
mrkarma4ya

How do I prevent @ from escaping {{}} content in blade

It looks like @ is used to escape {{}} in blade templating, especially for using in Vue.

But I need to prevent that action.

I want to display username with @ symbol like this:

User: @{{$user->name}}

Expected: @mrkarma4ya

But it won't work. How do I make it work?

Snapey
Best Answer

Never do what @lindie2669 suggests since it creates an XSS vulnerability

You could also use the html entity

&#64;{{ $user->name }}
mrkarma4ya

Thanks, looks like that'll do.

Could you explain the xss vulnerability with @lindie2669's suggestion? Just trying to learn a bit.

Snapey

XSS is someone embedding unwanted scripts in user-provided data.

https://owasp.org/www-community/attacks/xss/

Suppose I could add <script> tags into my username. When another user sees a screen that includes a list of users (e.g. posts on this page), then that script tag could be running in the browser. So now the attacker can pretend to be another unsuspecting user. This could, for instance, allow someone to post comments as that user (or worse).

Laravel protects against XSS by escaping HTML tags when outputting strings IF you use the {{ }} blade tags.

On the other hand, if you use {!! !!} then the content of the username field is echoed to the browser in its raw format with no escaping.

What is worse in this case is that {!! '@'.$user->name !!} is no different to {{ '@' . $user->name }} except that it exposes you to XSS attacks.
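
The difference described in the post above, as an added example that is not part of the original thread. It runs as plain PHP without Laravel: `blade_escaped()` and `blade_raw()` are hypothetical stand-ins for what Blade emits for `{{ }}` (Laravel's `e()` helper, which calls `htmlspecialchars()`) and for `{!! !!}` (a plain echo), and the usernames are constructed sample data.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for what Blade emits for {{ $value }}: Laravel's e()
// helper, which for plain strings calls htmlspecialchars() with these flags.
function blade_escaped(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', true);
}

// Hypothetical stand-in for {!! $value !!}: the value is echoed unchanged.
function blade_raw(string $value): string
{
    return $value;
}

// True when the rendered fragment still contains characters the browser
// treats as tag or attribute delimiters.
function has_markup_chars(string $html): bool
{
    return strpbrk($html, '<>"\'') !== false;
}

// Constructed sample usernames: a normal one, one with legitimate
// punctuation, and one carrying the <script> tag from the explanation above.
$usernames = ['mrkarma4ya', "O'Brien & Co", '<script>alert(1)</script>'];

foreach ($usernames as $name) {
    // Template as written in the view => HTML that reaches the browser.
    $rendered = [
        '&#64;{{ $user->name }}'      => '&#64;' . blade_escaped($name),
        '{{ \'@\' . $user->name }}'   => blade_escaped('@' . $name),
        '{!! \'@\' . $user->name !!}' => blade_raw('@' . $name),
    ];
    foreach ($rendered as $template => $html) {
        printf(
            "%-28s => %-48s [%s]\n",
            $template,
            $html,
            has_markup_chars($html) ? 'raw markup characters' : 'inert text'
        );
    }
    echo "\n";
}
```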

mrkarma4ya

@snapey

Ah, I thought you meant the vulnerability was with putting the @ inside curly braces.

So doing {{'@'.$user->name}} should be safe, right?
