When I insert data I don't sanitize the text in any way, I just do small things such as making the first letter capital and stripping line breaks when there are more than two in a row.
So if I now output the text using:
{{ $text }}
I am safe since this way Laravel escapes any dangerous data/tags to prevent XSS. But the problem now is that I don't have any line breaks in the text.
So now I tried this:
{!! nl2br(e($text)) !!}
This seems to work, I keep my line breaks and things like <script>alert('xss');</script>
get output as normal text. But is this the proper way to output text safely in Laravel while keeping line breaks?
Yes, that's the correct way to achieve this.
{{ $text }}
is equivalent to
{!! e($text) !!}
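As an added illustration (not code from the question or the answer), here is plain PHP with a stand-in for Laravel's e() helper; it shows why the escaping must happen before nl2br and what goes wrong when the order is reversed:

```php
<?php
// Added example, not from the original post. escape() reproduces what Laravel's
// e() helper does for plain strings (htmlspecialchars, ENT_QUOTES, UTF-8) so this
// runs without the framework; inside a Blade template you would call e() itself.
function escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', true);
}

// Correct order: escape first, then convert newlines. The <br /> tags are added
// after escaping, so user-supplied markup is neutralised but line breaks survive.
function safeWithLineBreaks(string $text): string
{
    return nl2br(escape($text));
}

// Reversed order, for comparison: nl2br runs first, so the <br /> it inserts is
// escaped along with everything else and appears literally as "&lt;br /&gt;".
function reversedOrder(string $text): string
{
    return escape(nl2br($text));
}

// Constructed sample input: one line break plus an attempted script injection.
$input = "line one\nline two <script>alert('xss');</script>";

// The safe version keeps a real <br /> and turns the <script> tag into text.
echo "nl2br(e(\$text)):\n", safeWithLineBreaks($input), "\n\n";

// The reversed version has no real <br /> left, so the line break is lost again.
echo "e(nl2br(\$text)):\n", reversedOrder($input), "\n";
```

Run with `php example.php`; the only markup surviving in the first output is the `<br />` that nl2br inserted, while the injected tag and its quotes are entity-encoded.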