{safe:text}

Description

Escapes the five HTML-special characters in text so it can be placed safely into HTML output: & becomes &amp;, < becomes &lt;, > becomes &gt;, double quote becomes &quot;, and single quote becomes &apos;. This is a wrapper around PHP htmlspecialchars (flags ENT_QUOTES and ENT_HTML5), so quotes of both kinds are escaped - making it safe inside attribute values and textarea content as well as in element text. It is a plain escape, not entity-aware: it does NOT skip text that is already encoded, so an existing &amp; is turned into &amp;amp;. Use it whenever you print untrusted or user-entered values into a page to prevent broken markup and HTML/script injection. The deprecated alias {htmlspecialchars:...} produces identical output; prefer {safe:...} in new templates.

Parameters

text (required; default: empty string)

The string to escape. Any value works - literal text, a field getter, or the result of another expression. Empty input yields empty output.

Examples

Test: {safe:Press release 2026}
Expected: Press release 2026
Actual: Press release 2026
When there are no special characters, the text is returned unchanged.

Test: {safe:Tom & Jerry}
Expected: Tom &amp; Jerry
Actual: Tom &amp; Jerry
A bare & would start an HTML entity; safe turns it into the literal &amp;.

Test: [{safe:<b>Bold</b>}]
Expected: [&lt;b&gt;Bold&lt;/b&gt;]
Actual: [&lt;b&gt;Bold&lt;/b&gt;]
Tags become text: < and > are escaped so the browser prints them instead of rendering markup. The brackets here just frame the output.

Test: {safe:Search "news"}
Expected: Search &quot;news&quot;
Actual: Search &quot;news&quot;
Double quotes become &quot; - needed when the value sits inside a double-quoted HTML attribute.

Test: {safe:rock 'n' roll}
Expected: rock &apos;n&apos; roll
Actual: rock &apos;n&apos; roll
Because safe uses ENT_QUOTES with ENT_HTML5, the apostrophe is escaped to &apos; (not &#039;).

Test: {safe:x" onmouseover="alert(1)}
Expected: x&quot; onmouseover=&quot;alert(1)
Actual: x&quot; onmouseover=&quot;alert(1)
Printing an unescaped value into a double-quoted attribute lets an attacker close the quote and inject handlers. safe escapes the quotes so the payload stays inert text. In a template you would write it as value=\"{safe:_#FIELD}\".

Test: {safe:&amp;}
Expected: &amp;amp;
Actual: &amp;amp;
safe is a plain escape, not entity-aware: an existing &amp; is re-escaped to &amp;amp;. Apply safe once, to raw values only - never to text that is already HTML.

Test: {safe:<a href="?q=1&p=2">A & B</a>}
Expected: &lt;a href=&quot;?q=1&amp;p=2&quot;&gt;A &amp; B&lt;/a&gt;
Actual: &lt;a href=&quot;?q=1&amp;p=2&quot;&gt;A &amp; B&lt;/a&gt;
The canonical use: escape user-entered or stored markup so it shows as source (e.g. inside a textarea or a code preview) instead of being parsed. Every special character is converted in one pass.
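The following is an added example, not the template engine's own code, showing the PHP call that the description and the examples above correspond to: htmlspecialchars with ENT_QUOTES and ENT_HTML5, run over the same inputs as the table, plus the attribute-injection case placed into real markup. The function name safe and the sample values are assumptions made for illustration; the escaping behaviour shown is that of PHP's htmlspecialchars.

```php
<?php
declare(strict_types=1);

// Added example: a minimal PHP equivalent of {safe:text}. The name `safe`
// is an assumption for this illustration; the template engine's own
// implementation is not shown on the page.

/**
 * Escape the five HTML-special characters (& < > " ').
 * Plain escape, not entity-aware: already-encoded text is escaped again.
 */
function safe(string $text): string
{
    // ENT_QUOTES  -> escape both " and '
    // ENT_HTML5   -> ' becomes &apos; rather than &#039;
    // The fourth argument ($double_encode) keeps its default of true, which is
    // what makes an existing &amp; turn into &amp;amp;.
    // Note: without ENT_SUBSTITUTE, htmlspecialchars returns "" for input that
    // is not valid UTF-8; the page lists only ENT_QUOTES and ENT_HTML5, so that
    // flag set is reproduced exactly here.
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The inputs from the examples table (constructed here to match the page).
$cases = [
    'Press release 2026',
    'Tom & Jerry',
    '<b>Bold</b>',
    'Search "news"',
    "rock 'n' roll",
    'x" onmouseover="alert(1)',
    '&amp;',                              // already encoded: escaped a second time
    '<a href="?q=1&p=2">A & B</a>',
];

foreach ($cases as $raw) {
    printf("%-32s => %s\n", $raw, safe($raw));
}

// Where the escaped value actually lands. The value with an embedded quote is
// escaped before being placed in a double-quoted attribute, so it cannot close
// the attribute; the same value is also shown as element text.
$untrusted = 'x" onmouseover="alert(1)';
echo '<input type="text" value="' . safe($untrusted) . '">' . "\n";
echo '<p>' . safe($untrusted) . '</p>' . "\n";

// What NOT to do: escaping twice. Applying safe() to a value that has already
// been through safe() yields &amp;quot; instead of &quot;, which the browser
// then shows as a literal "&quot;" to the user.
$once  = safe('Search "news"');
$twice = safe($once);
echo "once:  $once\n";
echo "twice: $twice\n";
```

Run it with the PHP CLI (php safe_example.php). The loop reproduces the Expected column of the table; the last four lines make the two practical points concrete: the handler payload stays inside the attribute value as inert text, and the double-escape pitfall is visible as &amp;quot; in the output.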