Laravel - htmlentities

Time: 2016-01-05 22:43:07

Tags: laravel escaping output sanitize

I am making an Ajax request to Laravel, but for some reason my custom function is not escaping special characters. I can't figure out why. I used this exact same function in CodeIgniter and it escaped the output fine. All the data comes back fine to the JS file, but it isn't escaping anything. Here is the code:

public function store( Request $request, $project_id ) {
    //current logged in user.
    $user_id = auth()->user()->id;

    //get all post inputs
    $inputs = $request->all();

    //make sure project ID belongs to current user.  Stop someone from adding a task to your project that isn't you.
    //note: get() returns a Collection, and a Collection object is truthy even when it is empty,
    //so the if() below does not actually fail when no matching project exists.
    $projectBelongsToUser = Project::find(1)->where('user_id', $user_id)->where('id', $project_id)->get();

    //if a project ID and inputs are provided - log them to the database, if not redirect to home with $errors.
    if( $project_id && $inputs['description'] && $projectBelongsToUser ) {

        $task = new Task;

        $task->description = $inputs['description'];
        $task->due_date    = $inputs['due_date'];
        $task->priority    = $inputs['priority'];
        $task->completed   = 0;
        $task->order       = 0;
        $task->user_id     = $user_id;
        $task->project_id  = $project_id;
        $task->save();

        //get all tasks
        $tasks = Task::where('user_id', $user_id)->where('project_id', $project_id)->orderBy('description', 'asc')->get();

        //sanitize tasks for safe output
        function sanitize_object_h( $array ) {
            $array_modified = $array;

            foreach( $array_modified as $object ) {
                foreach( $object as &$item ) {
                    $item = htmlentities( $item, ENT_QUOTES );
                }
                //end foreach
            }
            //end foreach
            return $array_modified;
        }
        //end sanitize_object_h

        $sanitized_tasks = sanitize_object_h( $tasks );

        //return the sanitized object.
        echo json_encode( $sanitized_tasks );

    } else {

        echo "failed";
        return;

    }//end if

}//end store

1 answer:

Answer 0: (score: 0)

First, I haven't fixed the escaping. Htmlentities should work, but in my opinion (some others) you don't really need it. Json_encode itself escapes all the characters needed to make valid JSON. However, I've tried to improve the readability of the code.

Laravel can do a lot of what you want to do.

// assumes the Auth and Response facade aliases are imported at the top of the controller
public function store( Request $request, $project_id ) {

    if(!$project_id)
        abort(404, "Bad id");

    // make sure all inputs exist
    $this->validate($request, [
        'description' => 'required',
        'due_date' => 'required',
        'priority' => 'required'
    ]);

    //get all post inputs
    $inputs = $request->all();

    //current logged in user (used for the ownership check and stored on the task)
    $user_id = Auth::user()->id;

    //make sure project ID belongs to current user.  Stop someone from adding a task to your project that isn't you.
    $project = Project::findOrFail($project_id);
    if($project->user_id != $user_id)
        abort(403, 'Not your thing');

    $task = new Task;

    $task->description = $inputs['description'];
    $task->due_date    = $inputs['due_date'];
    $task->priority    = $inputs['priority'];
    $task->completed   = 0;
    $task->order       = 0;
    $task->user_id     = $user_id;
    $task->project_id  = $project_id;
    $task->save();

    //get all tasks
    $tasks = Task::where('user_id', $user_id)->where('project_id', $project_id)->orderBy('description', 'asc')->get();

    return Response::json($tasks);
}//end store

See Validation

Note the abort. I think its function is fairly obvious, but if you prefer you can also use return "error"; since it looks like an API. FindOrFail. If the record doesn't exist, it will throw a 404 (unless you catch it).
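The answer's point that json_encode produces valid JSON is correct, but JSON escaping is not HTML escaping: `<`, `>`, `&` and quotes inside string values reach the JS file unchanged, so the place to escape is where the task data is written into the page. The following is an added example (not code from the question or the answer) of that client-side step; the `serverResponse` payload is constructed to resemble the tasks array the controller returns, and `parseTasks`, `escapeHtml` and `renderTaskList` are names chosen here.

```javascript
// Added example: escaping at the sink, in the JS that consumes the Laravel JSON.
// Constructed sample of what Response::json($tasks) might deliver; the second
// description is deliberately HTML-like test data, not real task content.
const serverResponse = JSON.stringify([
  { id: 1, description: 'Review <b>Q4</b> budget & "forecast"', priority: 2 },
  { id: 2, description: "Tom's <script>alert(1)</script> note", priority: 1 },
]);

// json_encode()/JSON.parse() preserve markup characters inside string values,
// so the browser receives exactly what was stored in the database.
function parseTasks(json) {
  return JSON.parse(json);
}

// HTML escaping for text and double-quoted attribute contexts. This covers the
// same five characters as PHP's htmlentities($s, ENT_QUOTES) for plain ASCII input.
function escapeHtml(value) {
  const entities = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#039;',
  };
  return String(value).replace(/[&<>"']/g, (ch) => entities[ch]);
}

// Build the task list markup. Every dynamic value passes through escapeHtml()
// at the moment it is placed into HTML, regardless of what the server did.
function renderTaskList(tasks) {
  const items = tasks.map((t) =>
    `<li data-priority="${escapeHtml(t.priority)}">${escapeHtml(t.description)}</li>`
  );
  return '<ul>' + items.join('') + '</ul>';
}

// Stand-alone run: the rendered list contains "&lt;script&gt;", never "<script>".
console.log(renderTaskList(parseTasks(serverResponse)));
```

In a browser, the simpler alternative is to avoid string-building altogether and assign `li.textContent = task.description`, which never parses markup. On the PHP side, `json_encode` also accepts the `JSON_HEX_TAG`, `JSON_HEX_AMP`, `JSON_HEX_APOS` and `JSON_HEX_QUOT` flags, which encode those characters as `\u003C` and so on; that makes the payload safe to inline inside a `<script>` block but does not replace escaping when a value is later inserted into the DOM as HTML.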