Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Documented the "autoescape" TwigBundle config option #6539

Closed
wants to merge 3 commits into from
Closed
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
31 changes: 31 additions & 0 deletions reference/configuration/twig.rst
Original file line number Diff line number Diff line change
Expand Up @@ -112,6 +112,35 @@ If ``true``, whenever a template is rendered, Symfony checks first if its source
code has changed since it was compiled. If it has changed, the template is
compiled again automatically.

autoescape
~~~~~~~~~~

**type**: ``boolean`` or ``string`` **default**: ``'filename'``

If set to ``true``, all template contents are escaped for HTML. If set to
``false``, automatic escaping is disabled (you can still escape each content
individually in the templates).

.. caution::

Setting this option to ``false`` is dangerous and it will make your
application vulnerable to XSS exploits because most third-party bundles
assume that auto-escaping is enabled and they don't escape contents
themselves.

If set to a string, the template contents are escaped using the strategy with
that name. Allowed values are ``html``, ``js``, ``css``, ``url``, ``html_attr``
and ``filename``. The default value is ``filename`` and it escapes contents
according to the filename extension (e.g. it uses ``html`` for ``*.html.twig``
templates and ``js`` for ``*.js.html`` templates).

.. tip::

See :ref:`config-twig-autoescape-service` and :ref:`config-twig-autoescape-service-method`
to define your own escaping strategy.

.. _config-twig-autoescape-service:

autoescape_service
~~~~~~~~~~~~~~~~~~

Expand All @@ -125,6 +154,8 @@ for HTML and the contents of ``*.js.twig`` are escaped for JavaScript.
This option allows to define the Symfony service which will be used to determine
the default escaping applied to the template.

.. _config-twig-autoescape-service-method:

autoescape_service_method
~~~~~~~~~~~~~~~~~~~~~~~~~

Expand Down