symfony2 twig whitelist html tags


Solution 1

Initially I thought it should be possible to write custom escaper strategies so you could do something like this:

{{ var|escape('html-custom') }}

Unfortunately it's not the case. The only available strategies are html and js. They're hard coded in the twig_escape_filter() function defined in the Twig_Extension_Core class file.

It seems that your only option is to write a custom extension with a new filter:

{{ var|raw|customescape }}

Here's an example of custom twig extension and how to register it in Symfony: Symfony2 Twig extension

Solution 2

Actually, you can use the native PHP function strip_tags as follows:

{{ var|striptags('<br>')|raw }}

You can allow multiple tags with the following code:

{{ var|striptags('<br><p>')|raw }}

Solution 3

You can do it like this:

{{ text | striptags('<p><b><br>') | raw }}

For instance, <br> won't escape <br> and <br />, and <p> won't escape <p> and </p>, etc.
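The answers above whitelist tags by stripping everything else. As an added example (not code from any of the answers or from Twig itself), here is the other approach the comments touch on: escape everything except a whitelist of bare tags, so an unlisted tag is shown as text instead of silently removed, and register it as a Twig filter so the template needs no |raw. It assumes twig/twig installed through composer and the Twig 2/3 namespaced API (Twig\TwigFilter, Twig\Extension\AbstractExtension); the function name escapeExceptTags, the filter name escape_except, the class name WhitelistEscapeExtension and the sample input are all ours.

```php
<?php
// Added example, not code from the answers above. Escapes every tag that is
// not whitelisted (or that carries attributes) instead of stripping it.
// Assumes twig/twig is installed via composer (Twig 2/3 namespaced API).
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';   // composer require twig/twig

use Twig\Extension\AbstractExtension;
use Twig\TwigFilter;

/**
 * Escape $html with htmlspecialchars(), but let opening/closing tags through
 * when their name is in $allowed AND they carry no attributes ("<br>", "<br />",
 * "<p>", "</p>"). Anything else, including "<p onclick=...>", is escaped so the
 * reader sees it as text rather than the browser treating it as markup.
 */
function escapeExceptTags(string $html, array $allowed): string
{
    $allowed = array_map('strtolower', $allowed);
    $flags   = ENT_QUOTES | ENT_SUBSTITUTE;
    $out     = '';
    $pos     = 0;

    // Any tag-like token: optional "/", a tag name, then everything up to ">".
    preg_match_all('~<(/?)([a-z][a-z0-9]*)([^>]*)>~i', $html, $matches,
                   PREG_SET_ORDER | PREG_OFFSET_CAPTURE);

    foreach ($matches as $m) {
        [$full, $offset] = $m[0];
        // Plain text between the previous token and this one is always escaped.
        $out .= htmlspecialchars((string) substr($html, $pos, $offset - $pos), $flags, 'UTF-8');

        $slash = $m[1][0];
        $name  = strtolower($m[2][0]);
        $rest  = trim($m[3][0]);                 // attributes, or "/" for "<br />"
        $bare  = ($rest === '' || $rest === '/');

        if ($bare && in_array($name, $allowed, true)) {
            $out .= '<' . $slash . $name . '>';   // emit the canonical tag only
        } else {
            $out .= htmlspecialchars($full, $flags, 'UTF-8');
        }
        $pos = $offset + strlen($full);
    }

    return $out . htmlspecialchars((string) substr($html, $pos), $flags, 'UTF-8');
}

/** Registers the function above as the Twig filter "escape_except". */
final class WhitelistEscapeExtension extends AbstractExtension
{
    public function getFilters(): array
    {
        // is_safe => html: the filter's output is already safe HTML, so Twig's
        // autoescaper leaves it alone and the template needs no |raw.
        return [new TwigFilter('escape_except', 'escapeExceptTags', ['is_safe' => ['html']])];
    }
}

// Constructed sample: an allowed <br />, an allowed <p> that carries an
// attribute, and a <script> element that must never reach the browser as markup.
$input = 'Hello<br />world <p title="t">para</p> <script>x()</script>';

// striptags-style whitelisting (what the answers above do): the <p> keeps its
// attribute untouched, and the <script> tags are removed but "x()" stays as text.
echo strip_tags($input, '<br><p>'), PHP_EOL;

// Escape-based whitelisting: bare <br /> and </p> pass through; the attributed
// <p> and the whole <script> element are shown as escaped text.
echo escapeExceptTags($input, ['br', 'p']), PHP_EOL;

// The same filter rendered through Twig with the extension registered.
$twig = new \Twig\Environment(new \Twig\Loader\ArrayLoader([
    'demo' => '{{ text|escape_except(["br", "p"]) }}',
]));
$twig->addExtension(new WhitelistEscapeExtension());
echo $twig->render('demo', ['text' => $input]), PHP_EOL;
```

In Symfony the class is registered as a service tagged twig.extension (a services.yml tag under Symfony2, or autoconfigure in newer versions). Twig 1.12+ under Symfony2 used Twig_Extension and Twig_SimpleFilter instead of the namespaced classes, with the same getFilters() shape. The deliberate design choice is that a whitelisted tag with attributes is escaped rather than having its attributes dropped, so a reviewer can see in the output exactly what was rejected.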

Author: jonv1 (freelance programmer!)

Updated on June 05, 2022

Comments

  • jonv1
    jonv1 almost 2 years

    I pass a variable to my Twig template in Symfony2; this variable may contain <br /> HTML tags. I have tried to create an extension (function), but the variable still gets escaped.

    How can I output a twig variable that allows the <br /> tag? Is there a simple solution to just allow a whitelist of allowed tags in certain templates?

    I've searched about twig sandboxes, but I'm not sure if that is my solution.

    edit: I still want the variable to be escaped, but to allow exclusively the <br /> tag.

  • jonv1
    jonv1 over 12 years
    sorry for the late response. Thanks.
  • Jens Wegar
    Jens Wegar almost 11 years
    There is a fundamental difference between escape and striptags in that escape will make the tags harmless by replacing the <> with HTML entities, whereas striptags will remove the tag completely. So this would not be a good strategy if e.g. you want to allow most HTML but escape the <script> tag.
  • Kamil Dziedzic
    Kamil Dziedzic over 10 years
    I don't see the point of using {{ var|raw|nl2br }} since {{ var|raw }} already allows using anything (well yeah, except \n), but the answer {{ var|nl2br }} is brilliant since it keeps Symfony's autoescape in place but allows adding <br> easily. +1
  • cw24
    cw24 about 10 years
    I also think this is the best answer. If you're looking to allow some HTML in your script but still keep it safe, you need to work with a whitelist.
  • datasn.io
    datasn.io about 9 years
    Ain't the 'raw' making it unsafe here?
  • SenseException
    SenseException over 8 years
    nl2br filter is also a nice answer, when you consider having newlines instead of br-tags in your string.
  • gabrielem
    gabrielem about 8 years
    There is no need to create a custom Twig extension to allow the <br> tag to be displayed, as @Artem L answered below.
  • Jakub Zalas
    Jakub Zalas about 8 years
    @gabrielem How will stripping BR tags let them be displayed? The question was about whitelisting tags, not blacklisting them.
  • gabrielem
    gabrielem about 8 years
    @JakubZalas By inserting a tag in the striptags function you are going to "whitelist" it. And the BR tag will be displayed, no other tags. And this is a correct answer for the question. You just need to use the function striptags as it is. ;) and how "Artem L" answered below.
  • Jakub Zalas
    Jakub Zalas about 8 years
    Ah, you're right. I forgot the second argument to strip_tags() is actually a white list.