Blade Sandbox Hi —
We want to allow our clients to be able to write their own emails that they can send to their users. How can we let them have access to a blade template but prevent code injection?
Thanks
don't need to create a blade file, just add in a database table the html code and them submit this html.
Laravel already deal with injections, so i thing you don't need to worry that too much.
@gabrielbuzzi Sorry for the long time not answering. It seems Laravel doesn't deal with them.
Don't forget I let the user write the template, and I need to remove any bad PHP.
>>> \Blade::compileString('<?php echo 1;')
=> "<?php echo 1;"
>>> \Blade::compileString('<?php echo 1; {{ $hi }}', ['hi' => 'NO'])
=> "<?php echo 1; {{ $hi }}"
>>> \Blade::compileString('<?php echo 1; {{ hi }}', ['hi' => 'NO'])
=> "<?php echo 1; {{ hi }}"
>>> \Blade::compileString('{{ $hi }}', ['hi' => 'NO'])
=> "<?php echo e($hi); ?>"
The string isn't sanitized from the <?php initially
Please sign in or create an account to participate in this conversation.