[5.0] Blade templates always interprets @parent on the page - even inside escaped variable output

[laurencei]

Current version of Laravel 5:

example.blade.php

@extends('layouts.front')

@section('content')
    {{ $var }}
@stop

If you call this template like this:

return view('example')->withVar('this text @parent should show parent twice - but it is only showing once!')

Then you would expect to see

this text @parent should show parent twice - but it is only showing once!

Instead you see

this text should show parent twice - but it is only showing once!

What is the problem is that you cannot stop the blade template system from interpreting @parent even in escaped output.

This is also occuring in Laravel 4 - as described here (which is what lead me to investigate the issue in the first place): http://stackoverflow.com/q/28876911/1317935

[laurencei]

p.s. I am aware you can do @@parent to kind of 'escape' the output to show @parent. That is fine for my templates that I have control over.

But it is not ok when user inputted data has the ability to change the blade template system - even when fully escaped.

[RomainLanz]

Is it the same for every blade tags?

[laurencei]

Not from my testing - no.

From looking at the Blade code - it seems that the way @parent is string replaced is the problem. But I'll leave it to people smarter than me to confirm the exact parameters.

[GrahamCampbell]

Closing due to inactivity.

[eshantsahu]

I have arrived with the same problem, In my case I needs to use @parent very usually, I need some effective solution for this.

[atwright147]

I provided a workaround solution here: http://stackoverflow.com/a/28902882/633056

But this really needs fixing. I've never been convinced that inactivity is a good reason to closed an issue -- the issue is still open in the eys of the people who are experiencing this.

[scazzy]

For now, since we don't use the @parent feature of blade, we've overwritten the method and commented the str_replace line.