This is what the documentation says:

> All is done automatically, consistently and correctly. You don't have to worry about security holes.
This is simply not true. What if you write this:

```latte
<a href="javascript:{$variable}">...</a>
```

Which way is "automatically, consistently correct" here? Is `$variable` JavaScript code placed inside an HTML attribute (so only attribute escaping applies), or a JavaScript value inside JavaScript inside an HTML attribute (so it must become a JS literal first and be attribute-escaped afterwards)? The engine cannot tell from the template alone.

And will it differ from this?

```latte
<a href="javascript:alert({$variable})">...</a>
```
The coder still has to know how the value should be dealt with, and in Latte he or she also has to know the default behavior of the engine in that context.

If the engine escapes everything as HTML by default, the code is more explicit and less magical:

```twig
<a href="javascript:{{ code }}">...</a>
<a href="javascript:alert({{ value | escape('js') }})">...</a>
```
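To make the two readings concrete, here is an added example (not code from the post, from Latte, Twig or Blade) that implements both of them by hand with Python's `html.escape` and `json.dumps` as the two escapers. `render_href_js_code` treats the variable as code and escapes for the attribute only; `render_href_js_value` treats it as a value and escapes inside-out (JS literal, then attribute). A third function shows what happens when the coder assumes the engine "handles it" and escapes for only one of the two contexts. The `alert(...)` wrapper and the sample payload are constructed for the demonstration.

```python
import json
from html import escape


def escape_html_attr(s: str) -> str:
    """Outer context: text placed inside a double-quoted HTML attribute."""
    return escape(s, quote=True)


def escape_js_value(value) -> str:
    """Inner context: a value that must become a JavaScript literal.

    json.dumps yields a valid JS literal (with ensure_ascii=True, the default,
    U+2028/U+2029 are already written as \\u escapes). The extra replacements
    keep the literal safe if it ever lands inside <script>, where a raw
    "</script>" in the data would end the element.
    """
    out = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        out = out.replace(ch, esc)
    return out


def render_href_js_code(code: str) -> str:
    """Reading 1 of <a href="javascript:{$variable}">: the variable IS code.

    Only the attribute context exists, so only HTML-attribute escaping applies.
    """
    return f'<a href="javascript:{escape_html_attr(code)}">...</a>'


def render_href_js_value(value) -> str:
    """Reading 2: the variable is a VALUE consumed by code in the attribute.

    Two contexts are nested, so escape inside-out: first make a JS literal,
    then escape the whole JS expression for the HTML attribute.
    """
    js = "alert(" + escape_js_value(value) + ")"
    return f'<a href="javascript:{escape_html_attr(js)}">...</a>'


def render_href_js_value_inner_only(value) -> str:
    """The mistake the post warns about: escaping for only one of the two
    contexts (here JS only) and trusting the engine for the rest. The
    double quotes of the JS literal terminate the href attribute early."""
    return f'<a href="javascript:alert({escape_js_value(value)})">...</a>'


if __name__ == "__main__":
    payload = 'x"); alert(document.cookie); //'   # constructed test input
    for fn in (render_href_js_code, render_href_js_value,
               render_href_js_value_inner_only):
        print(f"{fn.__name__}:\n  {fn(payload)}")
```

Running it shows that `foo()` rendered as code and `foo()` rendered as a value are both "correctly escaped" for their respective reading and yet produce different markup, which is exactly why a template engine cannot pick the right one automatically: only the coder knows which reading was intended.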
Engine | Coder must know the output context | Coder must also know the engine's default behavior in that context
---|---|---
Latte | ✅ | ✅
Twig | ✅ | ❌
Blade | ✅ | ❌
It cannot be used in HTML comments and inside SCRIPT and STYLE elements.