Laravel validation does not validate HTML entities

Time: 2019-09-16 08:35:49

Tags: php laravel validation

I am using Laravel 5.5 and I am trying to validate a form that should not pass if the user writes HTML entities (for example: <h1>Hola</h1><script>alert(1)</script>). But it inserts all the fields into the database.

My controller:

    protected function storeForm(CaseRequest $request)
    {
        try {
            $supportCase = new SupportCase;
            $supportCase->type = $request->input('type');
            // all fields of table[...]
            $supportCase->save();

            return view('steps/finish/success')->with(['message' => 'Form success']);
        } catch (\Exception $e) { // leading backslash: in a namespaced controller a bare "Exception" would never be caught
            echo $e->getMessage();  // echoes the raw exception message into the response; log it instead outside development
            return view('steps/finish/error')->withErrors(['message' => 'Form error']);
        }
    }

My CaseRequest looks like this:

    /**
     * Determine if the user is authorized to make this request.
     *
     * @return bool
     */
    public function authorize()
    {
        return true;
    }

    /**
     * Get the validation rules that apply to the request.
     *
     * @return array
     */
    public function rules()
    {
        return [
            'type' => 'required|min:3|max:3|string',
            'brand' => 'required|string',
            'product' => 'required|string',
            'order' => 'required|string',
            'description' => 'required|min:10|string',
            'sn' => 'nullable',
            'name' => 'required|min:2|string',
            'nin' => 'required|min:9|max:11|alpha_dash',
            'email' => 'required|email',
            'phone' => 'required|digits_between:7,12',
            'address' => 'required|min:5|string',
            'city' => 'required|min:2|string',
            'zip' => 'required|min:2|numeric',
            'state' => 'required|min:2|string',
            'country' => 'required|min:2|string',
        ];
    }

I have read the documentation: the request is called first, before the controller, and if there is any error it throws an error message. Isn't that right?

I am using parsley and select2. At first it was validated on the front end by parsley and it worked well, but if I now remove the parsley validation, Laravel should validate it, right? But in my database it is saving all the fields (including <script>alert(1)</script>).

    <div class="form" id="main-form" data-parsley-validate="data-parsley-validate">
        {!! Form::open(['id' => 'main-form', 'data-parsley-validate' => 'data-parsley-validate']) !!}

        <div class="col-md-7 light-form">
            <fieldset>
                {!! Form::label('contact', trans('frontend/steps.form.contact'), ['class' => 'upper']) !!}
                {!! Form::label('name',  trans('frontend/steps.form.name')) !!}
                {!! Form::text('name', old('name'), [
                                                    'data-parsley-pattern' => '[ÁÉÍÓÚáéíóúa-zA-Z ]+$',
                                                    'data-parsley-required' => 'true',
                                                    'data-parsley-minlength'=>'2',
                                                    'data-parsley-required-message' => trans('frontend/steps.form-errors.name'),
                                                    'data-parsley-minlength-message' => trans('frontend/steps.form-errors.name'),
                                                    'data-parsley-pattern-message' => trans('frontend/steps.form-errors.name'),

                                                    ]) !!}
            </fieldset>
            <fieldset>
                {!! Form::label('nin',  trans('frontend/steps.form.in')) !!}
                {!! Form::text('nin', old('nin'), [
                                                  'data-parsley-type'=>'alphanum',
                                                  'data-parsley-required' => 'true',
                                                  'data-parsley-minlength'=>'9',
                                                  'data-parsley-maxlength'=>'11',
                                                  'data-parsley-required-message' => trans('frontend/steps.form-errors.in'),
                                                  'data-parsley-minlength-message' => trans('frontend/steps.form-errors.in'),
                                                  'data-parsley-maxlength-message' => trans('frontend/steps.form-errors.in')
                                                  ]) !!}
            </fieldset>
            <fieldset>
                {!! Form::label('phone',  trans('frontend/steps.form.telf')) !!}
                {!! Form::text('phone', old('phone'), [
                'data-parsley-pattern' => '\d+$',
                                                  'data-parsley-required' => 'true',
                                                  'data-parsley-minlength'=>'7',
                                                  'data-parsley-maxlength'=>'12',
                                                  'data-parsley-required-message' => trans('frontend/steps.form-errors.telf'),
                                                  'data-parsley-minlength-message' => trans('frontend/steps.form-errors.telf'),
                                                  'data-parsley-maxlength-message' => trans('frontend/steps.form-errors.telf'),
                                                  'data-parsley-pattern-message' => trans('frontend/steps.form-errors.telf')
                                                  ]) !!}
            </fieldset>
            <fieldset>
                {!! Form::label('address',  trans('frontend/steps.form.address')) !!}
                {!! Form::text('address', old('address'), [
                        'data-parsley-pattern' => '^[ÁÉÍÓÚáéíóúa-zA-Z0-9-_ ]+$',
                        'data-parsley-required' => 'true',
                        'data-parsley-minlength'=>'5',
                        'data-parsley-pattern-message' => trans('frontend/steps.form-errors.address'),
                        'data-parsley-minlength-message' => trans('frontend/steps.form-errors.address'),
                        'data-parsley-required-message' => trans('frontend/steps.form-errors.address'),

                                                  ]) !!}
            </fieldset>

            <div class="col-md-12 no-padding">
                <div class="col-md-6 location-form">
                    <fieldset>
                        {!! Form::label('address',  trans('frontend/steps.form.city')) !!}
                        {!! Form::text('city', old('city'), [
                                                          'data-parsley-required' => 'true',
                                                          'data-parsley-minlength'=>'2',
                                                          'data-parsley-pattern' => '[ÁÉÍÓÚáéíóúa-zA-Z ]+$',
                                                          'data-parsley-minlength-message' => trans('frontend/steps.form-errors.city'),
                                                          'data-parsley-required-message' => trans('frontend/steps.form-errors.city'),
                                                          'data-parsley-pattern-message' => trans('frontend/steps.form-errors.city'),
                                                          ]) !!}
                    </fieldset>
                    <fieldset>
                        {!! Form::label('zip',  trans('frontend/steps.form.zip')) !!}
                        {!! Form::text('zip', old('zip'), [
                                                          'data-parsley-required' => 'true',
                                                          'data-parsley-minlength'=>'2',
                                                          'data-parsley-minlength-message' => trans('frontend/steps.form-errors.zip'),
                                                          'data-parsley-required-message' => trans('frontend/steps.form-errors.zip')
                                                          ]) !!}
                    </fieldset>
                </div>
                <div class="col-md-6 no-padding">
                    <fieldset>
                        {!! Form::label('state',  trans('frontend/steps.form.state')) !!}
                        {!! Form::text('state', old('state'), [
                                                          'data-parsley-pattern' => '[ÁÉÍÓÚáéíóúa-zA-Z ]+$',
                                                          'data-parsley-required' => 'true',
                                                          'data-parsley-minlength'=>'2',
                                                          'data-parsley-required-message' => trans('frontend/steps.form-errors.state'),
                                                          'data-parsley-minlength-message' => trans('frontend/steps.form-errors.state'),
                                                          'data-parsley-pattern-message' => trans('frontend/steps.form-errors.state'),
                                                          ]) !!}
                    </fieldset>
                    <fieldset>
                        {!! Form::label('country',  trans('frontend/steps.form.country')) !!}
                        {!! Form::text('country', old('country'), [
                                                          'data-parsley-required' => 'true',
                                                          'data-parsley-pattern' => '[ÁÉÍÓÚáéíóúa-zA-Z ]+$',
                                                          'data-parsley-minlength'=>'2',
                                                          'data-parsley-required-message' => trans('frontend/steps.form-errors.country'),
                                                          'data-parsley-minlength-message' => trans('frontend/steps.form-errors.country'),
                                                          'data-parsley-pattern-message' => trans('frontend/steps.form-errors.country'),
                                                          ]) !!}
                    </fieldset>
                </div>
            </div>

        </div>
        <div class="col-md-5 dark-form">
            <fieldset>
                {!! Form::label('order', trans('frontend/steps.form.order'), ['class' => 'upper']) !!}
                {!! Form::text('order', old('order'), [
                                                  'placeholder' => '123567',
                                                  'data-parsley-type' => 'digits',
                                                  'data-parsley-type-message' => trans('frontend/steps.form-errors.order_format'),
                                                  'data-parsley-required' => 'true',
                                                  'data-parsley-required-message' => trans('frontend/steps.form-errors.order')
                                                  ]) !!}
                <span class="loading style-2"></span>
            </fieldset>
            <fieldset id="brand-wrap">
                <label class="upper" for="brand">
                    {!!  trans('frontend/steps.form.brand') !!}
                    <img class="tip" title="{!! trans('frontend/steps.form.brand_tooltip') !!}"
                         src="{!! asset('assets/img/frontend/icons/info.png') !!}"/>
                </label>
                {!! Form::select('brand', $layout->brands->pluck('name', 'id'), old('brand'), [
                                                                                                'id'=> 'brand',
                                                                                                'class' => 'select2',
                                                                                                'data-parsley-required' => 'true',
                                                                                                'data-parsley-required-message' => trans('frontend/steps.form-errors.brand')
                                                                                                ])
                                                                                          !!}
                <span class="loading style-2"></span>
            </fieldset>
            <fieldset id="product-wrap">
                {!! Form::label('product', trans('frontend/steps.form.product'), ['class' => 'upper']) !!}
                {!! Form::select('product', ['null' => 'null'], old('product'), [
                                                                                'id'=> 'product_select',
                                                                                'class' => 'select2',
                                                                                'data-parsley-required' => 'true',
                                                                                'data-parsley-required-message' => trans('frontend/steps.form-errors.product')
                                                                                ])
                                                                          !!}
            </fieldset>
            <fieldset>
                {!! Form::label('description', trans('frontend/steps.form.problem'), ['class' => 'upper']) !!}
                {!! Form::textarea('description', old('description'), [
                                                'data-parsley-pattern' => '[áéíóúÁÉÍÓÚäëïöüÄËÏÖÜa-zA-Z0-9-_ ]+$',
                                                'data-parsley-minlength'=>'10',
                                                'data-parsley-required' => 'true',
                                                'data-parsley-type-message' => trans('frontend/steps.form-errors.problem'),
                                                'data-parsley-required-message' => trans('frontend/steps.form-errors.problem'),
                                                'data-parsley-minlength-message' => trans('frontend/steps.form-errors.problem'),
                                                'data-parsley-pattern-message' => trans('frontend/steps.form-errors.problem')
                                                  ]) !!}
            </fieldset>
            <fieldset id="serial-wrap">
                {!! Form::label('sn', trans('frontend/steps.form.serial')) !!}
                {!! Form::text('sn', old('sn'), [
                                                'id' => 'sn',
                                                'data-parsley-required' => 'false',
                                                'data-parsley-required-message' => trans('frontend/steps.form-errors.imei'),
                                                'data-parsley-lunhvalidator' => '15',
                                                'data-parsley-lunhvalidator-message' => trans('frontend/steps.form-errors.invalid-imei')
                                                ])
                                            !!}
            </fieldset>
            <fieldset>
                {!! Form::label('email',  trans('frontend/steps.form.email')) !!}
                {!! Form::email('email', old('email'), [
                                                  'data-parsley-type'=> 'email',
                                                  'data-parsley-required' => 'true',
                                                  'data-parsley-type-message' => trans('frontend/steps.form-errors.email'),
                                                  'data-parsley-required-message' => trans('frontend/steps.form-errors.email')
                                                  ]) !!}
            </fieldset>

            @if($case == "INC")
                <button class="upper" type="button" onclick="nextStep(this)" data-type="FORM" data-field="transaction"
                        data-next="eleventh" data-case="{!! $case !!}"
                        data-value="">{!! trans('frontend/steps.form.continue') !!}</button>
            @else
                <button class="upper" type="button" onclick="nextStep(this)" data-type="FORM" data-field="transaction"
                        data-next="fifth" data-case="{!! $case !!}"
                        data-value="">{!! trans('frontend/steps.form.continue') !!}</button>
            @endif
        </div>
        {!! Form::close() !!}
    </div>

1 answer:

Answer 0: (score: 1)

Validation does not change the input data. It only makes sure the input matches the rules you defined.

Technically there is no need to remove HTML tags. They do no harm in the database, and they are escaped when output with {{ $content }}.

If you do not want to save HTML in the database, use strip_tags() on the relevant fields.
But do not rely on it to prevent XSS; escaping the output is still required.
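As an added example that is not part of the question or the answer: a version of the CaseRequest above that makes the request fail, as the asker expected, when a free-text field contains markup. It keeps the original field names and rules, assumes Laravel 5.5's FormRequest, and the error message text is an assumption.

```php
<?php
// Added example (not code from the question or the answer). The original
// rules pass "<script>alert(1)</script>" because 'string' only checks the PHP
// type. A regex rule on the free-text fields makes the request fail instead.
// Field names are the ones from the original CaseRequest; the error text is
// an assumption.
namespace App\Http\Requests;

use Illuminate\Foundation\Http\FormRequest;

class CaseRequest extends FormRequest
{
    // Any '<' or '>' in the value fails validation, so markup is rejected
    // before the controller runs rather than silently saved.
    const NO_MARKUP = 'regex:/^[^<>]*$/';

    public function authorize()
    {
        return true;
    }

    public function rules()
    {
        return [
            'type'        => ['required', 'string', 'min:3', 'max:3', self::NO_MARKUP],
            'brand'       => ['required', 'string', self::NO_MARKUP],
            'product'     => ['required', 'string', self::NO_MARKUP],
            'order'       => ['required', 'string', self::NO_MARKUP],
            'description' => ['required', 'string', 'min:10', self::NO_MARKUP],
            'name'        => ['required', 'string', 'min:2', self::NO_MARKUP],
            'address'     => ['required', 'string', 'min:5', self::NO_MARKUP],
            'city'        => ['required', 'string', 'min:2', self::NO_MARKUP],
            'state'       => ['required', 'string', 'min:2', self::NO_MARKUP],
            'country'     => ['required', 'string', 'min:2', self::NO_MARKUP],
            'sn'          => ['nullable', 'string', self::NO_MARKUP], // optional, but checked when present
            // These rules already exclude '<' and '>' through their own character sets.
            'nin'   => 'required|min:9|max:11|alpha_dash',
            'email' => 'required|email',
            'phone' => 'required|digits_between:7,12',
            'zip'   => 'required|min:2|numeric',
        ];
    }

    public function messages()
    {
        return ['regex' => 'The :attribute field must not contain HTML markup.'];
    }
}
// Escaping on output stays required whatever is stored: render the value with
// {{ $supportCase->description }} in Blade, never with {!! ... !!}.
```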