Laravel 5: Encoding HTML With the "e" Helper Function

February 19, 2018 —John Koster

The e function is a thin wrapper around PHP's htmlentities function and uses the UTF-8 character encoding. It encodes user-supplied values so they can be displayed in the browser without being interpreted as HTML.

# Signature

The signature of the e function is:

```php
function e(
    $value
);
```

# Example Use

Let's assume that a malicious user was posting on a forum and set the subject of their post to this:

```html
<script>alert("hello everyone");</script>
```

If the forum software did not encode user-supplied output, perfectly valid JavaScript code would be sent to the browser. Since browsers are overly happy to execute any JavaScript included in the document, every forum visitor would see an alert box reading hello everyone each time a page displaying that particular forum post was loaded.

To prevent this, use the e function to encode user input when sending it to the browser:

```php
$unsafeClientCode = '<script>alert("hello everyone");</script>';

$safeClientCode = e($unsafeClientCode);
```

The value of $safeClientCode would then be:

```html
&lt;script&gt;alert(&quot;hello everyone&quot;);&lt;/script&gt;
```

At this point the browser renders the text literally, showing exactly what the user had typed instead of executing it.

# Working With Htmlable Values

The e helper function encodes the HTML characters within a string value, but treats instances of Illuminate\Contracts\Support\Htmlable differently: it returns the Htmlable instance's toHtml() return value as-is, without encoding any HTML characters in it.

```php
use Illuminate\Contracts\Support\Htmlable;

class CustomHtmlable implements Htmlable
{
    public function toHtml()
    {
        return '<p>This is a value</p>';
    }
}

// Create a new instance.
$instance = new CustomHtmlable;

// The value will still contain the HTML tags.
$returnValue = e($instance);
```

When building Htmlable value types, we can invoke the e function within the class itself to ensure that the result of the toHtml method is safe to return to the browser. In the following example, we are going to create a simple Person type to hold information about various people we might encounter; additionally, we will create a utility class PersonRow that will be used to represent a Person instance as an HTML table row.

```php
use Illuminate\Contracts\Support\Htmlable;

class Person
{
    public $firstName;
    public $lastName;
}

class PersonRow implements Htmlable
{
    private $person;

    public function withPerson(Person $person)
    {
        $this->person = $person;

        return $this;
    }

    public function toHtml()
    {
        return '<tr>
    <td>'.e($this->person->firstName).'</td>
    <td>'.e($this->person->lastName).'</td>
</tr>';
    }
}
```

In the code above, we invoke the e function on each value we insert into our HTML template. If we executed code similar to this:

```php
$person = new Person;
$person->firstName = '<script>alert("Hello");</script>';
$person->lastName = 'Doe';

$clientCode = with(new PersonRow)->withPerson($person)->toHtml();
```

the $clientCode variable would then contain a value similar to the following output:

```html
<tr>
    <td>&lt;script&gt;alert(&quot;Hello&quot;);&lt;/script&gt;</td>
    <td>Doe</td>
</tr>
```
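The Htmlable escape hatch described above is where encoding is most often forgotten, so here is an added example (not code from the original post or from Laravel) that runs without the framework: it defines a stand-in Htmlable interface and an e() function whose body approximates Laravel 5's helper (htmlentities with ENT_QUOTES, UTF-8 and double_encode disabled; treat those flags as an assumption and compare against your installed version), then contrasts a row class that forgets to encode with one that does, using a constructed comment containing a single quote to show why ENT_QUOTES matters inside single-quoted attributes.

```php
<?php
// Stand-in for Illuminate\Contracts\Support\Htmlable so this runs stand-alone.
interface Htmlable
{
    public function toHtml();
}

// Approximation of Laravel 5's e() helper (assumed flags, see lead-in).
function e($value)
{
    if ($value instanceof Htmlable) {
        return $value->toHtml(); // returned untouched: the class is trusted
    }

    return htmlentities($value, ENT_QUOTES, 'UTF-8', false);
}

// Unsafe: user data passes straight through the Htmlable escape hatch.
class RawCommentCell implements Htmlable
{
    private $comment;

    public function __construct($comment)
    {
        $this->comment = $comment;
    }

    public function toHtml()
    {
        return "<td title='".$this->comment."'>".$this->comment.'</td>';
    }
}

// Safe: every interpolated value is encoded inside toHtml() itself.
class SafeCommentCell extends RawCommentCell
{
    public function toHtml()
    {
        $encoded = e($this->comment);

        return "<td title='".$encoded."'>".$encoded.'</td>';
    }
}

// Constructed input: the single quote would close a single-quoted attribute,
// which is exactly what ENT_QUOTES guards against.
$comment = "it's <b>bold</b> & \"loud\"";

echo e(new RawCommentCell($comment)), PHP_EOL;  // tags and quotes reach the browser
echo e(new SafeCommentCell($comment)), PHP_EOL; // all of them are encoded
```

Note that RawCommentCell's `$comment` must be `protected` rather than `private` for the subclass to read it; the property is declared private above only to mirror the post's PersonRow, so change it to `protected` when running the script.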