
peeter's avatar

Blade {{ }} statements are NOT sent through PHP's htmlspecialchars

Hello, why is this not working? It does not escape the HTML special characters anywhere. I would have to manually include the PHP function to make it work. For example:

{{ htmlspecialchars($image->title) }}

Is it possible that I have accidentally globally disabled the curly braces functionality so it doesn't escape the characters? Is there any way to check if it's disabled and how to enable it?

Thanks

LaryAI's avatar

The Blade {{ }} statements are automatically escaped by Laravel to prevent XSS attacks. However, if you want to output unescaped content, you can use the {!! !!} syntax instead. For example:

<p>{!! $image->title !!}</p>

This will output the title without escaping any HTML special characters. It's important to note that you should only use this syntax if you trust the content being outputted, as it can be a security risk.

MohamedTammam's avatar

It escapes them only if you use {{ }}; just make sure you're using the .blade.php extension in your files.

Snapey's avatar

Not sure why you thought you needed to also use htmlspecialchars?

htmlspecialchars('<script>') 

produces

&lt;script&gt;

which is already escaped, so {{ }} will output exactly the same string

kokoshneta's avatar

@Snapey That is, {{ htmlspecialchars('<script>') }} will double-encode the string and output

&amp;lt;script&amp;gt;
peeter's avatar

Sorry I just looked more into it and found some new info that might help.

Here is my exact code that is written in my blade file:

<a data-lg-size="1600-1308" data-sub-html="<h4>{{ $image->title }} </h4>">
<img src="image.jpeg">
</a>

$image->title value is <IMG SRC=# onmouseover="alert('asdsad')">

When viewing the page, inspecting the element (in Chrome), choosing "Edit as HTML" this is the output:

<a data-lg-size="1600-1308" data-sub-html="<h4><IMG SRC=# onmouseover=&quot;alert('asdsad')&quot;> </h4>">
<img src="image.jpeg">
</a>

When viewing page source (in browser), it shows this:

<a data-lg-size="1600-1308" data-sub-html="<h4>&lt;IMG SRC=# onmouseover=&quot;alert(&#039;asdsad&#039;)&quot;&gt; </h4>">
<img src="image.jpeg">
</a>

Probably the JavaScript (a gallery plugin) converts the escaped characters back to HTML when the image is clicked? The alert box appears when hovering the "sub-html".

I get the best result when I use data-sub-html="<h4>{{ htmlspecialchars($image->title) }}. Here is the page source then, and no alert box appears when viewing the page:

data-sub-html="<h4>&amp;lt;IMG SRC=# onmouseover=&amp;quot;alert(&amp;#039;asdsad&amp;#039;)&amp;quot;&amp;gt;</h4>"

So, why didn't {{ }} fix the issue? Seems like Laravel has a bug.
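The behaviour described in this post can be modelled outside a browser. The following is an added example, not code from the thread or from Laravel or the gallery plugin: it approximates Blade's htmlspecialchars escaping, the parser's one-time entity decoding of an attribute value (what getAttribute() returns), and a plugin that injects that value as HTML; the function names and the `pluginWouldRenderTags` check are assumptions made for the demonstration.

```javascript
// Approximates PHP htmlspecialchars($s, ENT_QUOTES), which is what Blade {{ }} applies.
function htmlspecialchars(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;',
  })[c]);
}

// Approximates what element.getAttribute() returns: the HTML parser decodes
// entities in an attribute value exactly once, in a single pass.
function decodeAttribute(s) {
  const named = { lt: '<', gt: '>', amp: '&', quot: '"' };
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|lt|gt|amp|quot);/gi, (m, e) => {
    if (e[0] === '#') {
      const code = e[1].toLowerCase() === 'x'
        ? parseInt(e.slice(2), 16)
        : parseInt(e.slice(1), 10);
      return String.fromCodePoint(code);
    }
    return named[e.toLowerCase()];
  });
}

// The gallery plugin reads data-sub-html and inserts it as markup (innerHTML-style),
// so whatever decodeAttribute() returns is parsed as HTML. True if a tag survives.
function pluginWouldRenderTags(attrValue) {
  return /<[a-z]/i.test(decodeAttribute(attrValue));
}

// Constructed title, the same shape as the one in the thread.
const title = '<IMG SRC=# onmouseover="alert(\'asdsad\')">';

// What {{ $image->title }} writes into the attribute (one round of escaping).
const singleEscaped = htmlspecialchars(title);
// What {{ htmlspecialchars($image->title) }} writes (two rounds).
const doubleEscaped = htmlspecialchars(singleEscaped);

// One round: the parser undoes it and the plugin receives the raw tag.
// Two rounds: the plugin receives "&lt;IMG ...", which renders as text.
```

The value crosses two contexts, the attribute (decoded by the parser) and then the HTML the plugin builds from it, so it needs one layer of escaping per context; {{ }} supplies only the first, which is why the second round removes the alert.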

peeter's avatar

@Snapey data-sub-html is just some html that is displayed below the image when the image thumbnail is clicked on. It is a javascript gallery plugin.
