
The `autoescape` tag escapes an already escaped value by the escape filter

Open ericmorand opened this issue 1 year ago • 3 comments

According to the documentation of the autoescape tag:

> Twig is smart enough to not escape an already escaped value by the escape filter.

But, when testing TwigPHP, it seems like the autoescape tag actually does escape an already escaped value by the escape filter:

```twig
{% set br = "<br/>" %}
{% autoescape "css" %}
{{ br|escape('html') }}
{% endautoescape %}
```

```
\26 lt\3B br\2F \26 gt\3B
```

https://twigfiddle.com/qtyoxi

So, which one is correct: TwigPHP implementation or the documentation?

ericmorand avatar Nov 26 '23 18:11 ericmorand

When using automatic escaping, Twig tries to not double-escape a variable when the automatic escaping strategy is the same as the one applied by the escape filter;

css: escapes a string for the CSS context. CSS escaping can be applied to any string being inserted into CSS and escapes everything except alphanumerics.

Both are correct.

https://twig.symfony.com/doc/3.x/filters/escape.html

smnandre avatar Nov 28 '23 03:11 smnandre

So one of the pages of the documentation is wrong.

ericmorand avatar Nov 28 '23 09:11 ericmorand

The note on the autoescape documentation is not explicit enough. But `value|escape('css')` is not already escaped for html. So it is not wrong per se.

stof avatar Nov 28 '23 09:11 stof
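
The behaviour discussed in this thread, as an added example that is not part of the original issue and not Twig's code: a simplified Python model in which a filtered value remembers the strategy it was escaped for, and the autoescape block skips escaping only when that strategy matches its own. The names `Markup`, `escape_filter` and `autoescape_print` are hypothetical, and the two escapers are minimal stand-ins that follow the rules quoted above.

```python
import html
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Markup:
    """Escaped text plus the one strategy it is safe for (model assumption)."""
    text: str
    safe_for: str


def escape_html(s: str) -> str:
    return html.escape(s, quote=True)


def escape_css(s: str) -> str:
    # Quoted docs: CSS escaping "escapes everything except alphanumerics".
    return re.sub(r"[^a-zA-Z0-9]", lambda m: "\\%X " % ord(m.group()), s)


ESCAPERS = {"html": escape_html, "css": escape_css}


def escape_filter(value: str, strategy: str) -> Markup:
    """Model of `value|escape(strategy)`: escape and record the strategy used."""
    return Markup(ESCAPERS[strategy](value), safe_for=strategy)


def autoescape_print(value, block_strategy: str) -> str:
    """Model of `{{ value }}` inside `{% autoescape block_strategy %}`."""
    if isinstance(value, Markup):
        if value.safe_for == block_strategy:
            return value.text  # same strategy: not escaped a second time
        value = value.text     # safe for another context only: escape again
    return ESCAPERS[block_strategy](value)


br = "<br/>"  # the value from the issue's template
# escape('html') inside an autoescape "css" block: both escapers run.
mismatched = autoescape_print(escape_filter(br, "html"), "css")
# escape('css') inside an autoescape "css" block: escaped once.
matched = autoescape_print(escape_filter(br, "css"), "css")
# No filter at all: the block's strategy is applied once.
unfiltered = autoescape_print(br, "css")

if __name__ == "__main__":
    for label, out in [("mismatched", mismatched), ("matched", matched), ("unfiltered", unfiltered)]:
        print(f"{label:11} {out!r}")
```
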