Blade is PHP.
PHP in Blade templates
As I understand it, Blade allows running any PHP code inside templates. Is that OK? Is it secure? Do you restrict PHP code in Blade templates in your project, or not worry about this?
@jlrdw so it is okay? Because I am coming from the Twig world, where PHP is not allowed.
I am asking this because I am worried about theme development for my project if the themes will be written in Blade. Should I worry about dangerous code delivered by theme developers?
See https://laravel.com/docs/7.x/blade#introduction and yes.
Look into the docs https://laravel.com/docs/7.x/blade#php
@php
//
@endphp
While Blade provides this feature, using it frequently may be a signal that you have too much logic embedded within your template.
My worries are about theme developers running some insecure function, like file deletion or file updating, etc., inside templates.
Blade usually deals with looping through database results; I don't see what a theme would have to do with that.
Updating and deleting do not go in the view; that should be handled by the controller and model, with validation and proper authorization.
Use good, well-known templates; don't use some template if it looks riff-raff.
Why do you want to have this type of code in the Blade template?
In the Blade template, just a button for delete, then a route with a controller, and inside the controller method you delete the file in this case.
For example, some theme dev provides a theme for the community with PHP code that, for example, deletes some important project folders or files, or drops the database.
So move that code from the blade templates to somewhere else.
Thanks for your answer. I will forward your recommendation to those guys who may drop the DB by adding this code in the templates, not to do this.
I will hope that, God bless, they will not have to do something bad inside Blade templates. I will pray for this.
@awilum I would hope we're all good enough developers to not randomly drop 3rd-party HTML into our code bases and push it up to a remote host without checking it first.
My questions and worries are about projects such as a CMS; in this world, anyone can create themes and provide them from any platform they want... so that means anybody may download this theme and use it.
I don't think Laravel themes are the same attack vector as, say, WordPress modules.
To get a theme into Laravel takes much more work than a one-click install.
The safest way is to not use any 3rd-party themes. You could just as easily install a vulnerable vendor package, though.
If users can create the content, then don't equate this to Blade files, since in Blade any PHP code can be inserted into the HTML and potentially give access to the whole server, not just the database.
Use a templating system such as markdown and parse the content before inserting it into your blade view templates.
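Added example in plain PHP, written for this thread; it is not code from the thread, from Laravel or from Blade. It shows the two sides of the last reply's point: a pre-install scan that flags theme files which would execute PHP if they were compiled as Blade (the `@php`, `{{ }}` and `{!! !!}` constructs are Blade's), and the safe alternative of treating theme-supplied content as data that is substituted with escaping and never compiled. The function names (`scanThemeTemplate`, `renderUntrusted`), the sample theme strings, the placeholder allowlist and the variable names are this example's own assumptions.

```php
<?php
declare(strict_types=1);

// Added example; not code from the thread or from Laravel/Blade. Plain PHP 8,
// no framework required. Function names and sample data are assumptions.

/**
 * Pre-install check for theme files that are meant to be compiled as Blade.
 * Returns a list of ['line' => int, 'construct' => string] findings.
 *
 * Caveat: this is a heuristic, not a sandbox. Every Blade construct is
 * compiled to PHP, so even "{{ $x }}" evaluates an arbitrary PHP expression.
 * "No @php block" therefore does not mean "no PHP". The only reliable fix for
 * untrusted themes is to never compile them as Blade (see renderUntrusted).
 */
function scanThemeTemplate(string $contents): array
{
    $patterns = [
        'raw PHP open tag'           => '/<\?(?:php\b|=)/i',
        '@php directive'             => '/@php\b/i',
        'unescaped output {!! !!}'   => '/\{!!/',
        'function call inside {{ }}' => '/\{\{[^}]*\w+\s*\([^}]*\}\}/',
    ];

    $findings = [];
    foreach ($patterns as $construct => $regex) {
        if (preg_match_all($regex, $contents, $m, PREG_OFFSET_CAPTURE)) {
            foreach ($m[0] as [$match, $offset]) {
                // 1-based line number of the match, for the reviewer's report
                $line = substr_count(substr($contents, 0, $offset), "\n") + 1;
                $findings[] = ['line' => $line, 'construct' => $construct];
            }
        }
    }
    usort($findings, static fn(array $a, array $b): int => $a['line'] <=> $b['line']);
    return $findings;
}

/**
 * Render an untrusted, theme-supplied template WITHOUT compiling it.
 * Only "{{ name }}" placeholders listed in $allowed are substituted, and every
 * value is HTML-escaped; everything else is emitted verbatim. There is no
 * code path by which the theme can execute PHP on the server.
 *
 * Caveat: the theme's static markup is still the theme author's HTML, so this
 * addresses server-side code execution, not XSS from the markup itself.
 */
function renderUntrusted(string $template, array $vars, array $allowed): string
{
    return preg_replace_callback(
        '/\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}/',
        static function (array $m) use ($vars, $allowed): string {
            $name = $m[1];
            if (!in_array($name, $allowed, true) || !array_key_exists($name, $vars)) {
                return ''; // unknown or non-allowlisted placeholder: dropped
            }
            return htmlspecialchars((string) $vars[$name], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        },
        $template
    );
}

// Constructed sample: a theme file as a hostile theme developer might ship it.
// Nothing in it is executed here; it is only scanned as a string.
$maliciousTheme = <<<'BLADE'
<h1>{{ $title }}</h1>
@php
    // would run with the web server's privileges if compiled as Blade
    array_map('unlink', glob(storage_path('app/*')));
@endphp
<p>{{ getenv('DB_PASSWORD') }}</p>
{!! $raw !!}
BLADE;

foreach (scanThemeTemplate($maliciousTheme) as $f) {
    echo "line {$f['line']}: {$f['construct']}\n";
}

// Constructed sample: the same theme idea handled as data. The theme may only
// use placeholders; a reference to something outside the allowlist is dropped
// and values are escaped, so the theme cannot reach the server or the DB.
$untrustedTheme = '<h1>{{ title }}</h1><p>{{ body }}</p><p>{{ db_password }}</p>';
echo renderUntrusted(
    $untrustedTheme,
    ['title' => 'Hello <b>world</b>', 'body' => 'fine', 'db_password' => 'hunter2'],
    ['title', 'body']
), "\n";
```

The scan is only a review aid for themes you intend to install as Blade files; treat any finding as a reason to read the theme, not as proof the rest is safe. The second function is the actual control: theme content that never reaches Blade's compiler cannot run PHP, which is the property the reply above is asking for.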