symfony2 twig whitelist html tags
Solution 1
Initially I thought it should be possible to write custom escaper strategies so you could do something like this:
{{ var|escape('html-custom') }}
Unfortunately it's not the case. The only available strategies are html and js. They're hard coded in the twig_escape_filter() function defined in the Twig_Extension_Core class file.
It seems that your only option is to write a custom extension with a new filter:
{{ var|raw|customescape }}
Here's an example of custom twig extension and how to register it in Symfony: Symfony2 Twig extension
Solution 2
Actually, you can use the native PHP function strip_tags as follows:
{{ var|striptags('<br>')|raw }}
You can allow multiple tags with the following code:
{{ var|striptags('<br><p>')|raw }}
Solution 3
You can do it like that:
{{ text | striptags('<p><b><br>') | raw }}
For instance, <br> won't escape <br> and <br />, and <p> won't escape <p> and </p>, etc.
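An added example (not from any of the answers above) that takes Solution 1's custom-filter route but does what the question asks for: the value is escaped in full first, and only the bare forms of the listed tags are restored, so attributes on those tags and every other tag stay visible as escaped text instead of being silently dropped the way striptags drops them. It assumes Twig 3's namespaced classes (the Symfony2-era equivalents are Twig_Extension and Twig_SimpleFilter) and PHP 7.4+; the filter name allow_tags is my own.

```php
<?php
// Added example (not from the original answers): a Twig filter that escapes the
// whole value, then re-enables only the bare whitelisted tags.
// Assumes Twig 3 (Symfony2-era names: Twig_Extension / Twig_SimpleFilter).

use Twig\Extension\AbstractExtension;
use Twig\TwigFilter;

final class TagWhitelistExtension extends AbstractExtension
{
    public function getFilters(): array
    {
        // is_safe => html: Twig's autoescaper will not escape the result again,
        // so the template needs no |raw.
        return [
            new TwigFilter('allow_tags', [$this, 'allowTags'], ['is_safe' => ['html']]),
        ];
    }

    /**
     * @param string[] $tags tag names to allow, e.g. ['br', 'p']
     */
    public function allowTags(string $text, array $tags = ['br']): string
    {
        $escaped = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

        foreach ($tags as $tag) {
            $tag = strtolower($tag);
            if (!ctype_alnum($tag)) {
                throw new \InvalidArgumentException("Invalid tag name: $tag");
            }
            // Restore <tag>, </tag> and <tag /> and nothing else: a tag carrying
            // attributes does not match, so it stays escaped text instead of being
            // emitted with its attributes intact (strip_tags keeps attributes on
            // allowed tags).
            $escaped = (string) preg_replace(
                '~&lt;(/?)' . $tag . '\s*(/?)&gt;~i',
                '<$1' . $tag . '$2>',
                $escaped
            );
        }

        return $escaped;
    }
}

// Template usage once the class is registered as a service tagged twig.extension:
//   {{ var|allow_tags }}               only <br> and <br /> survive
//   {{ var|allow_tags(['br', 'p']) }}  <br>, <p> and </p> survive, without attributes
```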
Comments
- jonv1 (almost 2 years): I pass a variable to my twig template in Symfony2, this variable may contain <br /> html tags, I have tried to create an extension (function), but the variable still gets escaped. How can I output a twig variable that allows the <br /> tag? Is there a simple solution to just allow a whitelist of allowed tags in certain templates? I've searched about twig sandboxes, but I'm not sure if that is my solution. edit: I still want the variable to be escaped, but to allow exclusively the <br /> tag.
- jonv1 (over 12 years): sorry for the late response. Thanks.
- Jens Wegar (almost 11 years): There is a fundamental difference between escape and striptags in that escape will make the tags harmless by replacing the <> with html entities, whereas striptags will remove the tag completely. So this would not be a good strategy if e.g. you want to allow most HTML but escape the <script>-tag
- Kamil Dziedzic (over 10 years): I don't see a point of using {{ var|raw|nl2br }} since {{ var|raw }} already allows to use anything (well yeah, except \n) but the answer {{ var|nl2br }} is brilliant since it keeps in place symfony's autoescape but allows to easily add <br> +1
- cw24 (about 10 years): I also think this is the best answer. If you are looking to allow some HTML in your script but still keep it safe, you need to work with a white list
- datasn.io (about 9 years): Ain't the 'raw' making it unsafe here?
- SenseException (over 8 years): nl2br filter is also a nice answer, when you consider having newlines instead of br-tags in your string.
- gabrielem (about 8 years): There is no need to create a custom twig extension to allow <br> tag to be displayed as @Artem L answered below.
- Jakub Zalas (about 8 years): @gabrielem How will stripping BR tags let them be displayed? The question was about whitelisting tags, not blacklisting them.
- gabrielem (about 8 years): @JakubZalas by inserting a tag in the striptags function you are going to "whitelist" it. And the BR tag will be displayed, no other tags. And this is a correct answer for the question. You just need to use the function striptags as it is. ;) and how "Artem L" answered below.
- Jakub Zalas (about 8 years): Ah, you're right. I forgot the second argument to strip_tags() is actually a white list.