PHPackages: arthens/safe-translations (active library, category [Localization & i18n](/categories/localization))

arthens/safe-translations
=========================

Automatically escape variables when using Symfony Translations

Version 1.2.0 (5y ago) · 229.3k · 1 · MIT · PHP >=5.6.0 · CI failing

Since May 11 · pushed 5y ago · 2 watchers

[Source](https://github.com/arthens/safe-translations) · [Packagist](https://packagist.org/packages/arthens/safe-translations) · [RSS](/packages/arthens-safe-translations/feed) · master synced 1mo ago

Changelog (7) · Dependencies (4) · Versions (12) · Used By (0)

Safe Translations
=================

`arthens/safe-translations` is an extra security layer on top of [Symfony Translations](http://symfony.com/doc/current/book/translation.html).

Compatibility
-------------

Version 1.0 is PHP 7.\* and Twig 2.\* only.

Version 0.4 is the last version supporting PHP 5.\* and Twig 1.\*

The problem
-----------

[Twig](http://twig.sensiolabs.org/) is a great rendering library, and it's also awesome for protecting against [XSS](http://en.wikipedia.org/wiki/Cross-site_scripting) because, with autoescaping enabled (the default in Symfony), every variable you output is HTML-escaped. For example, if you have the following template:

`Hello {{ username }}`

and the user sets their username to

`<script>alert();</script>`

you can sleep safe, because Twig will automatically escape it to:

`Hello &lt;script&gt;alert();&lt;/script&gt;`

which is harmless: the browser shows the text `<script>alert();</script>` instead of executing it.

### So what's the problem?

The problem is that when using Symfony Translations you lose this protection. The Twig template:

`{% trans %}Hello %username%{% endtrans %}`

is not safe to use because the `%username%` placeholder is filled from the `username` variable without being escaped. You have to escape it yourself, by passing the escaped value explicitly:

`{% trans with {'%username%': username|e} %}Hello %username%{% endtrans %}`

which means that your templates are insecure by default, and it's now your responsibility to remember to escape every placeholder every time you use one. Not the end of the world, but wouldn't it be better if variables were automatically escaped like in Twig?

Note: this problem only applies to the `{% trans %}` tag form. If you use the `|trans` filter then you are ok, because the filter's output goes through Twig's autoescaping (unless you also apply `|raw` after it, in which case you have the same problem). See the [documentation note](https://symfony.com/doc/current/translation.html#translation-filters).

My solution
-----------

`arthens/safe-translations` defines two new Twig tags: `{% safetrans %}` and `{% safetranschoice %}`. They work exactly like `{% trans %}` and `{% transchoice %}`, but placeholder variables are automatically escaped:

`{% safetrans %}Hello %username%{% endsafetrans %}`

will once again produce

`Hello &lt;script&gt;alert();&lt;/script&gt;`

### But what if I need to mix escaped and unescaped variables (e.g. inject HTML)?

You can, you just have to mark the trusted value with `|unescaped` inside a `safetrans` tag:

`{% safetrans with {'%message%': message|unescaped} %}Hello %username%, admin says: %message%{% endsafetrans %}`

In this case `username` is escaped, and `message` is not. Treat `|unescaped` like `|raw`: only use it on values that are trusted HTML, never on user-controlled input.

Installation
------------

- Add `arthens/safe-translations` to your `composer.json`.
- Register `Arthens\SafeTranslation\Extension\SafeTransExtension` in your `Twig_Environment` (Twig 1.x) or `Twig\Environment` (Twig 2.x), alongside Symfony's `TranslationExtension`.

and you should be good to go (assuming that you have already configured Symfony Translations).
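The following script is an added example, not code from the package or its README. It puts the templates from "The problem" and "My solution" side by side: after `composer require arthens/safe-translations`, it builds a Twig 2 environment with Symfony's `TranslationExtension` and the package's `SafeTransExtension`, renders each template with a hostile username, and flags any output that still contains a raw `<script>` tag. It assumes `SafeTransExtension` can be constructed without arguments (check the package source if your version differs); the translation catalogue and the `username`/`message` values are constructed sample data.

```php
<?php
// Added example (not from the arthens/safe-translations README).
// Compares plain Twig output, {% trans %}, {% trans with ...|e %},
// {% safetrans %} and the |unescaped escape hatch on the same hostile input.

require __DIR__ . '/vendor/autoload.php';

use Arthens\SafeTranslation\Extension\SafeTransExtension;
use Symfony\Bridge\Twig\Extension\TranslationExtension;
use Symfony\Component\Translation\Loader\ArrayLoader;
use Symfony\Component\Translation\Translator;
use Twig\Environment;
use Twig\Loader\ArrayLoader as TwigArrayLoader;

// Translator with a single in-memory catalogue (constructed sample data;
// the ids translate to themselves so the placeholders stay visible).
$translator = new Translator('en');
$translator->addLoader('array', new ArrayLoader());
$translator->addResource('array', [
    'Hello %username%' => 'Hello %username%',
    'Hello %username%, admin says: %message%' => 'Hello %username%, admin says: %message%',
], 'en');

$templates = [
    // Plain Twig: autoescape protects the variable.
    'plain'  => 'Hello {{ username }}',
    // Symfony trans tag: the placeholder is filled in WITHOUT escaping.
    'trans'  => '{% trans %}Hello %username%{% endtrans %}',
    // Manual fix: escape the value yourself, on every placeholder, every time.
    'manual' => "{% trans with {'%username%': username|e} %}Hello %username%{% endtrans %}",
    // safetrans: placeholders are escaped by default.
    'safe'   => '{% safetrans %}Hello %username%{% endsafetrans %}',
    // Mixed: username escaped, message injected as-is (trusted HTML only).
    'mixed'  => "{% safetrans with {'%message%': message|unescaped} %}Hello %username%, admin says: %message%{% endsafetrans %}",
];

// 'html' is Twig's default autoescape strategy; spelled out here for clarity.
$twig = new Environment(new TwigArrayLoader($templates), ['autoescape' => 'html']);
$twig->addExtension(new TranslationExtension($translator));
$twig->addExtension(new SafeTransExtension()); // assumed: no constructor arguments

$context = [
    'username' => '<script>alert();</script>', // constructed hostile user input
    'message'  => '<b>Deploy at 17:00</b>',    // constructed trusted admin HTML
];

foreach (array_keys($templates) as $name) {
    $out = $twig->render($name, $context);
    // A raw <script> tag surviving into the output is an XSS sink.
    $flag = strpos($out, '<script>') !== false ? 'UNSAFE' : 'ok';
    printf("%-7s %-6s %s\n", $name, $flag, $out);
}
```

Run it with `php demo.php`: only the `trans` line should come out `UNSAFE`, while `plain`, `manual` and `safe` all print `Hello &lt;script&gt;alert();&lt;/script&gt;`. The `mixed` line is `ok` only because `message` is trusted; `|unescaped` switches the protection off for that one placeholder, exactly as `|raw` would, so review every use of it the way you would review `|raw`.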

FAQ
---

#### 1. How can I automatically escape the variables when using Symfony Translations with Twig?

Use `{% safetrans %}` and `{% safetranschoice %}`.

#### 2. What options do `safetrans` and `safetranschoice` support?

They are built on top of Symfony Translations, and they support exactly the same options (`with`, `from`, `into`, and so on). See [Symfony Translations](http://symfony.com/doc/current/book/translation.html).

#### 3. How do I extract the strings from my template?

Use the standard Symfony extractor. (Under the hood `arthens/safe-translations` extends Symfony's `TransNode`, which means that from the point of view of the extractor there's no difference between `trans` and `safetrans`.)

#### 4. Why do I need to use `|unescaped`? Can't it guess it from the context?

Not yet. Symfony Translations and Twig are quite different, and I couldn't find a way to do it automagically. This might change with future versions. Pull requests are welcome.

#### 5. Is this production ready?

[99designs](https://99designs.com) has been using it in production since 2013.

### Health Score

35 (Low; better than 79% of packages)

- Maintenance 20: infrequent updates, may be unmaintained
- Popularity 28: limited adoption so far
- Community 12: small or concentrated contributor base
- Maturity 65: established project with proven stability
- Bus factor 1: top contributor holds 82.4% of commits, a single point of failure

Score weights: Maintenance 25% (last commit recency, latest release date, issue-to-star ratio; 2-year decay window), Popularity 30% (total and monthly downloads, GitHub stars, forks; logarithmic scaling), Community 15% (contributors, dependents, forks, watchers, maintainers), Maturity 30% (project age, version count, PHP version support, release stability).

### Release Activity

Cadence: every ~356 days (recently every ~398 days). Total releases: 8. Last release: 1891d ago.

Major versions: 0.4 → 1.0 (2017-03-06)

PHP version history (2 changes): 0.1 requires PHP >=5.3.2; 1.0 requires PHP >=5.6.0

### Community

Maintainers: [arthens](/maintainers/arthens)

Top contributors: [arthens](https://github.com/arthens) (14 commits), [tamoore](https://github.com/tamoore) (2 commits), [Gemorroj](https://github.com/Gemorroj) (1 commit)

### Code Quality

Tests: PHPUnit



PHPackages © 2026
