javascripttemplate-enginenunjucks

Stop nunjucks from escaping HTML


I have a comments AJAX call which returns data of the posted comment, I also have @mention functionality built in, the server side is processing the @mentions and doing a str_replace on the mentioned users replacing their names with an a tag within the response, for example:

{
   data: {
      comment: "<a href=\"profile/derp\">Username</a> hey what's up"
   }
}

However I can't seem to find in the documentation how to allow nunjucks to print this as actual HTML, it escapes it and displays the code instead of letting it be a real a tag.

Does anyone know how I can allow this to be printed as an actual a tag?


Solution

  • OK so almost immediately after I posted this I found the answer! for anyone else looking it's simply this; within your template where you're printing your variable add the safe filter, which will disable automatic escaping.

    {{ comment.content|safe }}
    

    Although this means it's vulnerable to XSS injection, so make sure you add your protection on the server side.