Cheat sheet

Quick reference if you just need to know how to escape stuff!

Do's and Don'ts

How to's:

In How do I handle... ? ... like this:

Smarty, html code




standard variable {$VARIABLE}
variable, but it's a HtmlString {$VARIABLE}
variable, but it's a string and already html

{$VARIABLE nofilter}

or

{$VARIABLE|rawhtml}

{capture} blocks

 

{capture assign="capname"}
  <div>.... html code {$VARIABLE} </div>
{capture}

{$capname nofilter}




Smarty,

inside <script>


string variable var myvar = '{$VARIABLE}';
object or array variable var mylist = {$VARIABLE|json_encode};
string inside url

var url = "index.php?module={$VARIABLE|escape:"url"}";




Smarty,

js in attributes

string variable

 

{* using escape in "javascript" mode *}
<span onclick="myFunction('{$PARAM|escape:"javascript"}')">Link</span>

{* using out VStr::toJs method *}
<span onclick="myFunction2('{VStr::toJs($PARAM)}')">Link2 </span>
string in url
<span onclick="location.href='index.php?mode={$MODPARAM|escape:"url"|escape:"javascript"};>Link 3</span>


Revision #2
Created 2026-01-23 15:29:18 UTC by m.maporti
Updated 2026-05-05 12:02:45 UTC by Daniele