feature #6539 Documented the "autoescape" TwigBundle config option (j…
…aviereguiluz)

This PR was squashed before being merged into the 2.3 branch (closes #6539).

Discussion
----------

Documented the "autoescape" TwigBundle config option

This option was missing after the recent doc update.

Commits
-------

ea79276 Documented the "autoescape" TwigBundle config option
wouterj committed May 13, 2016
2 parents 2314b59 + ea79276 commit 186525f
Showing 1 changed file with 31 additions and 0 deletions.
31 changes: 31 additions & 0 deletions reference/configuration/twig.rst
Expand Up @@ -112,6 +112,35 @@ If ``true``, whenever a template is rendered, Symfony checks first if its source
code has changed since it was compiled. If it has changed, the template is
compiled again automatically.

autoescape
~~~~~~~~~~

**type**: ``boolean`` or ``string`` **default**: ``'filename'``

If set to ``true``, all template contents are escaped for HTML. If set to
``false``, automatic escaping is disabled (you can still escape each content
individually in the templates).

.. caution::

Setting this option to ``false`` is dangerous and it will make your
application vulnerable to XSS exploits because most third-party bundles
assume that auto-escaping is enabled and they don't escape contents
themselves.

If set to a string, the template contents are escaped using the strategy with
that name. Allowed values are ``html``, ``js``, ``css``, ``url``, ``html_attr``
and ``filename``. The default value is ``filename`` and it escapes contents
according to the filename extension (e.g. it uses ``html`` for ``*.html.twig``
templates and ``js`` for ``*.js.html`` templates).

.. tip::

See :ref:`config-twig-autoescape-service` and :ref:`config-twig-autoescape-service-method`
to define your own escaping strategy.

.. _config-twig-autoescape-service:

autoescape_service
~~~~~~~~~~~~~~~~~~
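
Review bot: The filename example in the last paragraph of the new ``autoescape`` section reads "``js`` for ``*.js.html`` templates", which looks like a typo for ``*.js.twig``: the ``html`` example beside it uses ``*.html.twig``, and the context line of the next hunk also speaks of ``*.js.twig`` being escaped for JavaScript. Please change it to ``*.js.twig``. A smaller point in the same section: the text says ``true`` escapes for HTML and also lists ``html`` as an allowed string, so one clause stating whether the two are equivalent would save readers from guessing which to use.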

Expand All @@ -125,6 +154,8 @@ for HTML and the contents of ``*.js.twig`` are escaped for JavaScript.
This option allows to define the Symfony service which will be used to determine
the default escaping applied to the template.

.. _config-twig-autoescape-service-method:

autoescape_service_method
~~~~~~~~~~~~~~~~~~~~~~~~~
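
Review bot: The two labels added for ``autoescape_service`` and ``autoescape_service_method`` are only link targets for the tip in the new ``autoescape`` section, and the visible description ("define the Symfony service which will be used to determine the default escaping") does not say how these options interact with the ``autoescape`` value documented above. Since the caution warns that disabling escaping exposes the application to XSS, consider adding a sentence here stating which setting takes precedence when both ``autoescape`` and a custom service are configured, and linking back to ``autoescape`` so the reference works in both directions.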
