I'm using Twig in my Symfony project.
Symfony should enable autoescape by default. However it doesn't do this by default and after I enable it by hand it still won't work.
I've configured Twig to autoescape all my variables.
twig:
autoescape: true
But this doesn't filter anything. Both HTML and JavaScript aren't escaped.
There is no custom autoescape_service and I'm not filtering the variables with |raw or { autoescape false }.
I've double check the generated config to make sure the value hasn't been overwritten. In app/cache/dev/appDevDebugProjectContainer.xml under the twig service definition the arguments are as follows:
<argument key="debug">true</argument>
<argument key="strict_variables">false</argument>
<argument key="cache">false</argument>
<argument key="autoescape">true</argument>
<argument key="exception_controller">twig.controller.exception:showAction</argument>
<argument key="autoescape_service">null</argument>
<argument key="autoescape_service_method">null</argument>
<argument key="charset">UTF-8</argument>
Is there another way that Twig overwrites the autoescape option that I'm missing? Or how can I force enable it?
