Skip to content

Commit

Permalink
[Doc] Document about html and html_attr strategies
Browse files Browse the repository at this point in the history
  • Loading branch information
Kocal committed Sep 19, 2024
1 parent 70886ec commit 7df57fd
Showing 1 changed file with 20 additions and 2 deletions.
22 changes: 20 additions & 2 deletions doc/filters/escape.rst
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,7 @@ And here is how to escape variables included in JavaScript code:
The ``escape`` filter supports the following escaping strategies for HTML
documents:

* ``html``: escapes a string for the **HTML body** context.
* ``html``: escapes a string for the **HTML body** context, or for HTML attributes values **inside quotes**.

* ``js``: escapes a string for the **JavaScript** context.

Expand All @@ -50,7 +50,7 @@ documents:
* ``url``: escapes a string for the **URI or parameter** contexts. This should
not be used to escape an entire URI; only a subcomponent being inserted.

* ``html_attr``: escapes a string for the **HTML attribute** context.
* ``html_attr``: escapes a string for the **HTML attribute** context, **without quotes** around HTML attribute values.

Note that doing contextual escaping in HTML documents is hard and choosing the
right escaping strategy depends on a lot of factors. Please, read related
Expand Down Expand Up @@ -90,6 +90,24 @@ to learn more about this topic.
{{ var|escape(strategy)|raw }} {# won't be double-escaped #}
{% endautoescape %}
.. tip::

The ``html_attr`` escaping strategy can be useful when you need to
escape a **dynamic HTML attribute name**.

.. code-block:: html+twig

<p {{ your_html_attr|e('html_attr') }}="attribute value">

It can also be used for escaping **dynamic HTML attribute value** if
it is not quoted, but this is **less performant**. Instead, it is recommended
to quote the HTML attribute value and use ``html`` escaping strategy.

.. code-block:: html+twig

Check failure on line 106 in doc/filters/escape.rst

View workflow job for this annotation

GitHub Actions / DOCtor-RST

Please add a blank line after " .. code-block:: html+twig
<p data-content="{{ content|e('html') }}">
{# is equivalent to, but is less performant #}
<p data-content={{ content|e('html_attr') }}>

Custom Escapers
---------------

Expand Down

0 comments on commit 7df57fd

Please # to comment.