Ok, I’ve put
<div><script>alert('test');</script></div>
into the email field of the user.
In Laravel I’m just using:
return view('welcome', ['user' => App\User::find(1)]);
nothing special in the model.
My view looks like this:
<!DOCTYPE html>
<html>
<head>
</head>
<body>
<div id="el">{{ $user }}</div>
<script>
user = JSON.parse(document.getElementById("el").innerHTML);
console.log(user.name);
</script>
</body>
</html>
and in JS console I’m getting:
<div><script>alert('test');</script></div>
so it’s not the same as in the database, but it doesn’t look like what you showed either.
Source: stackexchange.com
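As an added illustration (not the poster's code, and not Laravel's own implementation), the Node script below models what Blade's `{{ $user }}` does to the model's JSON and what the in-page script gets back, beside the unescaped `{!! $user !!}` form for contrast; `htmlspecialchars`, `renderView`, `renderViewUnescaped`, `readUserFromDom` and the sample record are constructed here, and `decodeEntities` stands in for the browser's HTML parser.

```javascript
// Added example: models Blade escaping of an Eloquent model rendered with {{ $user }}.
// Laravel's e() helper is htmlspecialchars($v, ENT_QUOTES, 'UTF-8'); this mirrors it.
function htmlspecialchars(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// What the browser's parser does with those entities when it builds the text node
// (single pass, so "&amp;lt;" becomes "&lt;", not "<").
function decodeEntities(s) {
  const map = { amp: '&', lt: '<', gt: '>', quot: '"', '#039': "'" };
  return s.replace(/&(amp|lt|gt|quot|#039);/g, (m, e) => map[e]);
}

// Simulates `<div id="el">{{ $user }}</div>`: the model is cast to JSON, then escaped,
// so the email field's markup lands in the page as text, never as a <script> element.
function renderView(user) {
  return '<div id="el">' + htmlspecialchars(JSON.stringify(user)) + '</div>';
}

// Simulates `<div id="el">{!! $user !!}</div>`: no escaping, the markup is live HTML.
function renderViewUnescaped(user) {
  return '<div id="el">' + JSON.stringify(user) + '</div>';
}

// Simulates the view's script: take the element's text and JSON.parse it.
// This models textContent; note the innerHTML getter re-encodes <, > and & on the way out.
function readUserFromDom(html) {
  const m = html.match(/<div id="el">([\s\S]*)<\/div>/);
  return JSON.parse(decodeEntities(m[1]));
}

// Constructed sample record with the same payload the post put in the email field.
const sampleUser = {
  id: 1,
  name: 'alice',
  email: "<div><script>alert('test');</script></div>",
};

// Escaped rendering carries no executable tag, yet the data round-trips intact.
const safeHtml = renderView(sampleUser);
console.log(safeHtml.includes('<script>'));                 // false
console.log(readUserFromDom(safeHtml).email === sampleUser.email); // true
console.log(renderViewUnescaped(sampleUser).includes('<script>')); // true
```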