Ahmad Sajid

Reputation: 191

php Symfony2 alternative filter for raw

Hi, I am developing an app with Symfony2, and for quality control I used SensioLabs Insight. But the error I'm getting puts me dumbstruck. This is the error I'm getting:

Using the |raw filter or the {% autoescape false %} block in a Twig template exposes users to Cross-Site Scripting (XSS) attacks

My question is: what filter can I use instead of raw?

{% if (value is not iterable and value matches '/^(function|\{)/i') %}{{ value|raw }}{% else %}{{ value|json_encode|raw }}{% endif %};

thanks

Upvotes: 1

Views: 785

Answers (2)

Francesco Abeni

Reputation: 4265

The raw filter exists for a reason, so if you are completely sure of what is going to be in value, you can just keep using it.

An alternative filter really depends on what you want to allow or not; as @Yassine suggested, a custom filter is probably a good idea because it has the additional advantage that you can move the whole logic out of your layout.

Upvotes: 1

Yassine Guedidi

Reputation: 1715

You can create your Twig extension with a custom filter (e.g. named jscode) with your logic and mark it safe for HTML, and then just use:

{{ value|jscode }}

Upvotes: 2
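A sketch of the extension this answer suggests, added here as an example and not code from the question or from either answer. It assumes Twig 2 or 3 under Symfony autoconfiguration (which tags any AbstractExtension subclass as a Twig extension); the class name, namespace and filter behaviour are choices made for illustration.

```php
<?php
// Added example: a "jscode" filter that replaces the |raw usage from the
// question. Rather than passing values through unescaped, it always emits a
// JSON literal with the HTML-sensitive characters hex-escaped, so the output
// can be embedded inside a <script> element without being able to close it
// or inject markup. Namespace and class name are illustrative.

namespace App\Twig;

use Twig\Extension\AbstractExtension;
use Twig\TwigFilter;

final class JsCodeExtension extends AbstractExtension
{
    public function getFilters(): array
    {
        return [
            // is_safe => ['html'] stops Twig from autoescaping the result;
            // that is only acceptable because encode() escapes it itself.
            new TwigFilter('jscode', [$this, 'encode'], ['is_safe' => ['html']]),
        ];
    }

    /**
     * Encode a PHP value (string, number, array, object, bool, null) as a
     * JavaScript literal that is safe inside <script>...</script>.
     */
    public function encode($value): string
    {
        $flags = JSON_HEX_TAG       // < and > become \u003C and \u003E
               | JSON_HEX_AMP       // & becomes \u0026
               | JSON_HEX_APOS      // ' becomes \u0027
               | JSON_HEX_QUOT      // " becomes \u0022
               | JSON_THROW_ON_ERROR;

        return json_encode($value, $flags);
    }
}

// Template usage (Twig), inside a <script> element:
//   var settings = {{ value|jscode }};
//
// For the string "</script><img src=x onerror=alert(1)>" the filter emits
//   "\u003C/script\u003E\u003Cimg src=x onerror=alert(1)\u003E"
// which the browser treats as an ordinary string value, not as markup.
```

This deliberately drops the original template's passthrough branch for values that look like a function or object literal, since that branch is exactly the path Insight flags; if such values are needed, they should come from code under your control and be whitelisted in the extension, not detected by a regex on user-supplied text. For plain strings inside an existing JavaScript string literal, Twig's built-in escape('js') strategy is an alternative that needs no custom extension.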
