@ChrisDBrown
Contributor

From the Twig documentation the different html escapes are (emphasis mine):

  • html: escapes a string for the HTML body context, or for HTML attributes values inside quotes.
  • html_attr: escapes a string when used as an HTML attribute name, and also when used as the value of an HTML attribute without quotes (e.g. data-attribute={{ some_value }}).

The example code here is inside quotes:

<div data-user-profile="{{ app.user ? app.user.profileData|json_encode|e('html') }}">
    <!-- ... -->
</div>

so it seems better to recommend html as the escape strategy. It'd perhaps be better still to highlight this difference in the Symfony docs?

@ChrisDBrown ChrisDBrown marked this pull request as ready for review November 19, 2025 11:21
@carsonbot carsonbot added this to the 6.4 milestone Nov 19, 2025
@ChrisDBrown ChrisDBrown changed the title [Frontend] Correct escape type for HTML attribute example Correct escape type for HTML attribute example Nov 19, 2025
@carsonbot carsonbot changed the title Correct escape type for HTML attribute example Correct escape type for HTML attribute example Nov 19, 2025
@javiereguiluz
Member

Thanks Chris!

About adding a note about this in Symfony Docs ... I'd say let's not add it for now. Defining HTML attributes without wrapping their values with quotes is extremely rare and the related Twig docs that you shared (https://twig.symfony.com/doc/3.x/filters/escape.html) explain this in detail.
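The difference between the two strategies discussed above, as an added example that is not part of this pull request or of Twig's own code: it renders the attribute quoted and unquoted, then parses the markup back with Python's standard HTML parser. The two escaper functions are simplified stand-ins for Twig's `html` and `html_attr` strategies, and the profile data is constructed.

```python
import html
import json
import re
from html.parser import HTMLParser

def escape_html(value):
    # Same character set as Twig's "html" strategy: & < > " '
    return html.escape(value, quote=True)

def escape_html_attr(value):
    # Simplified stand-in for "html_attr" (assumption, not Twig's code): every
    # character other than alphanumerics and , . - _ becomes a numeric entity.
    return re.sub(r"[^A-Za-z0-9,.\-_]",
                  lambda m: f"&#x{ord(m.group()):02X};", value)

class _AttrCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        self.found = attrs

def parse_attrs(markup):
    """Attributes as an HTML parser sees them (values entity-decoded)."""
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.found

# Constructed sample data; like PHP's json_encode, no spaces between tokens.
PROFILE = json.dumps({"name": "Jane Doe"}, separators=(",", ":"))

def render(escaper, quoted):
    q = '"' if quoted else ""
    return f"<div data-user-profile={q}{escaper(PROFILE)}{q}></div>"

def recovered(escaper, quoted):
    """Return (parsed data-user-profile value, number of attributes on the div)."""
    attrs = parse_attrs(render(escaper, quoted))
    return dict(attrs).get("data-user-profile"), len(attrs)

if __name__ == "__main__":
    for name, esc in (("html", escape_html), ("html_attr", escape_html_attr)):
        for quoted in (True, False):
            value, count = recovered(esc, quoted)
            print(f"{name:9} quoted={quoted!s:5} attrs={count} intact={value == PROFILE}")
```

Only the `html` and unquoted combination loses data: the space inside the value ends the attribute, and the remainder is parsed as a second attribute.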

@javiereguiluz javiereguiluz merged commit fcb6dce into symfony:6.4 Nov 21, 2025
3 checks passed
@ChrisDBrown
Contributor Author

Makes sense to me, thanks!

@ChrisDBrown ChrisDBrown deleted the patch-1 branch November 21, 2025 12:04
4 participants