Whether automatic escaping is enabled or not, you can mark a section of a template to be escaped or not by using the autoescape
tag:
{% autoescape %} Everything will be automatically escaped in this block using the HTML strategy {% endautoescape %} {% autoescape 'html' %} Everything will be automatically escaped in this block using the HTML strategy {% endautoescape %} {% autoescape 'js' %} Everything will be automatically escaped in this block using the js escaping strategy {% endautoescape %} {% autoescape false %} Everything will be outputted as is in this block {% endautoescape %}
Note
Before Twig 1.8, the syntax was different:
{% autoescape true %} Everything will be automatically escaped in this block using the HTML strategy {% endautoescape %} {% autoescape false %} Everything will be outputted as is in this block {% endautoescape %} {% autoescape true js %} Everything will be automatically escaped in this block using the js escaping strategy {% endautoescape %}
When automatic escaping is enabled everything is escaped by default except for values explicitly marked as safe. Those can be marked in the template by using the raw filter:
{% autoescape %} {{ safe_value|raw }} {% endautoescape %}
Functions returning template data (like macros and parent) always return safe markup.
Note
Twig is smart enough to not escape an already escaped value by the escape filter.
Note
Twig does not escape static expressions:
{% set hello = "<strong>Hello</strong>" %} {{ hello }} {{ "<strong>world</strong>" }}
Will be rendered "<strong>Hello</strong> world".
Note
The chapter Twig for Developers gives more information about when and how automatic escaping is applied.
© 2009–2017 by the Twig Team
Licensed under the three clause BSD license.
The Twig logo is © 2010–2017 SensioLabs
http://twig.sensiolabs.org/doc/1.x/tags/autoescape.html