* 1.8.0 (2012-XX-XX)
+ * simplified usage of the autoescape tag; the only argument is now the escaping strategy or false (with a BC layer)
* added a way to dynamically change the auto-escaping strategy according to the template "filename"
* changed the autoescape option to also accept a supported escaping strategy (for BC, true is equivalent to html)
* added an embed tag
.. code-block:: jinja
- {% autoescape true %}
+ {% autoescape true %} {# as of Twig 1.8, this is equivalent to {% autoescape 'html' %} #}
Everything will be automatically escaped in this block
+ using the HTML strategy
{% endautoescape %}
{% autoescape false %}
- Everything will be outputed as is in this block
+ Everything will be outputted as is in this block
{% endautoescape %}
+ {# deprecated as of Twig 1.8 #}
{% autoescape true js %}
Everything will be automatically escaped in this block
using the js escaping strategy
{% endautoescape %}
+ {# as of Twig 1.8 #}
+ {% autoescape 'js' %}
+ Everything will be automatically escaped in this block
+ using the js escaping strategy
+ {% endautoescape %}
+
When automatic escaping is enabled everything is escaped by default except for
values explicitly marked as safe. Those can be marked in the template by using
the :doc:`raw<../filters/raw>` filter:
public function parse(Twig_Token $token)
{
$lineno = $token->getLine();
- $value = $this->parser->getStream()->expect(Twig_Token::NAME_TYPE)->getValue();
- if (!in_array($value, array('true', 'false'))) {
- throw new Twig_Error_Syntax("Autoescape value must be 'true' or 'false'", $lineno);
+ $expr = $this->parser->getExpressionParser()->parseExpression();
+ if (!$expr instanceof Twig_Node_Expression_Constant) {
+ throw new Twig_Error_Syntax('An escaping strategy must be a string or a Boolean.', $lineno);
}
- $value = 'true' === $value ? 'html' : false;
+ $value = $expr->getAttribute('value');
- if ($this->parser->getStream()->test(Twig_Token::NAME_TYPE)) {
+ $compat = true === $value || false === $value;
+
+ if (true === $value) {
+ $value = 'html';
+ }
+
+ if ($compat && $this->parser->getStream()->test(Twig_Token::NAME_TYPE)) {
if (false === $value) {
throw new Twig_Error_Syntax('Unexpected escaping strategy as you set autoescaping to false.', $lineno);
}
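Review bot: The new guard only checks that the expression is a `Twig_Node_Expression_Constant`, so `{% autoescape 1 %}` or `{% autoescape null %}` is accepted, `$compat` stays false, and a value that is neither string nor Boolean flows on as the escaping strategy, even though the error message promises "a string or a Boolean". Tighten it right after `$value = $expr->getAttribute('value');` with `if (!is_string($value) && !is_bool($value)) { throw new Twig_Error_Syntax('An escaping strategy must be a string or a Boolean.', $lineno); }` so the strategy is rejected at parse time with the same message. Whether an unknown strategy name is rejected later at compile or render time is not visible in this hunk, and a parse-time check keeps the failure close to the template author either way. The body of parse() continues past the end of the hunk.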
--TEST--
"autoescape" tag applies escaping on its children
--TEMPLATE--
-{% autoescape true %}
+{% autoescape 'html' %}
{{ var }}<br />
{% endautoescape %}
{% autoescape false %}
--TEST--
"autoescape" tag applies escaping on embedded blocks
--TEMPLATE--
-{% autoescape true %}
+{% autoescape 'html' %}
{% block foo %}
{{ var }}
{% endblock %}
--TEST--
"autoescape" tag does not double-escape
--TEMPLATE--
-{% autoescape true %}
+{% autoescape 'html' %}
{{ var|escape }}
{% endautoescape %}
--DATA--
{% endautoescape %}
-autoescape true
-{% autoescape true %}
+autoescape 'html'
+{% autoescape 'html' %}
safe_br
{{ safe_br() }}
{% endautoescape %}
-autoescape true js
-{% autoescape true js %}
+autoescape js
+{% autoescape 'js' %}
safe_br
{{ safe_br() }}
<br />
-autoescape true
+autoescape 'html'
safe_br
<br />
<br />
-autoescape true js
+autoescape js
safe_br
\x3cbr \x2f\x3e
--TEST--
"autoescape" tag does not apply escaping on literals
--TEMPLATE--
-{% autoescape true %}
+{% autoescape 'html' %}
1. Simple literal
{{ "<br />" }}
"autoescape" tags can be nested at will
--TEMPLATE--
{{ var }}
-{% autoescape true %}
+{% autoescape 'html' %}
{{ var }}
{% autoescape false %}
{{ var }}
- {% autoescape true %}
+ {% autoescape 'html' %}
{{ var }}
{% endautoescape %}
{{ var }}
--TEST--
"autoescape" tag applies escaping to object method calls
--TEMPLATE--
-{% autoescape true %}
+{% autoescape 'html' %}
{{ user.name }}
{{ user.name|lower }}
{{ user }}
--TEST--
"autoescape" tag does not escape when raw is used as a filter
--TEMPLATE--
-{% autoescape true %}
+{% autoescape 'html' %}
{{ var|raw }}
{% endautoescape %}
--DATA--
{% autoescape true js %}{{ var }}{% endautoescape %}
{% autoescape true html %}{{ var }}{% endautoescape %}
+
+{% autoescape 'js' %}{{ var }}{% endautoescape %}
+
+{% autoescape 'html' %}{{ var }}{% endautoescape %}
--DATA--
return array('var' => '<br />"')
--EXPECT--
\x3cbr \x2f\x3e\x22
<br />"
+\x3cbr \x2f\x3e\x22
+<br />"
escape types
--TEMPLATE--
-1. autoescape true |escape('js')
+1. autoescape 'html' |escape('js')
-{% autoescape true %}
+{% autoescape 'html' %}
<a onclick="alert("{{ msg|escape('js') }}")"></a>
{% endautoescape %}
-2. autoescape true html |escape('js')
+2. autoescape 'html' |escape('js')
-{% autoescape true html %}
+{% autoescape 'html' %}
<a onclick="alert("{{ msg|escape('js') }}")"></a>
{% endautoescape %}
-3. autoescape true js |escape('js')
+3. autoescape 'js' |escape('js')
-{% autoescape true js %}
+{% autoescape 'js' %}
<a onclick="alert("{{ msg|escape('js') }}")"></a>
{% endautoescape %}
<a onclick="alert("{{ msg|escape('js')|escape('html') }}")"></a>
{% endautoescape %}
-6. autoescape true html |escape('js')|escape('html')
+6. autoescape 'html' |escape('js')|escape('html')
-{% autoescape true html %}
+{% autoescape 'html' %}
<a onclick="alert("{{ msg|escape('js')|escape('html') }}")"></a>
{% endautoescape %}
return array('msg' => "<>\n'\"")
--EXPECT--
-1. autoescape true |escape('js')
+1. autoescape 'html' |escape('js')
<a onclick="alert("\x3c\x3e\x0a\x27\x22")"></a>
-2. autoescape true html |escape('js')
+2. autoescape 'html' |escape('js')
<a onclick="alert("\x3c\x3e\x0a\x27\x22")"></a>
-3. autoescape true js |escape('js')
+3. autoescape 'js' |escape('js')
<a onclick="alert("\x3c\x3e\x0a\x27\x22")"></a>
<a onclick="alert("\x3c\x3e\x0a\x27\x22")"></a>
-6. autoescape true html |escape('js')|escape('html')
+6. autoescape 'html' |escape('js')|escape('html')
<a onclick="alert("\x3c\x3e\x0a\x27\x22")"></a>
--TEST--
"autoescape" tag applies escaping after calling filters
--TEMPLATE--
-{% autoescape true %}
+{% autoescape 'html' %}
(escape_and_nl2br is an escaper filter)
--TEST--
"autoescape" tag do not applies escaping on filter arguments
--TEMPLATE--
-{% autoescape true %}
+{% autoescape 'html' %}
{{ var|nl2br("<br />") }}
{{ var|nl2br("<br />"|escape) }}
{{ var|nl2br(sep) }}
--TEST--
"autoescape" tag applies escaping after calling filters, and before calling pre_escape filters
--TEMPLATE--
-{% autoescape true %}
+{% autoescape 'html' %}
(nl2br is pre_escaped for "html" and declared safe for "html")
--TEST--
"autoescape" tag handles filters preserving the safety
--TEMPLATE--
-{% autoescape true %}
+{% autoescape 'html' %}
(preserves_safety is preserving safety for "html")