Prevent {{ config() }} from exposing DB_PASSWORD #378
Comments
Yeah you can just not echo that?
Hi, I'm coming along the lines that a template system is supposed to limit itself to only "safe" code so that it is end user editable (think shopify's liquid). While I could disable config() entirely, APIs such as recaptcha still need to expose their public key in templates. I was wondering if you would consider adding something similar to Laravel's debug_blacklist for config? Thank you.
In that case you can use the sandbox, but by default Twig has access to a lot of functions and the global app variable.
@barryvdh Can't we just disable / blacklist config() and then if I need some config info I'll create a custom function for that specific data and make it available for twig? I think config(), app() and other sensitive data must not be available for the front end developer... any idea? Thanks.
Cool, I was able to disable config() from twigbridge.php config file, totally missed that!
Hi,
Is there a way to make {{ config("database.connections.mysql.password") }} not expose .env's DB_PASSWORD and other sensitive information? Thank you.
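The approach raised in the comments (disable config() for templates and expose only specific values through a custom function) can be sketched as an exact-match allowlist. This is an added example, not code from TwigBridge or from the thread; `public_config`, `lookup`, `TEMPLATE_SAFE_KEYS` and the sample `CONFIG` array are hypothetical names and constructed data.

```php
<?php
// Constructed sample data standing in for the application's config repository.
const CONFIG = [
    'database' => ['connections' => ['mysql' => ['password' => 'constructed-secret']]],
    'recaptcha' => [
        'public_key'  => 'constructed-public-key',
        'private_key' => 'constructed-private-key',
    ],
];

// Exact keys a template may read. Matching is exact, so a parent key such as
// "database" or "recaptcha" is denied even though it contains an allowed child.
const TEMPLATE_SAFE_KEYS = ['recaptcha.public_key'];

// Resolve a dot-notation key against a nested array; null when any segment is missing.
function lookup(array $config, string $key)
{
    foreach (explode('.', $key) as $segment) {
        if (!is_array($config) || !array_key_exists($segment, $config)) {
            return null;
        }
        $config = $config[$segment];
    }
    return $config;
}

// Template-facing accessor: deny by default, never hand back arrays.
function public_config(string $key, $default = null)
{
    if (!in_array($key, TEMPLATE_SAFE_KEYS, true)) {
        return $default;
    }
    $value = lookup(CONFIG, $key); // in a Laravel app this would be config($key)
    return is_scalar($value) ? $value : $default;
}

// Registration with Twig (assumption: a \Twig\Environment instance in $twig):
//   $twig->addFunction(new \Twig\TwigFunction('public_config', 'public_config'));

var_dump(public_config('recaptcha.public_key'));                 // allowed
var_dump(public_config('database.connections.mysql.password'));  // denied -> NULL
var_dump(public_config('database'));                             // parent key denied -> NULL
var_dump(public_config('recaptcha'));                            // would include private_key -> NULL
```

A denylist of individual secret keys would still let a template request the parent array (`database`, `recaptcha`) and read the secret from it, which is why the sketch matches whole keys against an allowlist and returns scalars only.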