Twig

The flexible, fast, and secure
template engine for PHP

a Symfony Product
Docs Tags autoescape
You are reading the documentation for Twig 3.x. Switch to the documentation for Twig 1.x. 2.x.

Questions & Feedback

License

Twig documentation is licensed under the new BSD license.

autoescape

Whether automatic escaping is enabled or not, you can mark a section of a template to be escaped or not by using the autoescape tag:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
{% autoescape %}
    Everything will be automatically escaped in this block
    using the HTML strategy
{% endautoescape %}

{% autoescape 'html' %}
    Everything will be automatically escaped in this block
    using the HTML strategy
{% endautoescape %}

{% autoescape 'js' %}
    Everything will be automatically escaped in this block
    using the js escaping strategy
{% endautoescape %}

{% autoescape false %}
    Everything will be outputted as is in this block
{% endautoescape %}

When automatic escaping is enabled everything is escaped by default except for values explicitly marked as safe. Those can be marked in the template by using the raw filter:

1
2
3
{% autoescape %}
    {{ safe_value|raw }}
{% endautoescape %}

Functions returning template data (like macros and parent) always return safe markup.

Note

Twig is smart enough to not escape an already escaped value by the escape filter when the automatic escaping strategy is the same as the one applied by the escape filter.

Note

Twig does not escape static expressions:

1
2
3
{% set hello = "<strong>Hello</strong>" %}
{{ hello }}
{{ "<strong>world</strong>" }}

Will be rendered "<strong>Hello</strong> world".

Note

The chapter Twig for Developers gives more information about when and how automatic escaping is applied.