Documented the "autoescape" TwigBundle config option #6539

Closed · wants to merge 3 commits
22 changes: 22 additions & 0 deletions reference/configuration/twig.rst
@@ -112,6 +112,28 @@ If ``true``, whenever a template is rendered, Symfony checks first if its source
code has changed since it was compiled. If it has changed, the template is
compiled again automatically.

autoescape
~~~~~~~~~~

**type**: ``boolean`` or ``string`` **default**: ``'filename'``

If set to ``true``, all template contents are escaped for HTML. If set to
``false``, no escaping is applied automatically (you can still escape each
Member
"If set to false, automatic escaping is disabled (you can still [...]" ?

content individually in the templates).

.. caution::

Setting this option to ``false`` is dangerous and it will make your
application vulnerable to XSS exploits because most third-party bundles
assume that auto-escaping is enabled and they don't escape contents
themselves.

If set to a string, template contents are escaped using the strategy with that
Member
I think I'm missing "the" before "template contents"; not 100% sure, though, but it feels more correct.

name. Allowed values are ``html``, ``js``, ``css``, ``url`` and ``html_attr``.
Member
please also add the default value in the allowed values list

A special strategy called ``filename`` is used by default and it escapes contents
according to the filename extension (it uses ``html`` for ``*.html.twig``
Member
@wouterj wouterj May 6, 2016
"[...] (e.g. it uses html for *.html.twig templates and js for *.js.twig templates.)"

templates, ``js`` for ``*.js.html`` templates, etc.)
Member
what about adding a ref to the next option, allowing people to use a custom strategy?


autoescape_service
~~~~~~~~~~~~~~~~~~
