Skip to content

Allow Markup to be marked as safe for escaping#4801

Draft
aschempp wants to merge 1 commit into
twigphp:3.xfrom
aschempp:feature/safe-markup
Draft

Allow Markup to be marked as safe for escaping#4801
aschempp wants to merge 1 commit into
twigphp:3.xfrom
aschempp:feature/safe-markup

Conversation

@aschempp
Copy link
Copy Markdown

@aschempp aschempp commented May 18, 2026

Draft implementation of #4754

Let's keep the discussion on why and how to the original issue, but feel free to discuss the suggested code changes here 😊

/cc @Toflar

@aschempp aschempp mentioned this pull request May 18, 2026
Open
stof
stof reviewed May 18, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@stof stof left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The {% set %} tag in capture mode should probably be updated to mark its Markup output as safe for the current autoescaping strategy rather than all.
But I'm not sure whether we can do that in 3.x or should wait for 4.0.

Comment thread src/Markup.php
private array $options;

public function __construct($content, $charset)
public function __construct($content, $charset, array $options = [])
Copy link
Copy Markdown
Member

@stof stof May 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should pass an array of strategies there, not an array of options.

Copy link
Copy Markdown
Author

@aschempp aschempp May 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought about that too, but was unsure whether there can be more options. Also, this would make the syntax kinda identical with functions and filters. But I'm totally fine with either way.

Copy link
Copy Markdown
Member

@stof stof May 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think the Markup value object need to be consistent in syntax with functions and filters. They have totally different purposes.

Comment thread src/Runtime/EscaperRuntime.php
public function escape($string, string $strategy = 'html', ?string $charset = null, bool $autoescape = false)
{
if ($autoescape && $string instanceof Markup) {
if ($autoescape && $string instanceof Markup && (null === $string->getSafe() || \in_array($strategy, $string->getSafe(), true))) {
Copy link
Copy Markdown
Member

@stof stof May 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should probably take into account the case of strategies that are subset of others (html_attr is safe for html_attr_relaxed and html, and html_attr_relaxed is safe for html)

Copy link
Copy Markdown
Author

@aschempp aschempp May 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I didn't know about that! Does that also apply to functions and filters? If my function [is_safe => 'html_attr'], does a foo.html.twig skip autoescaping? Could you point to any code to look at?

Copy link
Copy Markdown
Member

@stof stof May 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See https://github.com/twigphp/Twig/blob/3.x/src/NodeVisitor/SafeAnalysisNodeVisitor.php which does the analysis for auto-escaping.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@stof stof stof left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@aschempp @stof