Escaping is important in all languages, including LiquidJS. Escaping has two different meanings for a template engine:
- Escaping for the output, i.e. HTML escape. Used to escape HTML special characters so the output will not break HTML structures, also known as HTML-safe output.
- Escaping for the language itself, i.e. Liquid escape. Used to output strings that are considered special in the Liquid language. This is useful when you’re writing an article in a Liquid template to introduce the Liquid language.
HTML Escape
By default, output is not escaped. You can use the escape filter to escape it:
Input
{{ "1 < 2" | escape }}
Output
1 &lt; 2
There are also the escape_once, newline_to_br and strip_html filters for fine-tuning your output.
In cases where variables are mostly not trusted, outputEscape can be set to "escape" to apply escape by default. In this case, when you need some output not to be escaped, the raw filter can be used:
Input
{{ "1 < 2" }}
{{ "<button>OK</button>" | raw }}
Output
1 &lt; 2
<button>OK</button>
Liquid Escape
To disable Liquid parsing and output strings like {{ and {% literally, use the raw tag.
Input
{% raw %}
In LiquidJS, {{ this | escape }} will be HTML-escaped, but
{{{ that }}} will not.
{% endraw %}
Output
In LiquidJS, {{ this | escape }} will be HTML-escaped, but
{{{ that }}} will not.
Within string literals in a LiquidJS template, \ can be used to escape special characters in string syntax. For example:
Input
{{ "\"" }}
Output
"
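As an added example (not part of the LiquidJS documentation or code base), this heuristic audit of template source flags the outputs that the settings above leave unescaped: under the default, any variable output without escape or escape_once; with outputEscape set to "escape", any output that uses the raw filter. It skips {% raw %} blocks and honours \ escapes in string literals; the function names, finding format and sample template are assumptions made for illustration.

```javascript
// Added example: heuristic audit of Liquid template source, not LiquidJS code.
const ESCAPERS = new Set(['escape', 'escape_once']);
// Split "value | f1: a | f2" on pipes that sit outside quoted strings,
// honouring backslash escapes inside string literals.
function splitPipes(expr) {
  const parts = [];
  let cur = '', quote = null;
  for (let i = 0; i < expr.length; i++) {
    const ch = expr[i];
    if (quote) {
      if (ch === '\\') { cur += ch + (expr[++i] ?? ''); continue; }
      if (ch === quote) quote = null;
    } else if (ch === '"' || ch === "'") {
      quote = ch;
    } else if (ch === '|') {
      parts.push(cur.trim()); cur = ''; continue;
    }
    cur += ch;
  }
  parts.push(cur.trim());
  return parts;
}

// outputEscape: 'escape' when the engine is configured that way, else undefined.
function auditTemplate(source, outputEscape) {
  // Blank out {% raw %} blocks, keeping newlines so line numbers stay correct.
  const visible = source.replace(
    /\{%-?\s*raw\s*-?%\}[\s\S]*?\{%-?\s*endraw\s*-?%\}/g,
    block => block.replace(/[^\n]/g, ' '));
  const findings = [];
  // Heuristic: a "}}" inside a string literal would end the match early.
  for (const m of visible.matchAll(/\{\{-?([\s\S]*?)-?\}\}/g)) {
    const [value, ...filters] = splitPipes(m[1]);
    const names = filters.map(f => f.split(':')[0].trim());
    if (/^("|'|-?\d)/.test(value)) continue; // literal written by the template author
    const line = visible.slice(0, m.index).split('\n').length;
    if (outputEscape === 'escape') {
      if (names.includes('raw')) findings.push({ line, value, issue: 'raw filter skips default escaping' });
    } else if (!names.some(n => ESCAPERS.has(n))) {
      findings.push({ line, value, issue: 'no escape filter' });
    }
  }
  return findings;
}

// Constructed sample template (five lines).
const SAMPLE = '<h1>{{ title | escape }}</h1>\n<p>{{ comment }}</p>\n' +
  '{% raw %}{{ docs_example }}{% endraw %}\n<div>{{ bio | raw }}</div>\n' +
  '{{ "a | b" | upcase }}';
```

Call auditTemplate(SAMPLE) for an engine with default options, or auditTemplate(SAMPLE, 'escape') for one configured with outputEscape; each finding carries the line number, the output's value expression and the reason it was flagged.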