Stop nunjucks from escaping HTML

I have a comments AJAX call which returns data of the posted comment, I also have @mention functionality built in, the server side is processing the @mentions and doing a str_replace on the mentioned users replacing their names with an a tag within the response, for example:

   data: {
      comment: "<a href=\"profile/derp\">Username</a> hey what's up"

However I can’t seem to find in the documentation how to allow nunjucks to print this as actual HTML, it escapes it and displays the code instead of letting it be a real a tag.

Does anyone know how I can allow this to be printed as an actual a tag?

OK so almost immediately after I posted this I found the answer! for anyone else looking it’s simply this; within your template where you’re printing your variable add the safe filter, which will disable automatic escaping.

{{ comment.content|safe }}

Although this means it’s vulnerable to XSS injection, so make sure you add your protection on the server side.

You can also avoid escaping globally using:

nunjucks.configure({ autoescape: false });

You could consider passing the comment’s meta data and letting the template create the HTML:

  <a href="{{ comment.user.url }}">{{ }}</a> {{ comment.text }}

Then pass the following meta data:

comment: {
  user: { url: "profile/derp", name: "Username" },
  text: "hey what's up"

The answers/resolutions are collected from stackoverflow, are licensed under cc by-sa 2.5 , cc by-sa 3.0 and cc by-sa 4.0 .
Read More:   JSON.Parse,'Uncaught SyntaxError: Unexpected token o [duplicate]

Similar Posts