Latte Escaping

Version:

05. 01. 2026

Responsible person:

Dominik Šlechta

Default {$variable} syntax MUST be used for auto-escaping. The |noescape filter MUST only be used with trusted HTML content to prevent XSS attacks.

Auto-escaping

  • Rule: The default {$variable} syntax MUST be used for outputting variables, as it auto-escapes content.

  • Reason: Auto-escaping prevents XSS (Cross-Site Scripting) attacks by converting characters with special meaning in HTML into HTML entities, so untrusted input is rendered as text rather than as markup.

Example (Correct):

<p>{$user->name}</p>
<p>{$article->title}</p>

Disabling Escaping

  • Rule: The |noescape filter MUST only be used when outputting trusted HTML content.

  • Reason: Disabling escaping can introduce security vulnerabilities if used with untrusted data.

Example (Correct - trusted HTML):

<!-- Only for trusted HTML content like WYSIWYG editor output -->
<div class="content">{$article->htmlContent|noescape}</div>

<!-- For SVG icons or similar trusted content -->
{$svgIcon|noescape}

Example (Incorrect - untrusted data):

<!-- NEVER do this with user input -->
<p>{$userComment|noescape}</p>
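The following PHP script is an added example, not part of the original guideline. It renders one constructed untrusted value with and without |noescape so the difference is visible in the output, and renders a constructed trusted value both with |noescape and wrapped in Latte\Runtime\Html (Latte's own type for marking a string as trusted HTML). It assumes Latte 3 installed through Composer (vendor/autoload.php); the template names and sample strings are made up for the example.

```php
<?php
// Added example, not part of the original guideline.
// Assumes Latte 3 installed through Composer (vendor/autoload.php).
require __DIR__ . '/vendor/autoload.php';

use Latte\Engine;
use Latte\Loaders\StringLoader;
use Latte\Runtime\Html;

// Constructed sample input: a comment containing active markup, as a user could submit it.
$userComment = '<script>alert("xss")</script> nice article';

// Constructed sample of content the application already trusts (e.g. sanitized WYSIWYG output).
$trustedHtml = '<p>Editor <strong>output</strong></p>';

$latte = new Engine();
$latte->setLoader(new StringLoader([
    // Correct: default syntax, Latte escapes the value for the HTML context.
    'escaped' => '<p>{$comment}</p>',
    // Incorrect for user input: |noescape emits the value verbatim.
    'raw'     => '<p>{$comment|noescape}</p>',
    // Correct use of |noescape: the value is trusted HTML.
    'trusted' => '<div class="content">{$content|noescape}</div>',
    // Alternative: the PHP side wraps trusted HTML in Latte\Runtime\Html; Latte then
    // outputs it unescaped without |noescape, keeping the trust decision out of the template.
    'wrapped' => '<div class="content">{$content}</div>',
]));

echo $latte->renderToString('escaped', ['comment' => $userComment]), PHP_EOL;
echo $latte->renderToString('raw',     ['comment' => $userComment]), PHP_EOL;
echo $latte->renderToString('trusted', ['content' => $trustedHtml]), PHP_EOL;
echo $latte->renderToString('wrapped', ['content' => new Html($trustedHtml)]), PHP_EOL;
```

The first render turns the angle brackets and quotes of the comment into entities, so a browser shows the script as text; the second emits the script element as-is, which is the XSS the rule exists to prevent. The last two renders produce the same trusted markup, with the Html wrapper moving the "this is trusted" decision from the template into PHP code, where it is easier to review.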

Context-aware Escaping

  • Rule: Latte automatically applies context-aware escaping. DO NOT manually escape unless necessary.

Example:

<!-- Latte auto-escapes based on context -->
<a href="{$url}">Link</a>              <!-- URL context -->
<script>var data = {$json};</script>   <!-- JS context -->
<p>{$text}</p>                         <!-- HTML context -->
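The following PHP script is an added example, not part of the original guideline. It renders the three contexts from the example above with constructed inputs chosen to show what each context's escaping does: a URL with a disallowed scheme in href (Latte checks href and src values and outputs an empty string when they are not a web URL), an array in the script block (encoded as JSON, with any "</" broken up so it cannot close the script element), and markup in body text. It assumes Latte 3 installed through Composer.

```php
<?php
// Added example, not part of the original guideline.
// Assumes Latte 3 installed through Composer (vendor/autoload.php).
require __DIR__ . '/vendor/autoload.php';

use Latte\Engine;
use Latte\Loaders\StringLoader;

$latte = new Engine();
$latte->setLoader(new StringLoader([
    // Same three contexts as the guideline's example; Latte picks the escaping per position.
    'page' => '<a href="{$url}">Link</a>' . "\n"
            . '<script>var data = {$json};</script>' . "\n"
            . '<p>{$text}</p>',
]));

// Constructed untrusted inputs, one per context.
$params = [
    // URL context: not a web URL, so Latte's href check emits an empty attribute value.
    'url'  => 'javascript:alert(1)',
    // JS context: the array is encoded as JSON; the "</" inside the string is
    // escaped so it cannot terminate the <script> element.
    'json' => ['name' => 'Alice </script><script>alert(1)</script>'],
    // HTML context: the tags are converted to entities and shown as text.
    'text' => '<b>not bold</b>',
];

echo $latte->renderToString('page', $params), PHP_EOL;
```

No filter is written in the template; the same {$variable} syntax produces URL, JavaScript and HTML escaping depending on where it appears, which is why the rule says not to escape manually. Adding a manual escape on top would double-escape the value in the HTML context.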

Summary:

  • Default {$variable} syntax MUST be used for auto-escaping.
  • |noescape MUST only be used with trusted HTML content.
  • Latte's context-aware escaping handles different contexts automatically.