17

I use Symfony 2.1 and have the default config.yml.

The documentation says:

  {# but static strings are never escaped #}
  {{ '<h3>foo</h3>'|trans }}

But if I copy and paste it into my empty template (without any additional autoescape blocks or anything else), I get the escaped string <h3>foo</h3>. What am I doing wrong?

2
  • I've provided an answer but I was wondering why you would want to do this in practice as if you wanted to change the markup you'd need to update all your translation keys. Or is this a simplified example and you're really injecting the html into the translation using message placeholders? Commented Nov 22, 2012 at 18:49
  • Yes it's a simplified example. In real life I want to inject a variable between tags: {{ 'Hello <strong>%var%</strong>'|trans({'%var%' : var}) }}. Now to do this I have to write: {{ 'Hello <strong>%var%</strong>'|trans({'%var%' : var|e})|raw }} Commented Nov 23, 2012 at 6:18

2 Answers

20

Try it with the Twig raw filter:

  {{ '<h3>foo</h3>' | trans | raw }}

However, do not use the raw filter if you are processing any user input! It allows for cross-site-scripting attacks, according to the creators of Symfony. See this similar question for a secure but more tedious alternative.


4 Comments

Yes, it works. So the documentation is wrong when it says "but static strings are never escaped". Static strings are escaped too.
Hmm, I've only used html in translations where I've been using placeholders in which case the string is by definition not static. You're right that the documentation suggests this example should work without raw, in which case it's a bug, unless you're not using the latest version of Symfony and it's a recent change?
And if you had some user data injected in the Twig template, you'd have created a security vulnerability: blog.insight.sensiolabs.com/2013/11/28/…. Moral of the story: do not use raw!
@SteveDL In my defence, when I wrote this answer the OP's question gave the impression they wanted to translate a static string. I wouldn't agree with 'never use raw' - it has its uses. For example I've used it on translations I inject start/end anchor tags into, an invaluable use in my opinion, as we needed to keep markup in the twig files. Nevertheless, you are right, I should have said users of 'raw' beware / take care.
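
The variants discussed in this answer and in the question's comments, side by side. This is an added example, not code from the original posts; the variable `var` and its sample value are constructed, and it assumes the default Symfony setup with Twig autoescaping enabled.

```twig
{# Constructed sample value standing in for user-controlled input #}
{% set var = 'Bob <script>alert(1)</script>' %}

{# 1. Filter only: the whole result is auto-escaped. Nothing is injected,
      but the <strong> tags from the message are escaped as well, which is
      the behaviour the question describes. #}
{{ 'Hello <strong>%var%</strong>'|trans({'%var%': var}) }}

{# 2. UNSAFE: |raw switches off escaping for the entire result, so any
      markup contained in var reaches the page unescaped. #}
{{ 'Hello <strong>%var%</strong>'|trans({'%var%': var})|raw }}

{# 3. Escape the placeholder value first, then mark the result raw.
      The message's own tags stay as markup; var is rendered as text. #}
{{ 'Hello <strong>%var%</strong>'|trans({'%var%': var|e})|raw }}

{# 4. Tag form: the output of {% trans %} is not auto-escaped, so the
      placeholder value needs the same explicit |e as in variant 3. #}
{% trans with {'%var%': var|e} %}Hello <strong>%var%</strong>{% endtrans %}
```

In variants 3 and 4 the translated message itself is still trusted markup, so the translation catalogue has to be treated like template code when it is reviewed.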
2

Holding HTML stuff in translations is wrong, because translators usually break it. But if you really need it:

  {% trans %}<h3>foo</h3>{% endtrans %}

https://github.com/symfony/symfony/issues/2713#issuecomment-12510417
