As suggested by effulgentsia here, I'll link to my writeup about autosanitization.
Would be awesome to prepare this killer feature in Twig.

Comments

fabianx

Priority: Normal » Major
Status: Active » Needs work

We have auto escaping in the twig_engine branch of the sandbox now.

Could you help test it, given your experience, and try to break it?

Use twig_engine branch, install D8 core, change to stark theme. (this has the safe .twig templates).

All templates will be converted to .twig before this is released, so if you find an XSS within a theme_ function, it only counts if the bug is still present after conversion of the function to .twig ;-).

Deal? :-)

Thanks for your help!

--

Links to Twig docs:

http://twig.sensiolabs.org/doc/api.html#escaper-extension - This also explains the JS/HTML contexts.
http://twig.sensiolabs.org/doc/tags/autoescape.html - autoescape tag to set another context
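A small harness for the kind of check fabianx asks for above: render one probe value through the HTML, attribute and JS contexts plus the `|raw` opt-out, and flag any output where the markup survives. This is an added example, not code from the thread or from the twig_engine sandbox, and it assumes a current Twig (3.x, namespaced classes) installed via Composer rather than the Twig 1.x of the time.

```php
<?php
// Added example (not from the issue or the twig_engine sandbox): check Twig's
// escaper in the HTML and JS contexts that the linked docs describe.
// Assumes Twig 3.x installed via Composer (assumption, not from the thread).
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// Constructed templates: one per output context, plus the |raw escape hatch
// that a reviewer should grep for during the theme_ -> .twig conversion.
$templates = [
    'html' => '<p>{{ title }}</p>',
    'attr' => '<a title="{{ title }}">x</a>',
    'js'   => "<script>var t = '{% autoescape 'js' %}{{ title }}{% endautoescape %}';</script>",
    'raw'  => '<p>{{ title|raw }}</p>',
];

// Default strategy 'html': every {{ }} output is HTML-escaped unless the
// template opts out (|raw) or switches context (autoescape tag).
$twig = new Environment(new ArrayLoader($templates), ['autoescape' => 'html']);

// Constructed probe value containing characters that matter in each context.
$probe = '<b onmouseover="x()">\'";</b>';

foreach ($templates as $name => $src) {
    $out = $twig->render($name, ['title' => $probe]);
    // The 'raw' template reproduces the probe verbatim; that is the pattern
    // to flag in template review, not a defect in the engine.
    $verdict = (strpos($out, '<b ') === false) ? 'escaped' : 'UNESCAPED';
    printf("%-4s %-9s %s\n", $name, $verdict, $out);
}
```

Extending `$templates` with each converted .twig file and a few more probe values gives a quick regression check that the escaping a template relies on is still in place after conversion.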

Project: » Lost & found issues

This issue’s project has disappeared. Most likely, it was a sandbox project, which can be deleted by its maintainer. See the Lost & found issues project page for more details. (The missing project ID was 1750250)