What is the difference between {{ }} and {!! !!} in laravel blade files?

Question 1

In the laravel framework we can use blade to add PHP code in html file.
We are using both {{ }} and {!! !!} syntax in blade files of Laravel.
What is the difference between them?

Question 2

Blade {{ }} statements are automatically sent through PHP's htmlentities function to prevent XSS attacks.

If you pass data from your Controller to a View with some HTML styling like:

$first = "<b>Narendra Sisodia</b>";

And it is accessed, within Blade, with {{ $first }} then the output'll be:

<b>Narendra Sisodia</b>

But if it is accessed with {!! $first !!} then the output'll be:

Narendra Sisodia

Question 3

Solution 1: Let users fill the database column (after filtering the given code for any possible php codes) and save it into a 'master' file, from which the final view is being extended. User may use given codes for content replacement

//master.blade.php
<html>
<head>
<%token%>
</head>
<body>
<%content%>
...
<%scripts%>
</body>
</html>

In the above code, the <% content %>

should be replaced by

@yield('content')

before the actual view is processed.

//final.blade.php
@extends('layouts.master')
@section('content')
...
@endsection

So the controller, saves the database column content into master.blade.php and then calls the view('final') function as necessary.

//In Controller
//Save the contents of database column in master.blade.php
return view('final',$data);

But this is NOT a GOOD solution. File write operation for every request, cache problems, security issues (such as service side execution script injection) etc. An alternate to this is having a master for each user, created only when the user makes changes in the template column. Thus benefiting from lesser file write operations, but file overload on the server because a file for every user in the file-system.

Solution 2: Save the user's layout code into database column (no filtering necessary).

//In controller
$content = View::make('final',compact('data'));
$token = "<meta name='_token' content='" . csrf_token() ."'";
$scripts = View::make('final_scripts',compact('data'));

$view = str_replace_first("<%content%>", $content, $templateInDatabase);
$view = str_replace_first("<%token%>", $token, $view);
$view = str_replace_first("<%scripts%>", $scripts, $view);

return $view;

The user shall be made to include the three <%X%> tags in the template code. Benefits are no server side code execution, hence added security. Cache problems minimize as the final & final_scripts blade templates can be cached. But the string replacements add extra effort.

Question 4

Possible Change - 1

Setup Token on Header

Set the token on <head> of your default.blade.php view

<meta name="csrf-token" content="{{csrf_token()}}">

Add ajaxSetup on the top of your script, that will be accessible to everywhere. This will set headers on each ajax call

$.ajaxSetup({
    headers: {
        'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
    }
});

Set Token on <form> tag

Add below function to your <form> tag. This function will generate a hidden field named _token and filled value with token

{{csrf_field()}}

Add csrf_token() function to your hidden _token in value attribute. This will generate only encrypted string.

<input type="hidden" name="_token" value="{{csrf_token()}}"/>.

Possible Change - 2

Check session storage path & Permission

Here assume that project app url is APP_URL=http://project.dev/ts/toys-store

Set the write permission to storage_path('framework/sessions')
Check the path of your laravel project 'path' => '/ts/toys-store', this path is root of your laravel project.

Change the name of your cookie 'cookie' => 'toys-store',

return [
    'driver' => env('SESSION_DRIVER', 'file'),
    'lifetime' => 120,
    'expire_on_close' => false,
    'encrypt' => false,
    'files' => storage_path('framework/sessions'),
    'connection' => null,
    'table' => 'sessions',
    'lottery' => [2, 100],
    'cookie' => 'toys-store',
    'path' => '/ts/toys-store',
    'domain' => null,
    'secure' => false,
    'http_only' => true,
];

Possible Change - 3

Use _token field on AJAX

There are many ways to send _token on AJAX call

Get all input field's value within <form> tag using var formData = new FormData($("#cart-add")[0]);
Use $("#cart-add").serialize(); or $("#cart-add").serializeArray();
Add _token manually on data of AJAX. using $('meta[name="csrf-token"]').attr('content') or $('input[name="_token"]').val().

We can set as header on a particular ajax call like below code.

$.ajax({
    url: "path/to/ajax",
    type: "POST",
    data: formData,
    processData: false,
    contentType: false,
    dataType: "json",
    headers: {
        'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
    }
});

Question 5

"for each...in" iterates a specified variable over all values of the specified object's properties.

Example:

var sum = 0;
var obj = {prop1: 5, prop2: 13, prop3: 8};
for each (var item in obj) {
  sum += item;
}
print(sum); // prints "26", which is 5+13+8

Source

"for...in" iterates a specified variable over all properties of an object, in arbitrary order.

Example:

function show_props(obj, objName) {
   var result = "";
   for (var i in obj) {
      result += objName + "." + i + " = " + obj[i] + "n";
   }
   return result;
}

Source

Note 03.2013, for each... in loops are deprecated. The 'new' syntax recommended by MDN is for... of.

Question 6

{!! !!} will escape your data.

A good use for this would be, for example, making your links clickable.

So if $data = "www.google.com";, for example,

{{ $data }} is not clickable.

{!! $data !!} will be clickable.

What is the difference between {{ }} and {!! !!} in laravel blade files?

Answers

php,laravel,laravel-5.2,laravel-blade