# `escape`
New in version 1.9.0: The `css`, `url`, and `html_attr` strategies were added in Twig 1.9.0.
New in version 1.14.0: The ability to define custom escapers was added in Twig 1.14.0.
The `escape` filter escapes a string for safe insertion into the final output. It supports different escaping strategies depending on the template context.
By default, it uses the HTML escaping strategy:
```twig
{{ user.username|escape }}
```
For convenience, the `e` filter is defined as an alias:
```twig
{{ user.username|e }}
```
The `escape` filter can also be used in other contexts than HTML thanks to an optional argument which defines the escaping strategy to use:
```twig
{{ user.username|e }}
{# is equivalent to #}
{{ user.username|e('html') }}
```
And here is how to escape variables included in JavaScript code:
```twig
{{ user.username|escape('js') }}
{{ user.username|e('js') }}
```
The `escape` filter supports the following escaping strategies:
- `html`: escapes a string for the **HTML body** context.
- `js`: escapes a string for the **JavaScript context**.
- `css`: escapes a string for the **CSS context**. CSS escaping can be applied to any string being inserted into CSS and escapes everything except alphanumerics.
- `url`: escapes a string for the **URI or parameter contexts**. This should not be used to escape an entire URI; only a subcomponent being inserted.
- `html_attr`: escapes a string for the **HTML attribute** context.
Note
Internally, `escape` uses the PHP native [htmlspecialchars](http://php.net/htmlspecialchars) function for the HTML escaping strategy.
Caution
When using automatic escaping, Twig tries to not double-escape a variable when the automatic escaping strategy is the same as the one applied by the escape filter; but that does not work when using a variable as the escaping strategy:
```twig
{% set strategy = 'html' %}
{% autoescape 'html' %}
{{ var|escape('html') }} {# won't be double-escaped #}
{{ var|escape(strategy) }} {# will be double-escaped #}
{% endautoescape %}
```
When using a variable as the escaping strategy, you should disable automatic escaping:
```twig
{% set strategy = 'html' %}
{% autoescape 'html' %}
{{ var|escape(strategy)|raw }} {# won't be double-escaped #}
{% endautoescape %}
```
### Custom Escapers
You can define custom escapers by calling the `setEscaper()` method on the `core` extension instance. The first argument is the escaper name (to be used in the `escape` call) and the second one must be a valid PHP callable:
```php
$twig = new Twig_Environment($loader);
// Register the callable 'csv_escaper' under the strategy name 'csv'
$twig->getExtension('core')->setEscaper('csv', 'csv_escaper');
```
When called by Twig, the callable receives the Twig environment instance, the string to escape, and the charset.
Note
Built-in escapers cannot be overridden, mainly because they should be considered as the final implementation, and also for better performance.
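One possible `csv_escaper` callable for the `csv` strategy registered above, as an added example that is not part of the Twig documentation or code base. The function body, the formula-prefix handling, the `row.csv` template and the sample values are assumptions made here, and the script presumes Twig 1.14 or later installed through Composer.

```php
<?php
// Added example; assumes Twig 1.14+ is available through Composer's autoloader.
require_once __DIR__ . '/vendor/autoload.php';

/**
 * Hypothetical escaper for a single CSV field.
 * Receives the three arguments Twig passes to a custom escaper:
 * the environment, the string to escape, and the charset.
 * Assumes an ASCII-compatible charset such as UTF-8.
 */
function csv_escaper(Twig_Environment $env, $string, $charset)
{
    $string = (string) $string;

    // Assumption: the CSV will be opened in a spreadsheet, so a field that
    // starts with a formula trigger is prefixed with a quote to keep it text.
    if ($string !== '' && strpbrk($string[0], "=+-@\t\r") !== false) {
        $string = "'" . $string;
    }

    // RFC 4180 quoting: wrap the field in double quotes when it contains the
    // delimiter, a quote or a line break, and double any embedded quote.
    if (strpbrk($string, ",\"\r\n") !== false) {
        $string = '"' . str_replace('"', '""', $string) . '"';
    }

    return $string;
}

// Constructed template: each value is escaped per field, never per row.
$loader = new Twig_Loader_Array(array(
    'row.csv' => "{{ name|escape('csv') }},{{ note|e('csv') }}\n",
));

// Automatic HTML escaping is turned off because this template emits CSV.
$twig = new Twig_Environment($loader, array('autoescape' => false));
$twig->getExtension('core')->setEscaper('csv', 'csv_escaper');

// Constructed sample values: one needs RFC 4180 quoting, one looks like a formula.
echo $twig->render('row.csv', array(
    'name' => 'Doe, "Jane"',
    'note' => '=SUM(A1:A9)',
));
```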
### Arguments
- `strategy`: The escaping strategy
- `charset`: The string charset