Php Unescaped Blade Xss
Description
Detects Laravel Blade templates that use unescaped output expressions ({!! !!}) to display user input from request parameters. This creates Cross-Site Scripting (XSS) vulnerabilities by rendering raw HTML/JavaScript from user-controlled data without proper escaping.
Detection Strategy
• Searches for Blade template expressions using the {!! !!} syntax
• Specifically matches expressions that call request()->input() to get user parameters
• Reports a vulnerability when request data is displayed without escaping
• Only triggers on direct request()->input() calls inside unescaped Blade expressions; unescaped output of other variables is not reported by this rule
• Each line containing this unsafe pattern will be reported separately
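As an added illustration of the detection strategy above (this is example code, not Fluid Attacks' own rule implementation), the following Python scanner applies the same per-line rule to a constructed Blade template: it reports only {!! !!} expressions whose body calls request()->input(), one finding per line, and ignores both auto-escaped {{ }} output and unescaped output of other variables.

```python
import re

# An unescaped Blade expression: {!! ... !!}. The lazy quantifier keeps each
# match inside a single expression when several appear on one line.
UNESCAPED_EXPR = re.compile(r"\{!!(?P<body>.*?)!!\}")

# A direct request()->input(...) call, tolerant of whitespace around the arrow.
REQUEST_INPUT_CALL = re.compile(r"request\(\)\s*->\s*input\s*\(")


def find_unescaped_request_output(template: str):
    """Return (line_number, expression) for every {!! !!} expression that
    renders request()->input() directly.

    Scanning is line by line, mirroring the rule's "each line is reported
    separately" behaviour; an expression split across lines is not matched.
    """
    findings = []
    for lineno, line in enumerate(template.splitlines(), start=1):
        for match in UNESCAPED_EXPR.finditer(line):
            if REQUEST_INPUT_CALL.search(match.group("body")):
                findings.append((lineno, match.group(0).strip()))
    return findings


# Constructed sample combining the vulnerable and safe patterns from this page,
# plus an unescaped non-request variable that the rule should not flag.
SAMPLE_TEMPLATE = """<!DOCTYPE html>
<html>
<body>
{!! request()->input('userdata') !!}
<div data-info="{!! request()->input('info') !!}">Content</div>
{{ request()->input('userdata') }}
<div data-info="{{ e(request()->input('info')) }}">Content</div>
{!! $trustedHtml !!}
</body>
</html>
"""

if __name__ == "__main__":
    for lineno, expr in find_unescaped_request_output(SAMPLE_TEMPLATE):
        print(f"line {lineno}: unescaped request input in {expr}")
```

Only lines 4 and 5 of the sample are reported; the {{ }} lines and the unescaped $trustedHtml line are not.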
Vulnerable code example
<!DOCTYPE html>
<html>
<body>
<!-- Vulnerable: Unescaped output allows XSS via {!! !!} syntax -->
{!! request()->input('userdata') !!}
<!-- Vulnerable: Direct HTML attribute injection enables XSS -->
<div data-info="{!! request()->input('info') !!}">Content</div>
...
✅ Secure code example
<!DOCTYPE html>
<html>
<body>
<!-- Safe: Use {{ }} for auto-escaping output -->
{{ request()->input('userdata') }}
<!-- Safe: Explicitly escape HTML attributes with e() helper -->
<div data-info="{{ e(request()->input('info')) }}">Content</div>
...