Skip to content

[12.x] Add AsHtmlString cast #55071

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Mar 18, 2025
Merged

[12.x] Add AsHtmlString cast #55071

merged 2 commits into from
Mar 18, 2025

Conversation

ralphjsmit
Copy link
Contributor

@ralphjsmit ralphjsmit commented Mar 18, 2025
edited
Loading

Sometimes it can be useful to store user-provided HTML in the database, for example for snippets or templates. As HtmlString is Illuminate-provided, I was missing an Eloquent cast to automatically cast an attribute to an HtmlString.

protected function casts(): array
{
   return [
      'html' => AsHtmlString::class,
   ];
}

Thanks!

@AndrewMast
Copy link
Contributor

HtmlString is rather dangerous as it allows the contents to not be escaped when displaying through Blade. While this is an objectively good thing for people who know what they are doing, I think that this may allow for unintended security issues.

If I was new to laravel in general, I may assume that a cast like this would be for anything that might be displayed with rich content, not something that would allow potentially user-generated content to be directly injected into the webpage.

Also, using database content directly opens up more security holes. What if the database isn't secured properly? What if an "admin" account with access to this table is compromised? Social engineering happens. Instead of a security leak (with hashed passwords), you could potentially have people inject code into every user's visit and record keystrokes, etc.

While I am sure there are potentially secure ways of doing this, having it easily accessible to everyone is giving me warning bells.

That aside, you did some good quality code here. Writing tests is the bane of my existence.

@ralphjsmit
Copy link
Contributor Author

ralphjsmit commented Mar 18, 2025
edited
Loading

@AndrewMast Thanks for your comment! Yeah, whilst I agree that HtmlString is something that needs to be carefully handled, it does not mean that the people that use it are using it insecurely. And I think that as soon as you run into the problem with wanting an HtmlString cast on your model that you start looking for this cast, you have already thought this out.

Echoing in Blade is also not the only purpose, you can also render a template into a PDF using a safe version of Twig, which has modes specifically built for rendering user- or admin-provided templates.

Personally I fully expected this cast to be present as HtmlString is a top-level Illuminate\Support component just like Stringable for example,Iwhich is why I made this PR :)

@taylorotwell taylorotwell merged commit 34f4932 into laravel:12.x Mar 18, 2025
39 checks passed
@AndrewMast
Copy link
Contributor

True, that makes sense. We should at least include a warning in the docs when AsHtmlString is mentioned.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ralphjsmit @AndrewMast @taylorotwell