aldiunanto

Laravel5's session always converts tags to HTML entities

This has taken up enough of my time, when I only need to store HTML tags in the session flashdata. Unlike L4, L5 always converts all of my tags to HTML entities. This is my code:

return redirect('/')->with('login_fail', '<div class="notif error">Wrong NIK &amp; Password combination!</span>');

Same result here with static function

Session::flash('login_fail', '<div class="notif error">Wrong NIK &amp; Password combination!</span>');
return redirect('/');

mikebarwick

You mean you WANT L5 to convert your session value to an HTML entity? If so, wherever you're outputting the login_fail in your view, don't escape it:

Use:

{!! $login_fail !!}

Instead of

{{ $login_fail }}

Note, you have an opening div tag with a closing span tag as well FYI. Should prob fix that. ;)

One other option would be to flash two messages. One for the class and another for the message. Like so:

Session::flash('message', 'Wrong NIK & Password combination!'); 
Session::flash('alert-class', 'notif error'); 

@if(Session::has('message'))
    <p class="{{ Session::get('alert-class') }}">{{ Session::get('message') }}</p>
@endif

Maybe I don't understand your question though.

aldiunanto

Ouch, sorry, I don't know how I wrote a closing span; yes, it should be </div>. I will fix it.

And great, by using {!! $login_fail !!} it works for me, thanks! At first I thought the L5 session caused this. I mean, they always convert tags into HTML entities.

&lt;div class=&quot;notif error&quot;&gt;&lt;p&gt;Wrong NIK &amp; Password combination!&lt;/p&gt;&lt;/div&gt;

... with {{ session('login_fail') }} for echoing my flashdata.

If so, what is the difference between

{!! $login_fail !!}

and

{{ $login_fail }}

mikebarwick

In short, escaping data prevents the string from being treated "as code". So in your case, we're saying it's okay for the server to render your string as a div. If it was escaped (i.e. {{ $login_fail }}), it'd be treated and displayed as plain text - not code. Google and read up on malicious SQL injections. Should give you a good idea on what escaping data is (not directly related to this, but same principles apply).

@aldiunanto If the answer solved your problem, please mark it as accepted.
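
Added example, not code from the thread or from Laravel: a plain-PHP sketch of what changes between {{ }} and {!! !!} once a flashed string contains request data, and of the "flash the text and the class separately" option suggested above. Assumptions: htmlspecialchars() stands in for Blade's escaping, and escaped(), raw(), renderFlash(), the class allowlist and the sample input are hypothetical names and constructed values.

```php
<?php
// Stand-in for Blade's {{ }}: HTML metacharacters are encoded before output.
// Assumption: plain htmlspecialchars() approximates the framework's helper.
function escaped(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Stand-in for Blade's {!! !!}: the value is emitted exactly as stored.
function raw(string $value): string
{
    return $value;
}

// Hypothetical helper for the two-value approach: the markup lives in the
// template, the class comes from an allowlist, and the text is escaped.
function renderFlash(string $message, string $alertClass): string
{
    $allowed = ['notif error', 'notif success']; // constructed allowlist
    $class = in_array($alertClass, $allowed, true) ? $alertClass : 'notif';

    return '<p class="' . escaped($class) . '">' . escaped($message) . '</p>';
}

// Constructed sample input: a submitted login ID echoed back in the message.
$nik = '<script>alert(1)</script>';

// Markup built in the controller and flashed as one string, as in the question.
$flash = '<div class="notif error">Unknown NIK: ' . $nik . '</div>';

// {{ }} behaviour: the whole string, the div included, is shown as text.
echo escaped($flash), PHP_EOL;

// {!! !!} behaviour: the div renders, and so does the submitted tag.
echo raw($flash), PHP_EOL;

// Two-value approach: the wrapper renders, the submitted value stays text.
echo renderFlash('Unknown NIK: ' . $nik, 'notif error'), PHP_EOL;
```

With a fixed string like the one in the question, raw output is harmless; the second line of output shows why {!! !!} should be kept away from values that include request data.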
