Commit 4105b556 authored by alexpott

Issue #2528284 by cilefen, dawehner, Cottser, David_Rothstein: Document that alternate Drupal 8 theme engines must implement auto-escape or they are not secure
parent d6caa271
......@@ -765,6 +765,12 @@ function hook_extension() {
/**
* Render a template using the theme engine.
*
* It is the theme engine's responsibility to escape variables. The only
* exception is if a variable implements
* \Drupal\Component\Render\MarkupInterface. Drupal is inherently unsafe if
* other variables are not escaped. The helper function
* theme_render_and_autoescape() may be used for this.
*
* @param string $template_file
* The path (relative to the Drupal root directory) to the template to be
* rendered including its extension in the format 'path/to/TEMPLATE_NAME.EXT'.
......
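Review bot: The first added sentence, "It is the theme engine's responsibility to escape variables", reads softer than the commit title's "must implement auto-escape", and the closing "may be used for this" can be taken to mean escaping itself is optional. Consider wording the requirement as a "must" and saying that the helper is one way to satisfy it. "Drupal is inherently unsafe if other variables are not escaped" also does not say what kind of escaping is required or what goes wrong without it; one clause naming both would help an engine author judge whether their implementation is sufficient. An "@see theme_render_and_autoescape()" line in this docblock would link the helper from the generated API documentation.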