入。

根据 Laravel documentation, I want to strictly use the {{{ }}} when outputting to a View, but I don't see it actually being "escaped or purified". I haven't quite gotten to setting up the Validation,我认为这是安全和卫生的主要冲击,对吗?但是现在只关注这个,我是不是误解了三重花括号应该做什么?还是他们在幕后工作,而我只是没有看到最终结果?像这样输出用户输入时,我还应该做些什么吗(除了设置验证层)?

Laravel 4

双花括号和三花括号之间的唯一区别是三花括号通过 e() 辅助函数运行值,这只是 PHP htmlentities 函数的快捷方式。

{{ "Unfiltered input: ".$data['name'] }}
{{{ "Filtered input: ".$data['name'] }}}

编译成:

<?php echo "Unfiltered input: ".$data['name']; ?>
<?php echo e("Filtered input: ".$data['name']); ?>

但是,所有这些都发生在输出上。它与清理输入没有任何关系。

Laravel 5

在 Laravel 5 中,Blade 语法已更改,双花括号 ({{ }}) 将转义输出,新的花括号双感叹号语法 ({!! !!}) 将不转义输出。

所以,

{{ "Filtered input: ".$data['name'] }}
{!! "Unfiltered input: ".$data['name'] !!}

编译成:

<?php echo e("Filtered input: ".$data['name']); ?>
<?php echo "Unfiltered input: ".$data['name']; ?>

除了已接受的答案之外,值得一提的是,从 Laravel 5 开始,{{ }}{{{ }}}

的工作方式相同

https://laravel.com/docs/5.2/upgrade#upgrade-5.0

直接引用:

For better security by default, Laravel 5.0 escapes all output from both the {{ }} and {{{ }}} Blade directives. A new {!! !!} directive has been introduced to display raw, unescaped output. The most secure option when upgrading your application is to only use the new {!! !!} directive when you are certain that it is safe to display raw output.

However, if you must use the old Blade syntax, add the following lines at the bottom of AppServiceProvider@register:

\Blade::setRawTags('{{', '}}'); \Blade::setContentTags('{{{', '}}}'); \Blade::setEscapedContentTags('{{{', '}}}');

This should not be done lightly, and may make your application more vulnerable to XSS exploits. Also, comments with {{-- will no longer work.