Blade unescaped output of request-derived data
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
The {!! !!} Blade directive prints its value with no HTML escaping. Wrapping a direct request accessor ($request->, Request::, request(), old(), Input::get()) in it renders whatever the request contains verbatim, which is reflected XSS the moment that value isn't both validated and free of markup.
Why it matters
The {!! !!} Blade directive prints its value with no HTML escaping at all. When that value comes directly from the request, whatever the request sent renders as literal HTML or JavaScript in the page, which is reflected cross-site scripting the moment the value is not both strictly validated and free of markup, letting an attacker run script in another user's browser via a crafted link or form submission.
How to fix it
Switch to {{ }}, which HTML-escapes the value automatically, unless the code specifically needs to render trusted HTML, for example sanitized rich text from a WYSIWYG editor that has already been through an HTML sanitizer. In that narrower case, keep {!! !!} but make sure the value was sanitized first, not used as the raw request value.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo