sutherland

You don't have to use the default js file at all. If you're using Bootstrap and that's the only javascript you need, just remove app.js and load jQuery and Bootstrap from a CDN.

Poke

This code?!

<body>
    <!---->

    <!-- Scripts -->
    <script src="http://127.0.0.1:8000/js/app.js"></script>
</body>

Or do you mean the {{ Auth::user()->name }}?

Because the {{ Auth::user()->name }} is getting transformed into the user's name, it will spit out their name escaped, but since Vue then takes it and reads the curly brackets, it breaks.

That's at least how I understand it.

Poke

@sutherland Thank you very much, this fixed my issue. But still weird that the default js file has Vue, and that the default way of showing a logged in username is in a way that breaks the website.

Snapey
1 month ago (683,015 XP)

If you get this {{ Auth::user()->name }} in your HTML output, then it is either data from user input, or you are not putting .blade. in your view template names.

Poke

@Snapey as I just said, I do not :)

Snapey
1 month ago (683,015 XP)

You still misunderstand.

Because the {{ Auth::user()->name }} is getting transformed into the user's name, it will spit out their name escaped, but since Vue then takes it and reads the curly brackets, it breaks.

If you put {{ Auth::user()->name }} in a Blade template, then it is processed by Blade and completely replaced by the user's name. This HTML is sent to the browser and does not contain any curly braces that might be seen by Vue.

If, on the other hand, data contains a string with curly braces, then it will be passed in the view to the client, and will be seen by Vue.

Poke

@Snapey I understood you. And as you say, "if". And it was what happened: a user created a username with a curly bracket.

sutherland

@Snapey I think you still misunderstand. He doesn't have that in his HTML output; it's in the default auth scaffolding. His report is about user-inputted data, which we already established.

Snapey
1 month ago (683,015 XP)

@sutherland

No, I know what is happening, as mentioned several posts ago, and also that Auth::user()->name is totally irrelevant.

It's just striking that a 'user' managed to set their user name to a common and valid Laravel snippet.

I was trying to establish that the OP had not stumbled on this issue because he was not parsing Blade correctly and ending up with Blade tags in the HTML output.

I remain concerned that a malicious user could cause unwanted vue behaviour in another user's browser. As you said earlier, user submitted content should be excluded by using the v-pre prop... but I wonder how many devs know that?
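To make the two outcomes discussed above concrete, here is a constructed Blade layout fragment (an added example, not the thread's code nor the scaffolding file shipped by Laravel). It assumes a layout where Vue is mounted on `#app` by the default `app.js`, and shows the same `{{ Auth::user()->name }}` output once unprotected and once wrapped with Vue's `v-pre` directive:

```html
{{-- resources/views/layouts/app.blade.php (constructed example) --}}
<!doctype html>
<html>
<body>
<div id="app">
    {{-- Unprotected: Blade escapes <, >, &, and quotes, but leaves curly
         braces untouched. A display name such as "{{ 1 + 1 }}" therefore
         reaches the browser verbatim, and Vue evaluates it as a mustache
         expression when it compiles the #app subtree. --}}
    <a href="#" class="dropdown-toggle">
        {{ Auth::user()->name }}
    </a>

    {{-- Mitigated: v-pre tells Vue to skip compilation of this element and
         its children, so the user-controlled text is shown exactly as Blade
         escaped it, braces included. --}}
    <a href="#" class="dropdown-toggle" v-pre>
        {{ Auth::user()->name }}
    </a>
</div>

<!-- Scripts: the default scaffolding bundle that creates the Vue instance -->
<script src="{{ asset('js/app.js') }}"></script>
</body>
</html>
```

The point of the example is that escaping alone does not help here: Blade's escaping targets HTML metacharacters, while Vue's compiler targets `{{ }}` in text nodes. Any server-rendered region that can carry user-controlled text and sits inside the Vue mount point needs `v-pre` (or must be kept outside the mount point) to stay out of Vue's template compilation.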

Poke

@Snapey well, this is default behavior from the auth scaffolding in Laravel. That's why I thought it was safe. I have now removed Vue, and it works perfectly!

sutherland

@Snapey I've already submitted a PR. Since the scaffolding will only ever display the current user, I don't think it's a big issue, but it definitely should be added to set a good example.

Poke

@sutherland can you link to it? :)

sutherland
sadiss

Don't allow anything but a-z0-9 for a username. Why are you allowing them to write {{}} $ ?

Snapey
1 month ago (683,015 XP)

@sadis if you use the provided scaffolding, that's what you get. @sutherland made a PR to fix it, but Taylor just shut it down without thinking about it... very poor IMO.
