Monday, May 13, 2024
53
rated 0 times [  56] [ 3]  / answers: 1 / hits: 16787  / 9 Years ago, sat, april 25, 2015, 12:00:00

I have a comments AJAX call which returns data of the posted comment. I also have @mention functionality built in: the server side processes the @mentions and does a str_replace on the mentioned users, replacing their names with an a tag within the response. For example:



{
    "data": {
        "comment": "<a href=\"profile/derp\">Username</a> hey what's up"
    }
}


However, I can't seem to find in the documentation how to allow Nunjucks to print this as actual HTML; it escapes it and displays the code instead of letting it be a real a tag.



Does anyone know how I can allow this to be printed as an actual a tag?



 Answers
37

OK, so almost immediately after I posted this I found the answer! For anyone else looking, it's simply this: within your template, where you're printing your variable, add the safe filter, which will disable automatic escaping.



{{ comment.content|safe }}


Although this means it's vulnerable to XSS injection, so make sure you add your protection on the server side.


[#66899] Thursday, April 23, 2015
trayvon

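One way to do the server-side protection the answer mentions, as an added example that is not part of the original question or answer: escape the whole comment first, then insert anchor tags only for known users, so the string handed to the safe filter contains no markup the commenter typed. It assumes a JavaScript server; the names escapeHtml, renderComment and SAMPLE_USERS, and the username character set, are hypothetical.

```javascript
// Added example: build the @mention HTML so that it is safe to print
// with {{ comment.content|safe }}. All names here are hypothetical.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Escape every character that can start markup or break out of an attribute.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Assumption: usernames are 1-30 characters of letters, digits, "_" or "-".
// The prefix group stops "user@example" style text from counting as a mention.
const MENTION_RE = /(^|[^A-Za-z0-9_@])@([A-Za-z0-9_-]{1,30})/g;

// Constructed sample data: lowercase username -> display name.
const SAMPLE_USERS = new Map([
  ['derp', 'Derp'],
  ['eve', '<b>Eve</b>'], // display names are untrusted input too
]);

function renderComment(rawComment, knownUsers) {
  // Step 1: escape everything the commenter typed. After this the string
  // contains no "<", so the only tags in the output are the ones added below.
  const escaped = escapeHtml(rawComment);

  // Step 2: replace mentions of known users with a link built from
  // validated parts; unknown names are left as plain (escaped) text.
  return escaped.replace(MENTION_RE, (match, prefix, name) => {
    const key = name.toLowerCase();
    if (!knownUsers.has(key)) return match;
    const href = 'profile/' + encodeURIComponent(key);
    const label = escapeHtml(knownUsers.get(key));
    return `${prefix}<a href="${href}">@${label}</a>`;
  });
}

// Stand-alone demonstration on a constructed comment.
console.log(renderComment("<script>alert(1)</script> @derp hey", SAMPLE_USERS));
```

The order matters: running the mention replacement before escaping would either escape the anchor tags as well or require leaving the commenter's own markup unescaped.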