How to echo the way Laravel does

2

Recently I started using Laravel and found the {{}} function to be very useful, since even when the content is JavaScript it does not execute, unlike echo in PHP.

I would like to know if you can do the same thing in PHP.

Basic example:

<?php
echo "<script> alert(\"Hello! I am an alert box!!\");</script>";
?>

It will execute the JavaScript, but in Laravel with {{}} it will show what is written, without executing the JavaScript.

    
asked by anonymous 06.07.2018 / 02:33

1 answer

2

Laravel's Blade turns {{ }} into a call to the internal function e(), whose name comes from escape.

The code of this e() function is as follows:

function e($value, $doubleEncode = true)
{
    if ($value instanceof Htmlable) {
        return $value->toHtml();
    }
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8', $doubleEncode);
}

That is, using htmlspecialchars results in something similar.

The purpose of doing this is to avoid attacks where you inject code to produce something unexpected in the application, such as malicious JavaScript.

Validating the inputs and outputs of your code, especially places where the user has the power to enter or edit data, is something that may go unnoticed but is very important for security.

    
06.07.2018 / 03:33
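
A plain-PHP counterpart of Blade's {{ }}, as an added example that is not part of the original answer or of Laravel's code. The names esc(), SafeHtml and TrustedMarkup are hypothetical, ENT_SUBSTITUTE is an addition to the flags quoted above, and PHP 8.0 or later is assumed.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for Laravel's Htmlable contract: a value that is
// already finished HTML and must not be escaped again.
interface SafeHtml
{
    public function toHtml(): string;
}

final class TrustedMarkup implements SafeHtml
{
    public function __construct(private string $html) {}
    public function toHtml(): string { return $this->html; }
}

// Plain-PHP counterpart of the e() helper quoted in the answer.
function esc(mixed $value, bool $doubleEncode = true): string
{
    if ($value instanceof SafeHtml) {
        return $value->toHtml();
    }
    // ENT_QUOTES escapes both ' and ", so the result is also safe inside a
    // quoted attribute value. ENT_SUBSTITUTE (an addition here) replaces
    // invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', $doubleEncode);
}

// Constructed sample input: the string from the question, as user-supplied data.
$comment = '<script> alert("Hello! I am an alert box!!");</script>';

// HTML text context: the browser shows the tag as text and runs nothing.
echo '<p>' . esc($comment) . "</p>\n";

// Quoted attribute context: the escaped quotes cannot close the attribute.
echo '<input type="text" value="' . esc($comment) . "\">\n";

// $doubleEncode = false leaves entities that are already encoded untouched.
echo esc('Tom &amp; Jerry') . "\n";
echo esc('Tom &amp; Jerry', false) . "\n";

// Markup the application built itself opts out, like Blade's {!! !!}.
echo esc(new TrustedMarkup('<strong>saved</strong>')) . "\n";
```

This escaping covers HTML text and quoted attribute values only; data placed inside a script block or an unquoted attribute needs encoding for that context instead.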