Displaying HTML with Blade shows the HTML code

Question

I have a string returned to one of my views, like this:

$text = '<p><strong>Lorem</strong> ipsum dolor <img src="images/test.jpg"></p>'

I'm trying to display it with Blade:

{{$text}}

However, the output is a raw string instead of rendered HTML. How do I display HTML with Blade in Laravel?

PS. PHP echo() displays the HTML correctly.

```{!! nl2br($post->description) !!}``` works for me if I have only spaces and br. — Muhammad Shahzad, Sep 02 '19 at 13:53
The alternative I just provided is better than using {!! !!}, this is not very secure with third party html — Macedo_Montalvão, Sep 29 '20 at 11:05
For Laravel 8 working: ```{!! html_entity_decode($content_from_db) !!}``` — Muhammad Shahzad, Dec 09 '21 at 10:14
@MuhammadShahzad answer works well. Tested on Laravel 9 after searching for a solution for a while. Thank you. — Victor Okech, Nov 17 '22 at 07:37

score 936 · Accepted Answer · edited Dec 25 '18 at 05:50

936

You need to use

{!! $text !!}

The string will auto escape when using {{ $text }}.

edited Dec 25 '18 at 05:50

Chad

1,531
3
20
46

answered Mar 25 '15 at 11:09

terry low

10,218
1
14
12

8

Here are the Laravel docs that mention this: "If you do not want your data to be escaped, you may use the following syntax: `Hello, {!! $name !!}.`" https://laravel.com/docs/5.5/blade#displaying-data – Ryan Oct 31 '17 at 22:08
2

I am also wondering about what @Ryan mentioned. Is this not a security issue? – sanders Apr 27 '18 at 14:14
@sanders It quite likely is a security issue if `$text` contains user input and you did not escape this properly. For example, `$text = 'Hello '.$_GET['name'].'';` is dangerous because `$_GET['name']` could include HTML, which would allow XSS. You could do `$text = 'Hello '.htmlentities($_GET['name']).'';` and would be safe. – Christopher K. May 14 '18 at 09:28
this dose not do the whole trick! if I had something like `` and I wanna show it in blade, It will look like this ``. So the answer for me is @Praveen_Dabral 's – Siempay Aug 15 '18 at 10:21
This prints out the content 3 times (duplicate), any idea? – Naser Nikzad Aug 16 '20 at 13:16
This little things are golden knowledge!! – Zahit Rios Sep 17 '20 at 00:25
Because it's neither pointed out in this answer nor the comments: Apply caution to this syntax and **do not use it as your default way to output content in templates**! The exclamation marks are intentionally chosen to draw attention to the fact that you could become susceptible to [XSS attacks](https://owasp.org/www-community/attacks/xss/) - especially when you output any strings provided by users (even when you don't expect them to contain markup) – gekkedev Oct 11 '21 at 11:03

score 83 · Answer 2 · edited Jul 18 '17 at 11:16

83

For laravel 5

{!!html_entity_decode($text)!!}

Figured out through this link, see RachidLaasri answer

edited Jul 18 '17 at 11:16

Thamilhan

13,040
5
37
59

answered Sep 25 '15 at 10:42

Praveen Dabral

2,449
4
32
46

1

Thanks..its working..{!! html_entity_decode($data) !!} – Diptesh Atha Apr 06 '17 at 07:29
This provides exactly the same result as the accepted answer, for the data given in the question. The only case where it would behave differently is if there were HTML entities in `$text`. – miken32 Jun 02 '21 at 20:19

score 54 · Answer 3 · edited Jan 12 '18 at 01:32

54

You can try this:

{!! $text !!}

You should have a look at: http://laravel.com/docs/5.0/upgrade#upgrade-5.0

edited Jan 12 '18 at 01:32

Pang

9,564
146
81
122

answered Mar 25 '15 at 11:12

rap-2-h

30,204
37
167
263

score 33 · Answer 4 · edited Jan 11 '18 at 21:17

33

Please use

{!! $test !!}

Only in case of HTML while if you want to render data, sting etc. use

{{ $test }}

This is because when your blade file is compiled

{{ $test }} is converted to <?php echo e($test) ?> while

{!! $test !!} is converted to <?php echo $test ?>

edited Jan 11 '18 at 21:17

Arash Hatami

5,297
5
39
59

answered Mar 02 '17 at 06:38

Shubham Bansal

586
6
7

score 25 · Answer 5 · answered Apr 01 '17 at 12:52

There is another way. If object purpose is to render html you can implement \Illuminate\Contracts\Support\Htmlable contract that has toHtml() method.

Then you can render that object from blade like this: {{ $someObject }} (note, no need for {!! !!} syntax).

Also if you want to return html property and you know it will be html, use \Illuminate\Support\HtmlString class like this:

public function getProductDescription()
{
    return new HtmlString($this->description);
}

and then use it like {{ $product->getProductDescription() }}.

Of course be responsible when directly rendering raw html on page.

Returning HTML from a Form field Macro, this is exactly the right solution. Return the HTML string from the function, using this method, and call the Macro within your Blade template. +1 — absolute, Mar 03 '23 at 13:34

score 24 · Answer 6 · answered Oct 21 '21 at 08:07

24

When your data contains HTML tags then use

{!! $text !!}

When your data doesn't contain HTML tags then use

{{ $text }}

answered Oct 21 '21 at 08:07

Assad Yaqoob

792
1
6
16

score 14 · Answer 7 · answered Dec 05 '15 at 13:13

14

Try this. It worked for me.

{{ html_entity_decode($text) }}

In Laravel Blade template, {{ }} wil escape html. If you want to display html from controller in view, decode html from string.

answered Dec 05 '15 at 13:13

Mohammed Safeer

20,751
8
75
78

3

this is not right is above answers it could be done in your way it just confusing the porgrammer – Milad May 31 '18 at 09:21

score 10 · Answer 8 · answered Oct 24 '18 at 11:23

You can do that using three ways first use if condition like below

{!! $text !!}

The is Second way

<td class="nowrap">
@if( $order->status == '0' )
    <button class="btn btn-danger">Inactive</button>
@else
    <button class="btn btn-success">Active</button>
@endif
</td>

The third and proper way for use ternary operator on blade

<td class="nowrap">
      {!! $order->status=='0' ? 
          '<button class="btn btn-danger">Inactive</button> : 
          '<button class="btn btn-success">Active</button> !!}
</td>

I hope the third way is perfect for used ternary operator on blade.

score 10 · Answer 9 · answered Dec 28 '18 at 20:17

10

you can do with many ways in laravel 5..

{!! $text !!}

{!! html_entity_decode($text) !!}

answered Dec 28 '18 at 20:17

Jignesh Joisar

13,720
5
57
57

if you store encoded tags (<p>hello world.</p>) in db above code works...Thanks!!! – narasimharaosp Jan 16 '19 at 01:14

Nathan · Answer 10 · 2020-04-25T03:12:26.090

To add further explanation, code inside Blade {{ }} statements are automatically passed through the htmlspecialchars() function that php provides. This function takes in a string and will find all reserved characters that HTML uses. Reserved characters are & < > and ". It will then replace these reserved characters with their HTML entity variant. Which are the following:

|---------------------|------------------|
|      Character      |       Entity     |
|---------------------|------------------|
|          &          |       &amp;      |
|---------------------|------------------|
|          <          |       &lt;       |
|---------------------|------------------|
|          >          |       &gt;       |
|---------------------|------------------|
|          "          |       &quot;     |
|---------------------|------------------|

For example, assume we have the following php statement:

$hello = "<b>Hello</b>";

Passed into blade as {{ $hello }} would yield the literal string you passed:

<b>Hello</b>

Under the hood, it would actually echo as <b>Hello<b&gt

If we wanted to bypass this and actually render it as a bold tag, we escape the htmlspecialchars() function by adding the escape syntax blade provides:

{!! $hello !!}

Note that we only use one curly brace.

The output of the above would yield:

Hello

We could also utilise another handy function that php provides, which is the html_entity_decode() function. This will convert HTML entities to their respected HTML characters. Think of it as the reverse of htmlspecialchars()

For example say we have the following php statement:

$hello = "&lt;b&gt; Hello &lt;b&gt;";

We could now add this function to our escaped blade statement:

{!! html_entity_decode($hello) !!}

This will take the HTML entity < and parse it as HTML code <, not just a string.

The same will apply with the greater than entity >

which would yield

Hello

The whole point of escaping in the first place is to avoid XSS attacks. So be very careful when using escape syntax, especially if users in your application are providing the HTML themselves, they could inject their own code as they please.

score 7 · Answer 11 · answered Mar 28 '18 at 06:43

7

Use {!! $text !!}to display data without escaping it. Just be sure that you don’t do this with data that came from the user and has not been cleaned.

answered Mar 28 '18 at 06:43

Patrick Luy

228
4
8

score 7 · Answer 12 · answered Feb 12 '21 at 18:56

By default, Blade {{ }} statements are automatically sent through PHP's htmlspecialchars function to prevent XSS attacks. If you do not want your data to be escaped, you may use the following syntax:

According to the doc, you must do the following to render your html in your Blade files:

{!! $text !!}

Be very careful when echoing content that is supplied by users of your application. You should typically use the escaped, double curly brace syntax to prevent XSS attacks when displaying user supplied data.

score 6 · Answer 13 · answered Mar 29 '18 at 08:20

6

This works fine for Laravel 5.6

<?php echo "$text"; ?>

In a different way

{!! $text !!}

It will not render HTML code and print as a string.

For more details open link:- Display HTML with Blade

answered Mar 29 '18 at 08:20

Udhav Sarvaiya

9,380
13
53
64

score 5 · Answer 14 · edited Apr 19 '17 at 10:33

If you want to escape the data use

{{ $html }}

If don't want to escape the data use

{!! $html !!}

But till Laravel-4 you can use

{{ HTML::link('/auth/logout', 'Sign Out', array('class' => 'btn btn-default btn-flat')) }}

When comes to Laravel-5

{!! HTML::link('/auth/logout', 'Sign Out', array('class' => 'btn btn-default btn-flat')) !!}

You can also do this with the PHP function

{{ html_entity_decode($data) }}

go through the PHP document for the parameters of this function

html_entity_decode - php.net

score 1 · Answer 15 · edited Mar 07 '19 at 08:34

1

Try this, It's worked:

@php 
   echo $text; 
@endphp

edited Mar 07 '19 at 08:34

Udhav Sarvaiya

9,380
13
53
64

answered Jan 23 '19 at 12:11

ShuBham GuPta

194
2
9

score 0 · Answer 16 · answered Jun 28 '18 at 08:14

0

For who using tinymce and markup within textarea:

{{ htmlspecialchars($text) }}

answered Jun 28 '18 at 08:14

Hung

459
5
15

Vinay Kaithwas · Answer 17 · 2020-07-14T09:20:27.107

0

On controller.

$your_variable = '';
$your_variable .= '<p>Hello world</p>';

return view('viewname')->with('your_variable', $your_variable)

If you do not want your data to be escaped, you may use the following syntax:

{!! $your_variable !!}

Output

Hello world

edited Jul 14 '20 at 09:20

answered Jul 14 '20 at 07:51

Vinay Kaithwas

1,415
10
17

score 0 · Answer 18 · answered Dec 15 '21 at 08:47

0

{!! !!} is not safe.

Read here: https://laravel.com/docs/5.6/blade#displaying-data

You can try:

    @php 
     echo $variable; 
    @endphp

answered Dec 15 '21 at 08:47

Daljit Singh

270
3
10

1

Is the same "not safe" echo and {!! use it with care – imaginabit Jan 21 '22 at 14:09

score -1 · Answer 19 · answered Dec 17 '19 at 06:14

-1

If you use the Bootstrap Collapse class sometimes {!! $text !!} is not worked for me but {{ html_entity_decode($text) }} is worked for me.

answered Dec 17 '19 at 06:14

Kazi Rabbi Hassan

151
2
10

score -3 · Answer 20 · answered Sep 11 '18 at 08:18

I have been there and it was my fault. And very stupid one.

if you forget .blade extension in the file name, that file doesn't understand blade but runs php code. You should use

/resources/views/filename.blade.php

instead of

/resources/views/filename.php

hope this helps some one

Displaying HTML with Blade shows the HTML code

20 Answers20

Linked

Related