License

Creative Commons License Twig documentation is licensed under a Creative Commons Attribution-Share Alike 3.0 Unported License.

escape

New in version 1.9.0: The css, url, and html_attr strategies were added in Twig 1.9.0.

The escape filter escapes a string for safe insertion into the final output. It supports different escaping strategies depending on the template context.

By default, it uses the HTML escaping strategy:

{{ user.username|escape }}

For convenience, the e filter is defined as an alias:

{{ user.username|e }}

The escape filter can also be used in other contexts than HTML thanks to an optional argument which defines the escaping strategy to use:

{{ user.username|e }}
{# is equivalent to #}
{{ user.username|e('html') }}

And here is how to escape variables included in JavaScript code:

{{ user.username|escape('js') }}
{{ user.username|e('js') }}

The escape filter supports the following escaping strategies:

  • html: escapes a string for the HTML body context.
  • js: escapes a string for the JavaScript context.
  • css: escapes a string for the CSS context. CSS escaping can be applied to any string being inserted into CSS and escapes everything except alphanumerics.
  • url: escapes a string for the URI or parameter contexts. This should not be used to escape an entire URI; only a subcomponent being inserted.
  • html_attr: escapes a string for the HTML attribute context.
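The strategies listed above, each applied in the output context it is meant for, as an added example that is not part of the Twig documentation. The variable names and sample values are constructed, and automatic escaping is switched off inside the block so that each explicit filter is the only escaping applied.

```twig
{# Added example: constructed sample values, not from the Twig docs. #}
{% set username = 'Ann "A&B" <ann>' %}
{% set query    = 'tea & cake/2' %}

{% autoescape false %}

{# html: text placed between tags (HTML body context) #}
<p>Hello {{ username|e('html') }}</p>

{# html_attr: a value placed inside an HTML attribute #}
<input type="text" name="user" value="{{ username|e('html_attr') }}">

{# js: a value placed inside a JavaScript string literal #}
<script>
    var username = "{{ username|e('js') }}";
</script>

{# css: a value placed inside a CSS string; everything except
   alphanumerics is escaped #}
<style>
    .badge::after { content: "{{ username|e('css') }}"; }
</style>

{# url: one query-string value only, never the entire URI #}
<a href="/search?q={{ query|e('url') }}">Search</a>

{% endautoescape %}
```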

Note

Internally, escape uses the PHP native htmlspecialchars function for the HTML escaping strategy.

Caution

When using automatic escaping, Twig tries to not double-escape a variable when the automatic escaping strategy is the same as the one applied by the escape filter; but that does not work when using a variable as the escaping strategy:

{% set strategy = 'html' %}

{% autoescape 'html' %}
    {{ var|escape('html') }}   {# won't be double-escaped #}
    {{ var|escape(strategy) }} {# will be double-escaped #}
{% endautoescape %}

When using a variable as the escaping strategy, you should disable automatic escaping for that expression, here by appending the raw filter:

{% set strategy = 'html' %}

{% autoescape 'html' %}
    {{ var|escape(strategy)|raw }} {# won't be double-escaped #}
{% endautoescape %}

Arguments

  • strategy: The escaping strategy
  • charset: The string charset