1

I have a field in the database which stores script tags, and I want to embed those script tags into my HTML file, but the problem is that the data is coming in string format.

I am trying this

<div class="mb-auto">{{htmlentities($video->ifram)}}</div>

Desired output

<script id="154896_p_269505" width="1280" height="720" src=""  class="dacast-video"></script>

But getting

"&lt;script id=&quot;154896_p_269505&quot; width=&quot;1280&quot; height=&quot;720&quot; src=&quot;https://player.dacast.com/js/player.js?contentId=154896_p_269505&quot; class=&quot;dacast-video&quot;&gt;&lt;/script&gt;"
  • Not sure if there is automatic escaping done, but removing htmlentities() may be a start. Commented Apr 4, 2020 at 12:00
  • @NigelRen By removing htmlentities() the result is coming in a string format. Commented Apr 4, 2020 at 12:02

1 Answer

2

You can achieve this by replacing

<div class="mb-auto">{{htmlentities($video->ifram)}}</div>

with

<div class="mb-auto">{!! $video->ifram !!}</div>

But you should be very careful about XSS attacks, since the JavaScript present in your string will be interpreted by the browser. NEVER do it with user-provided content!


2 Comments

Is there any safer way, so I can escape an XSS attack?
Since you allow arbitrary JavaScript to be interpreted, there is an XSS vulnerability. If you really need to do this, be sure the content cannot be updated except by yourself.
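A safer pattern for the embed discussed above, as an added example that is not from the question or the answer: store only the Dacast content id in the database rather than the whole `<script>` tag, validate it against a strict pattern, and build the tag from a fixed template with escaped attribute values, so the template controls the markup and the database row contributes only an identifier. The `renderDacastEmbed()` function and the id pattern (digits, `_p_`, digits, inferred from the id shown on the page) are assumptions; the player URL is the one from the question.

```php
<?php
// Added example (not from the question or answer). Instead of storing a raw
// <script> tag and printing it with {!! !!}, store only the Dacast content id
// and render the tag from a fixed template with escaped attributes.

// Assumption: ids look like the one in the question (154896_p_269505).
const DACAST_ID_PATTERN = '/^\d+_p_\d+$/';

/**
 * Build the embed tag for a validated content id. Returns null when the id
 * does not match the expected shape, so unexpected markup never reaches the page.
 */
function renderDacastEmbed(string $contentId, int $width = 1280, int $height = 720): ?string
{
    if (preg_match(DACAST_ID_PATTERN, $contentId) !== 1) {
        return null; // reject anything that is not a plain id
    }

    // Escape every attribute value, including the URL built from the id.
    $esc = fn (string $v): string => htmlspecialchars($v, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $src = 'https://player.dacast.com/js/player.js?contentId=' . $contentId;

    return sprintf(
        '<script id="%s" width="%d" height="%d" src="%s" class="dacast-video"></script>',
        $esc($contentId),
        $width,
        $height,
        $esc($src)
    );
}

// Constructed sample values: the id from the question and a malformed row.
$storedId    = '154896_p_269505';
$malformedId = 'not_a_valid_id<>';

// A valid id renders the tag; a malformed value is rejected before output.
echo renderDacastEmbed($storedId) ?? '(rejected)', PHP_EOL;
echo renderDacastEmbed($malformedId) ?? '(rejected)', PHP_EOL;
```

In a Blade view the result can be printed with `{!! renderDacastEmbed($video->content_id) ?? '' !!}` because every variable part has already been escaped and the tag structure comes from the template, not from the database.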
