Twig

The flexible, fast, and secure
template engine for PHP

a Symfony Product
Docs Filters escape
You are reading the documentation for Twig 3.x. Switch to the documentation for Twig 1.x, 2.x.

Table of Contents

Questions & Feedback

License

Twig documentation is licensed under the new BSD license.

escape

The escape filter escapes a string using strategies that depend on the context.

By default, it uses the HTML escaping strategy:

1
2
3
<p>
    {{ user.username|escape }}
</p>

For convenience, the e filter is defined as an alias:

1
2
3
<p>
    {{ user.username|e }}
</p>

The escape filter can also be used in other contexts than HTML thanks to an optional argument which defines the escaping strategy to use:

1
2
3
{{ user.username|e }}
{# is equivalent to #}
{{ user.username|e('html') }}

And here is how to escape variables included in JavaScript code:

1
2
{{ user.username|escape('js') }}
{{ user.username|e('js') }}

The escape filter supports the following escaping strategies for HTML documents:

  • html: escapes a string for the HTML body context,
    or for HTML attributes values inside quotes.
  • js: escapes a string for the JavaScript context.
  • css: escapes a string for the CSS context. CSS escaping can be applied to any string being inserted into CSS and escapes everything except alphanumerics.
  • url: escapes a string for the URI or parameter contexts. This should not be used to escape an entire URI; only a subcomponent being inserted.
  • html_attr: escapes a string for the HTML attribute context, without quotes around HTML attribute values.

Note that doing contextual escaping in HTML documents is hard and choosing the right escaping strategy depends on a lot of factors. Please, read related documentation like the OWASP prevention cheat sheet to learn more about this topic.

Note

Internally, escape uses the PHP native htmlspecialchars function for the HTML escaping strategy.

Caution

When using automatic escaping, Twig tries to not double-escape a variable when the automatic escaping strategy is the same as the one applied by the escape filter; but that does not work when using a variable as the escaping strategy:

1
2
3
4
5
6
{% set strategy = 'html' %}

{% autoescape 'html' %}
    {{ var|escape('html') }}   {# won't be double-escaped #}
    {{ var|escape(strategy) }} {# will be double-escaped #}
{% endautoescape %}

When using a variable as the escaping strategy, you should disable automatic escaping:

1
2
3
4
5
{% set strategy = 'html' %}

{% autoescape 'html' %}
    {{ var|escape(strategy)|raw }} {# won't be double-escaped #}
{% endautoescape %}

Tip

The html_attr escaping strategy can be useful when you need to
escape a dynamic HTML attribute name:

1
<p {{ your_html_attr|e('html_attr') }}="attribute value">

It can also be used for escaping a dynamic HTML attribute value
if it is not quoted, but this is less performant.
Instead, it is recommended to quote the HTML attribute value and use
the html escaping strategy:

1
2
3
4
<p data-content="{{ content|e('html') }}">

{# is equivalent to, but is less performant #}
<p data-content={{ content|e('html_attr') }}>

Custom Escapers

3.10

The EscaperRuntime class has been added in 3.10. On previous versions, you can define custom escapers by calling the setEscaper() method on the escaper extension instance. The first argument is the escaper strategy (to be used in the escape call) and the second one must be a valid PHP callable:

1
2
3
4
use Twig\Extension\EscaperExtension;

$twig = new \Twig\Environment($loader);
$twig->getExtension(EscaperExtension::class)->setEscaper('csv', 'csv_escaper');

When called by Twig, the callable receives the Twig environment instance, the string to escape, and the charset.

You can define custom escapers by calling the setEscaper() method on the escaper runtime instance. It accepts two arguments: the strategy name and a PHP callable that accepts a string to escape and the charset:

1
2
3
4
5
6
7
8
use Twig\Runtime\EscaperRuntime;

$twig = new \Twig\Environment($loader);
$escaper = fn ($string, $charset) => $string;
$twig->getRuntime(EscaperRuntime::class)->setEscaper('identity', $escaper);

# Usage in a template:
# {{ 'Twig'|escape('identity') }}

Note

Built-in escapers cannot be overridden mainly because they should be considered as the final implementation and also for better performance.

Arguments

  • strategy: The escaping strategy
  • charset: The string charset