Matthias Andreas Benkard | 12a5735 | 2021-12-28 18:02:04 +0100

``autoescape``
==============

Whether automatic escaping is enabled or not, you can mark a section of a
template to be escaped or not by using the ``autoescape`` tag:

.. code-block:: twig

    {% autoescape %}
        Everything will be automatically escaped in this block
        using the HTML strategy
    {% endautoescape %}

    {% autoescape 'html' %}
        Everything will be automatically escaped in this block
        using the HTML strategy
    {% endautoescape %}

    {% autoescape 'js' %}
        Everything will be automatically escaped in this block
        using the js escaping strategy
    {% endautoescape %}

    {% autoescape false %}
        Everything will be output as is in this block
    {% endautoescape %}

When automatic escaping is enabled everything is escaped by default except for
values explicitly marked as safe. Those can be marked in the template by using
the :doc:`raw<../filters/raw>` filter:

.. code-block:: twig

    {% autoescape %}
        {{ safe_value|raw }}
    {% endautoescape %}

Functions returning template data (like :doc:`macros<macro>` and
:doc:`parent<../functions/parent>`) always return safe markup.

.. note::

    Twig is smart enough to not escape an already escaped value by the
    :doc:`escape<../filters/escape>` filter.

.. note::

    Twig does not escape static expressions:

    .. code-block:: html+twig

        {% set hello = "<strong>Hello</strong>" %}
        {{ hello }}
        {{ "<strong>world</strong>" }}

    This will be rendered as "<strong>Hello</strong> **world**": the variable
    ``hello`` is escaped, while the string literal is output unescaped.

.. note::

    The chapter :doc:`Twig for Developers<../api>` gives more information
    about when and how automatic escaping is applied.
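As an added example (not part of the Twig documentation) that ties together the ``autoescape`` strategies, the ``raw`` filter and the static-expression note above, the following script renders one constructed attacker-style value through each case using Twig's PHP API; it assumes ``twig/twig`` is installed via Composer, and the template names are arbitrary.

```php
<?php
// Added example, not from the Twig docs. Assumes twig/twig via Composer.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// Constructed input: the kind of string a user can submit through a form field.
$untrusted = '<script>alert(1)</script>';

$loader = new ArrayLoader([
    // HTML strategy (the default here): the tags come out as &lt;script&gt;...
    'body' => '<p>{{ name }}</p>',
    // Inside a script block the js strategy is required; HTML escaping alone
    // leaves characters that still break out of a JS string.
    'script' => <<<'TWIG'
{% autoescape 'js' %}
var name = "{{ name }}";
{% endautoescape %}
TWIG,
    // Both of these bypass escaping entirely: only use them on trusted markup.
    'raw' => '{{ name|raw }}',
    'off' => '{% autoescape false %}{{ name }}{% endautoescape %}',
    // The variable is escaped, the string literal (a static expression) is not.
    'static' => '{% set hello = "<b>Hi</b>" %}{{ hello }} {{ "<b>world</b>" }}',
]);

// Enable the HTML strategy globally so every template above starts escaped.
$twig = new Environment($loader, ['autoescape' => 'html']);

foreach (['body', 'script', 'raw', 'off', 'static'] as $name) {
    echo $name, ': ', $twig->render($name, ['name' => $untrusted]), "\n";
}
```

Only the ``raw`` and ``off`` templates print the ``<script>`` tag verbatim, which is the output to look for when reviewing templates for unescaped user data.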