Roots Discourse

What is a safe way to output WYSIWYG in Sage using blade?

So, I’ve been using {!! $variable !!} and someone told me, that’s vulnerable to XSS attacks.

My question is, if we shouldn’t be using that, what should we do? We can use {{ $variable }}, but the issue is, some characters aren’t read such as © and at time apostrophie and such. Its the issue with {{ }}.

What’s the safe way to go and do this?

Are you looking for esc_html?

1 Like

Hey @AurelianSpodarec ,

If you want to sanitize WYSIWYG output for allowed HTML tags for post content, you can use {!! wp_kses_post($var) !!}, also if you will want to replace double line breaks with paragraph elements and sanitize content for allowed HTML, then you can use {!! wpautop(wp_kses_post($var)) !!}, but if you will want to escape HTML, you can use the function suggested by @benword {!! esc_html($var) !!}.

Hope that makes sense for you.

2 Likes