
In the Laravel framework we can use Blade to add PHP code in an HTML file.
We are using both the {{ }} and {!! !!} syntax in the Blade files of Laravel.
What is the difference between them?



Blade {{ }} statements are automatically sent through PHP's htmlentities function to prevent XSS attacks.

If you pass data from your Controller to a View with some HTML styling like:

$first = "<b>Narendra Sisodia</b>";

If it is accessed within Blade with {{ $first }}, the output will be:

<b>Narendra Sisodia</b>

But if it is accessed with {!! $first !!}, the output will be:

Narendra Sisodia

Thursday, November 17, 2022

Solution 1: Let users fill the database column (after filtering the given code for any possible PHP code) and save it into a 'master' file, from which the final view is extended. Users may use the given codes for content replacement.


In the above code, the <% content %>

should be replaced by


before the actual view is processed.


So the controller saves the database column content into master.blade.php and then calls the view('final') function as necessary.

//In Controller
//Save the contents of database column in master.blade.php
return view('final',$data);

But this is NOT a GOOD solution: a file write operation for every request, cache problems, security issues (such as server-side script injection) etc. An alternative is having a master file for each user, created only when the user changes the template column. That means fewer file write operations, but it overloads the server's file system because there is a file for every user.

Solution 2: Save the user's layout code into database column (no filtering necessary).

//In controller
$content = View::make('final', compact('data'));
// closing '>' added so the meta tag is well-formed
$token = "<meta name='_token' content='" . csrf_token() . "'>";
$scripts = View::make('final_scripts', compact('data'));

// str_replace_first is the helper this answer assumes (replace the first
// occurrence only); Laravel's Str::replaceFirst does the same job.
$view = str_replace_first("<%content%>", $content, $templateInDatabase);
$view = str_replace_first("<%token%>", $token, $view);
$view = str_replace_first("<%scripts%>", $scripts, $view);

return $view;

The user must include the three <%X%> tags in the template code. The benefit is that no server-side code execution happens, hence added security. Cache problems are minimized, as the final and final_scripts Blade templates can be cached. But the string replacements add extra effort.

Saturday, September 10, 2022

Possible Change - 1

Setup Token on Header

Set the token in the <head> of your default.blade.php view:

<meta name="csrf-token" content="{{csrf_token()}}">

Add ajaxSetup at the top of your script, so that it is accessible everywhere. This will set the headers on each AJAX call:

    $.ajaxSetup({
        headers: {
            'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
        }
    });

Set Token on <form> tag

Add the function below to your <form> tag. This function will generate a hidden field named _token filled with the token value:


Or add the csrf_token() function to the value attribute of your hidden _token input. This generates only the token string:

<input type="hidden" name="_token" value="{{csrf_token()}}"/>

Possible Change - 2

Check session storage path & Permission

Here, assume that the project app URL is APP_URL=

  1. Set write permission on storage_path('framework/sessions').
  2. Check the path of your Laravel project: 'path' => '/ts/toys-store'. This path is the root of your Laravel project.
  3. Change the name of your cookie: 'cookie' => 'toys-store'.

    return [
        'driver' => env('SESSION_DRIVER', 'file'),
        'lifetime' => 120,
        'expire_on_close' => false,
        'encrypt' => false,
        'files' => storage_path('framework/sessions'),
        'connection' => null,
        'table' => 'sessions',
        'lottery' => [2, 100],
        'cookie' => 'toys-store',
        'path' => '/ts/toys-store',
        'domain' => null,
        'secure' => false,
        'http_only' => true,
    ];

Possible Change - 3

Use _token field on AJAX

There are many ways to send _token on an AJAX call:

  1. Get all input fields' values within the <form> tag using var formData = new FormData($("#cart-add")[0]);
  2. Use $("#cart-add").serialize(); or $("#cart-add").serializeArray();
  3. Add _token manually to the data of the AJAX call, using $('meta[name="csrf-token"]').attr('content') or $('input[name="_token"]').val().
  4. Set it as a header on a particular AJAX call, like the code below.

    $.ajax({
        url: "path/to/ajax",
        type: "POST",
        data: formData,
        processData: false,
        contentType: false,
        dataType: "json",
        headers: {
            'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
        }
    });

Sunday, September 25, 2022

"for each...in" iterates a specified variable over all values of the specified object's properties.


var sum = 0;
var obj = {prop1: 5, prop2: 13, prop3: 8};
for each (var item in obj) {   // non-standard, deprecated syntax (see the note below)
  sum += item;
}
print(sum); // prints "26", which is 5+13+8


"for...in" iterates a specified variable over all properties of an object, in arbitrary order.


function show_props(obj, objName) {
   var result = "";
   for (var i in obj) {
      result += objName + "." + i + " = " + obj[i] + "\n";
   }
   return result;
}


Note 03.2013, for each... in loops are deprecated. The 'new' syntax recommended by MDN is for... of.

Friday, December 16, 2022

{!! !!} will escape your data.

A good use for this would be, for example, making your links clickable.

So if $data = "";, for example,

{{ $data }} is not clickable.

{!! $data !!} will be clickable.

Wednesday, August 17, 2022
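As an added example (not code from the question, from any answer, or from Laravel itself), here is a plain-PHP stand-in for the two echo syntaxes discussed in the first answer, together with the safe way to get the "clickable links" the last answer mentions. e() applies the same htmlspecialchars call Laravel's helper uses for {{ }}; render() and linkify() are names of my own, and the sample values are constructed.

```php
<?php
// Added example, not code from the question or answers. e() mirrors the
// escaping Laravel's helper applies to {{ }}: htmlspecialchars with
// ENT_QUOTES | ENT_SUBSTITUTE and UTF-8, so quotes cannot end an attribute.
function e(?string $value): string
{
    return htmlspecialchars($value ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Toy stand-in for Blade's two echo syntaxes (the name render() is ours).
// One pass over the template, so a raw value cannot smuggle in a second
// "{{ }}" that a later escaping pass would then process.
function render(string $template, array $vars): string
{
    return preg_replace_callback(
        '/\{!!\s*\$(\w+)\s*!!\}|\{\{\s*\$(\w+)\s*\}\}/',
        function (array $m) use ($vars): string {
            if ($m[1] !== '') {                       // {!! $x !!}: emitted raw
                return (string) ($vars[$m[1]] ?? '');
            }
            return e((string) ($vars[$m[2]] ?? ''));  // {{ $x }}: escaped
        },
        $template
    );
}

// Safe "clickable links": escape the whole text first, then wrap only the
// http(s) URLs found in the *escaped* text, so a URL containing quotes or
// angle brackets cannot break out of the href attribute.
function linkify(string $text): string
{
    return preg_replace(
        '~\bhttps?://[^\s<>"\']+~i',
        '<a href="$0" rel="noopener noreferrer">$0</a>',
        e($text)
    );
}

// Constructed sample values: the "styled" name from the first answer and a
// comment with a link plus an injected tag that a user must not control.
$first = '<b>Narendra Sisodia</b>';
$data  = 'see https://example.com/docs <img src=x onerror=alert(1)>';

echo render('{{ $first }}', ['first' => $first]), "\n";   // tags become entities
echo render('{!! $first !!}', ['first' => $first]), "\n"; // tags emitted as markup
echo render('{!! $data !!}', ['data' => linkify($data)]), "\n";
```

The third echo is the pattern to prefer over handing raw user input to {!! !!}: the text is escaped once, the link is built from the escaped URL, and the injected img tag is rendered as text.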