auto_escape

1.0 1.1 1.2 1.3

auto_escape — Overrides the compiler auto-escape setting within the block

Description

<?php
auto_escape(mixed $enabled)

Examples

Example #1, no escaping:

index.tpl
{$user="<a href=\"javascript:jsAttack()\">EvilTroll</a>"}
{$user}

The above example will output:

Interpreted as HTML by the browser
<a href="javascript:jsAttack()">EvilTroll</a>

Example #2, enable auto escaping:

index.tpl
{auto_escape on}
{$user} {* any injected HTML is escaped here, so it is safe *}
{/auto_escape}

The above example will output:

Interpreted as text by the browser
&lt;a href="javascript:jsAttack()"&gt;EvilTroll&lt;/a&gt;
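
Auto-escaping as in Example #2 protects a value printed as HTML text. A value placed in a URL attribute such as `href` also needs its scheme checked, because `javascript:jsAttack()` contains no characters for the escaper to change. The following is an added example, not code from Dwoo or from this page; it assumes the escaping behaves like PHP's `htmlspecialchars()`, and `escape_html()` and `safe_href()` are hypothetical helper names.

```php
<?php
// Added example, not Dwoo code. Assumption: auto-escaping is modelled with
// htmlspecialchars(); escape_html() and safe_href() are hypothetical helpers.

function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function safe_href(string $url, array $allowed = ['http', 'https', 'mailto']): string
{
    // Browsers ignore whitespace and control characters inside a scheme,
    // so remove them before looking at it.
    $clean = preg_replace('/[\x00-\x20\x7f]+/', '', $url);
    if ($clean === null) {
        return '#';
    }
    // A leading "scheme:" must be on the allowlist.
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $clean, $m)) {
        return in_array(strtolower($m[1]), $allowed, true) ? $clean : '#';
    }
    return $clean; // no scheme: treated as a relative URL
}

// Constructed sample values, reusing the payload from Example #1.
$user = '<a href="javascript:jsAttack()">EvilTroll</a>';
$link = 'javascript:jsAttack()';

// Text context: escaping alone turns the markup into visible text.
echo '<p>', escape_html($user), "</p>\n";

// Attribute context, escaping only: the value passes through unchanged,
// so the javascript: scheme is still in the href.
echo '<a href="', escape_html($link), '">profile</a>', "\n";

// Attribute context, scheme checked first and then escaped: href becomes "#".
echo '<a href="', escape_html(safe_href($link)), '">profile</a>', "\n";
```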