16

I use Symfony 2.1 and have the default config.yml.

The documentation says:

  {# but static strings are never escaped #}
  {{ '<h3>foo</h3>'|trans }}

But if I copy and paste it into my empty template (without any additional autoescape or anything else), I get the escaped string `&lt;h3&gt;foo&lt;/h3&gt;`. What am I doing wrong?

Mikhail
  • I've provided an answer but I was wondering why you would want to do this in practice as if you wanted to change the markup you'd need to update all your translation keys. Or is this a simplified example and you're really injecting the html into the translation using message placeholders? – redbirdo Nov 22 '12 at 18:49
  • Yes it's a simplified example. In real life I want to inject a variable between tags: `{{ 'Hello %var%'|trans({'%var%' : var}) }}`. Now to do this I have to write: `{{ 'Hello %var%'|trans({'%var%' : var|e})|raw }}` – Mikhail Nov 23 '12 at 06:18

2 Answers

19

Try it with the Twig `raw` filter:

  {{ '<h3>foo</h3>' | trans | raw }}

However, do not use the raw filter if you are processing any user input! It allows for cross-site-scripting attacks, according to the creators of Symfony. See this similar question for a secure but more tedious alternative.

Darryl Hein
redbirdo
  • 1
    Yes, it works. So the documentation is wrong when it says `but static strings are never escaped`. Static strings are escaped too. – Mikhail Nov 23 '12 at 06:21
  • 2
    Hmm, I've only used html in translations where I've been using placeholders in which case the string is by definition not static. You're right that the documentation suggests this example should work without raw, in which case it's a bug, unless you're not using the latest version of Symfony and it's a recent change? – redbirdo Nov 23 '12 at 10:59
  • 2
    And if you had some user data injected in the Twig template, you'd have created a security vulnerability: http://blog.insight.sensiolabs.com/2013/11/28/a-new-batch-of-rules.html. Moral of the story: do not use `raw`! – Steve Dodier-Lazaro Jun 18 '15 at 17:30
  • 2
    @SteveDL In my defence, when I wrote this answer the OP's question gave the impression they wanted to translate a static string. I wouldn't agree with 'never use raw' - it has its uses. For example, I've used it on translations I inject start/end anchor tags into, an invaluable use in my opinion, as we needed to keep markup in the twig files. Nevertheless, you are right, I should have said users of 'raw' beware / take care. – redbirdo Jun 18 '15 at 18:53
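
The three behaviours discussed in this thread, as an added example that is not part of the original posts: plain PHP that models Twig's default autoescaping, `|raw` with an unescaped placeholder, and `|raw` with the placeholder passed through `|e`. Twig itself is not used; `trans_stub()`, the `render_*` function names and the sample strings are assumptions made for illustration.

```php
<?php
// Added example (hypothetical names): models the Twig expressions from this
// thread with core PHP only, so the escaping order is visible.

/** Stand-in for trans(): substitutes placeholders, performs no escaping. */
function trans_stub(string $message, array $params = []): string
{
    return strtr($message, $params);
}

/** Same flags Twig's html escaper uses for |e and for autoescaping. */
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** {{ msg|trans(params) }}: autoescape escapes the whole result, markup included. */
function render_autoescaped(string $message, array $params): string
{
    return html_escape(trans_stub($message, $params));
}

/** {{ msg|trans(params)|raw }}: placeholder values reach the page verbatim. */
function render_raw_unescaped(string $message, array $params): string
{
    return trans_stub($message, $params);
}

/** {{ msg|trans({'%var%': var|e})|raw }}: values escaped first, markup kept. */
function render_raw_escaped(string $message, array $params): string
{
    $escaped = array_map(
        static fn ($value): string => html_escape((string) $value),
        $params
    );
    return trans_stub($message, $escaped);
}

// Constructed sample data: a trusted catalogue string that contains markup,
// and an untrusted value supplied by a user.
$message = '<h3>Hello %var%</h3>';
$params  = ['%var%' => '<script>alert(1)</script>'];

echo render_autoescaped($message, $params), PHP_EOL;
echo render_raw_unescaped($message, $params), PHP_EOL;
echo render_raw_escaped($message, $params), PHP_EOL;
```

Only the third form keeps the `<h3>` from the translation while turning the user-supplied value into inert text; it is safe only as long as the translation string itself comes from a trusted catalogue.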
2

Holding HTML stuff in translations is wrong, because translators usually break it. But if you really need it:

  {% trans %}<h3>foo</h3>{% endtrans %}

https://github.com/symfony/symfony/issues/2713#issuecomment-12510417

Artem L