In addition to the risk already mentioned above, there are numerous others.
When you use $this within a view blade, you have access to the Illuminate\View\View.
Not counting other methods, he could play at will with your system.
Just to reinforce the above answer, see another "prank" that could happen:
File::deleteDirectory('diretorio_importante_do_seu_sistema');
It could also change some configuration file, such as the mail.php, and make a mess in your system:
file_put_contents(app_path('config/mail.php'), var_export($configuracoes_malicosas, true));
Perhaps the solution in your case is to pre-process a possible template submitted by a user. Or to have a block in place, so that someone analyzes the content of this view and only then actually publishes it.
I don’t know if this is the idea, but it seems that you want to do something similar to WordPress.
Laravel already has a CMS, I don’t know if it solves, but I’ll leave the link so you can analyze and see if it meets your need.
https://octobercms.com/
It can be done; you will only need to limit what will be used. As @Neto said, there will be this risk if you allow the use of Laravel’s classes and properties.
– Papa Charlie
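
One way to do the pre-processing suggested above, as an added example that is not part of the original answers or of Laravel: an allowlist check that accepts only plain variable output and a few control directives, and refuses `$this`, static calls such as `File::deleteDirectory`, raw PHP and everything else. The function name, the directive allowlist and the sample templates are assumptions.

```php
<?php
// Added example: allowlist pre-check for a user-submitted Blade template.
// validateUserTemplate(), the allowlist and the samples are hypothetical.

// A plain variable path: $a, $a->b, $a['k']. $this (the View instance) is refused.
const VAR_PATH = '\$(?!this\b)[A-Za-z_]\w*(?:->[A-Za-z_]\w*|\[\'[\w-]+\'\])*';

function validateUserTemplate(string $tpl): array
{
    $errors = [];
    // Constructs that evaluate arbitrary PHP expressions are refused outright.
    $banned = ['<?' => 'raw PHP tag', '{!!' => 'unescaped echo',
               '<x-' => 'component tag', '<x:' => 'component tag'];
    foreach ($banned as $needle => $what) {
        if (stripos($tpl, $needle) !== false) {
            $errors[] = "$what is not allowed";
        }
    }
    // Every {{ ... }} must hold nothing but a variable path (no calls, no statics).
    preg_match_all('/\{\{(.*?)\}\}/s', $tpl, $echoes);
    foreach ($echoes[1] as $expr) {
        if (!preg_match('/^' . VAR_PATH . '$/', trim($expr))) {
            $errors[] = 'expression not allowed: ' . trim($expr);
        }
    }
    // Directives: only the listed names, each with the listed argument shape.
    $args = [
        'if' => VAR_PATH, 'elseif' => VAR_PATH,
        'foreach' => VAR_PATH . '\s+as\s+\$(?!this\b)[A-Za-z_]\w*',
        'else' => '', 'endif' => '', 'endforeach' => '',
    ];
    preg_match_all('/\B@(\w+)(?:\s*\((.*?)\))?/s', $tpl, $dirs, PREG_SET_ORDER);
    foreach ($dirs as $d) {
        $name = strtolower($d[1]);
        $arg  = trim($d[2] ?? '');
        if (!isset($args[$name]) || !preg_match('/^' . $args[$name] . '$/', $arg)) {
            $errors[] = 'directive not allowed: ' . trim($d[0]);
        }
    }
    return $errors;
}

// Constructed samples: a harmless template, then one using the calls quoted above.
$ok  = "@if(\$user)\nHello {{ \$user->name }}\n@endif";
$bad = "{{ File::deleteDirectory('x') }} {{ \$this }} @php echo 1; @endphp";
print_r(validateUserTemplate($ok));
print_r(validateUserTemplate($bad));
```

A template would be stored for rendering only when the returned list is empty. This is a syntactic filter, not a sandbox, so the manual review step mentioned above still applies.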