{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreiab6ezyn7xaxubsllzed43h22ixnxci3gmq7l5ah64gni6ivnwlxi",
    "uri": "at://did:plc:anldby4lwneunjl777bq6ih7/app.bsky.feed.post/3mjqmigxlikp2"
  },
  "coverImage": {
    "$type": "blob",
    "ref": {
      "$link": "bafkreibzhypggacfnh2gkqdstcwq4ppjg5qpakj3dk2jcjy5vpsyutuh6q"
    },
    "mimeType": "image/png",
    "size": 1223738
  },
  "description": "[In Depth #39] Public Properties may look like PHP class properties, but they're really hidden form fields, just waiting for your input... 😈",
  "path": "/in-depth-dont-trust-public-livewire-properties/",
  "publishedAt": "2026-04-18T04:36:23.000Z",
  "site": "https://securinglaravel.com",
  "tags": [
    "Laravel Livewire"
  ],
  "textContent": "Let's take a look at a rather fun (and quite common) weakness associated with Laravel Livewire - **manipulating public properties**. In Livewire, public properties are synced between the server and browser, allowing both sides to access and manipulate them as needed. However, because they are defined as standard PHP public properties, it's incredibly easy for us as developers to think of them as such, even though their values are no longer trusted or safe. Herein lies the weakness to be exploited.\n\nLet's look at a really simple example:\n\n\n    use Illuminate\\Contracts\\View\\View;\n    use Livewire\\Attributes\\Title;\n    use Livewire\\Component;\n\n    #[Title('Title demo')]\n    class TitleDemo extends Component\n    {\n        // Public property: synced with the browser, so its value is client-controlled.\n        public string $title = 'Hello, world!';\n\n        public function render(): View\n        {\n            return view('livewire.title-demo');\n        }\n    }\n\nTitle Demo Livewire Component\n\nWhich looks like this in the browser:\n\n[Screenshot: Title demo app]\n\nIf I change the title in the text box, the title on the page changes too. That's Livewire working its magic with the `wire:model.live=\"title\"` attribute defined on the input field.\n\nHowever, even if that input field is no longer present, we can still change the value on demand, using the `Livewire` JavaScript object...\n\n\n    Livewire.first().set('title', 'PWNED')\n\n[Screenshot: Livewire property modified through the console.]\n\nNow, we could leave it here, but that feels like a harmless exploit you can have some fun with in your local browser. However, there are some significant implications that we really should explore to understand the full scope of this weakness - plus, we should have some fun in the process! 😈",
  "title": "In Depth: Don't Trust Public Livewire Properties",
  "updatedAt": "2026-04-18T04:36:24.453Z"
}