Summer Sale! All accounts are 50% off this week.

DeadCode's avatar

Blade Sandbox

Hi —

We want to allow our clients to be able to write their own emails that they can send to their users. How can we let them have access to a blade template but prevent code injection?

Thanks

0 likes
4 replies
gabrielbuzzi's avatar

don't need to create a blade file, just add in a database table the html code and them submit this html.

gabrielbuzzi's avatar

Laravel already deal with injections, so i thing you don't need to worry that too much.

DeadCode's avatar

@gabrielbuzzi Sorry for the long time not answering. It seems Laravel doesn't deal with them.

Don't forget I let the user write the template, and I need to remove any bad PHP.

>>> \Blade::compileString('<?php echo 1;')
=> "<?php echo 1;"
>>> \Blade::compileString('<?php echo 1; {{ $hi }}', ['hi' => 'NO'])
=> "<?php echo 1; {{ $hi }}"
>>> \Blade::compileString('<?php echo 1; {{ hi }}', ['hi' => 'NO'])
=> "<?php echo 1; {{ hi }}"
>>> \Blade::compileString('{{ $hi }}', ['hi' => 'NO'])
=> "<?php echo e($hi); ?>"

The string isn't sanitized from the <?php initially

Please or to participate in this conversation.