Stop nunjucks from escaping HTML

André Figueira · Apr 25, 2015 · Viewed 11.3k times

I have a comments AJAX call which returns data of the posted comment. I also have @mention functionality built in; the server side is processing the @mentions and doing a str_replace on the mentioned users, replacing their names with an a tag within the response, for example:

{
   data: {
      comment: "<a href=\"profile/derp\">Username</a> hey what's up"
   }
}

However I can't seem to find in the documentation how to allow nunjucks to print this as actual HTML, it escapes it and displays the code instead of letting it be a real a tag.

Does anyone know how I can allow this to be printed as an actual a tag?

Answer

André Figueira · Apr 25, 2015

OK so almost immediately after I posted this I found the answer! For anyone else looking, it's simply this: within your template where you're printing your variable, add the safe filter, which will disable automatic escaping.

{{ comment.content|safe }}

This does mean it's vulnerable to XSS injection, so make sure you add your protection on the server side.
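One way to do the server-side protection the answer mentions, as an added example that is not code from the original post: escape the untrusted comment text the same way nunjucks' autoescape would, and only then substitute @mentions with anchors built from validated handles, so the finished string can be printed with {{ comment|safe }}. The names KNOWN_USERS, escapeHtml, mentionLink and renderComment are assumptions, and the user table is constructed for the example.

```javascript
// Server-side construction of a comment body that is safe to hand to
// nunjucks' `|safe` filter. Added example; not from the original post.

// Constructed lookup of valid handles -> display names (assumed shape).
const KNOWN_USERS = { derp: 'Username', alice: 'Alice Example' };

// Escape the same five characters nunjucks' autoescape replaces.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Build the anchor only from an already-validated handle; both the href
// component and the visible text are encoded, never interpolated raw.
function mentionLink(handle, displayName) {
  return `<a href="profile/${encodeURIComponent(handle)}">${escapeHtml(displayName)}</a>`;
}

// 1. Escape everything the user typed so any tags or quotes become text.
// 2. Only then replace @handle tokens. The handle pattern admits just
//    [A-Za-z0-9_], so no markup can be smuggled through the substitution,
//    and unknown handles are left as plain text.
function renderComment(raw) {
  const escaped = escapeHtml(raw);
  return escaped.replace(/@([A-Za-z0-9_]{1,30})\b/g, (match, handle) => {
    const name = KNOWN_USERS[handle];
    return name ? mentionLink(handle, name) : match;
  });
}

// The value to put in the AJAX response and print with {{ comment|safe }}:
console.log(renderComment("@derp hey what's up"));
```

Because escaping happens before the anchors are inserted, marking the result safe in the template exposes only markup the server itself generated.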