Commit 186525f

feature #6539 Documented the "autoescape" TwigBundle config option (javiereguiluz)
This PR was squashed before being merged into the 2.3 branch (closes #6539).

Discussion
----------

Documented the "autoescape" TwigBundle config option

This option was missing after the recent doc update.

Commits
-------

ea79276 Documented the "autoescape" TwigBundle config option
2 parents 2314b59 + ea79276 commit 186525f

1 file changed: +31 -0 lines changed

reference/configuration/twig.rst

Lines changed: 31 additions & 0 deletions
@@ -112,6 +112,35 @@ If ``true``, whenever a template is rendered, Symfony checks first if its source
112112
code has changed since it was compiled. If it has changed, the template is
113113
compiled again automatically.
114114

115+
autoescape
116+
~~~~~~~~~~
117+
118+
**type**: ``boolean`` or ``string`` **default**: ``'filename'``
119+
120+
If set to ``true``, all template contents are escaped for HTML. If set to
121+
``false``, automatic escaping is disabled (you can still escape each content
122+
individually in the templates).
123+
124+
.. caution::
125+
126+
Setting this option to ``false`` is dangerous and it will make your
127+
application vulnerable to XSS exploits because most third-party bundles
128+
assume that auto-escaping is enabled and they don't escape contents
129+
themselves.
130+
131+
If set to a string, the template contents are escaped using the strategy with
132+
that name. Allowed values are ``html``, ``js``, ``css``, ``url``, ``html_attr``
133+
and ``filename``. The default value is ``filename`` and it escapes contents
134+
according to the filename extension (e.g. it uses ``html`` for ``*.html.twig``
135+
templates and ``js`` for ``*.js.html`` templates).
136+
137+
.. tip::
138+
139+
See :ref:`config-twig-autoescape-service` and :ref:`config-twig-autoescape-service-method`
140+
to define your own escaping strategy.
141+
142+
.. _config-twig-autoescape-service:
143+
115144
autoescape_service
116145
~~~~~~~~~~~~~~~~~~
117146

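Review bot: the example on added line 135, ``js`` for ``*.js.html`` templates, looks like a typo for ``*.js.twig``. The neighbouring example uses ``*.html.twig`` and the existing text quoted in the next hunk header says "the contents of ``*.js.twig`` are escaped for JavaScript", so the two sections currently disagree on the file name pattern. Since readers will rely on this sentence to decide which templates get JavaScript escaping, suggest changing it to ``js`` for ``*.js.twig`` templates. Separately, the caution on lines 126-129 explains the risk of ``false`` well, but the paragraph on lines 131-135 could add one sentence noting that a fixed string strategy such as ``js`` or ``css`` applies to every template regardless of extension, which is easy to miss next to the ``filename`` default.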
@@ -125,6 +154,8 @@ for HTML and the contents of ``*.js.twig`` are escaped for JavaScript.
125154
This option allows to define the Symfony service which will be used to determine
126155
the default escaping applied to the template.
127156

157+
.. _config-twig-autoescape-service-method:
158+
128159
autoescape_service_method
129160
~~~~~~~~~~~~~~~~~~~~~~~~~
130161

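Review bot: the label added on line 157 makes the cross-reference from the new ``autoescape`` tip resolve, but the context lines 125-126 shown here only say the service "will be used to determine the default escaping applied to the template" and do not say how that interacts with the ``autoescape`` option documented above. Suggest one sentence in either section stating which setting takes effect when both ``autoescape`` and ``autoescape_service`` are configured, so a reader cannot assume escaping is active when it is being decided elsewhere.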