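bootApp();
    }

    /**
     * Pins the configured autoescape policy to the literal `'html'` strategy.
     *
     * `EscaperExtension::getDefaultStrategy()` takes a template name. Under
     * Twig's filename-based `'name'` policy the answer depends on the
     * extension (a `.js` name would yield `'js'`); under the pinned `'html'`
     * policy it is `'html'` for every name, which is what these assertions
     * check.
     */
    public function testAutoescapeStrategyIsExplicitlyHtml(): void
    {
        /** @var Twig $twig */
        $twig = $this->container->get(Twig::class);
        $escaper = $twig->getEnvironment()->getExtension(EscaperExtension::class);

        foreach (['any.twig', 'pages/login.twig', 'assets/app.js'] as $templateName) {
            // The `.js` name is the discriminating case: it would resolve to
            // `'js'` under the filename-based policy, so it is the one that
            // actually proves `'html'` is pinned rather than inferred.
            self::assertSame('html', $escaper->getDefaultStrategy($templateName), $templateName);
        }
    }

    /**
     * Defence-in-depth companion to the policy test: renders a value
     * containing a script tag through `{{ value }}` and asserts the output
     * is HTML-escaped, proving the pipeline applies the configured strategy
     * rather than merely declaring it.
     */
    public function testRenderedTemplateAutoescapesUserInput(): void
    {
        /** @var Twig $twig */
        $twig = $this->container->get(Twig::class);
        $env = $twig->getEnvironment();

        // Swap in an in-memory loader so the test does not depend on any
        // template shipped with the application.
        $env->setLoader(new \Twig\Loader\ArrayLoader([
            'inline.twig' => 'value=[{{ value }}]',
        ]));

        // The input must actually carry the tag; rendering an empty string
        // would pass trivially and prove nothing about escaping.
        $hostile = '<script>alert(1)</script>';
        $rendered = $env->render('inline.twig', ['value' => $hostile]);

        // The HTML strategy runs htmlspecialchars, so `<` and `>` come out as
        // `&lt;` / `&gt;`. The raw tag appearing in the output would mean
        // autoescaping is off or the strategy is not `'html'`.
        self::assertSame('value=[&lt;script&gt;alert(1)&lt;/script&gt;]', $rendered);
        self::assertStringNotContainsString($hostile, $rendered);
    }
}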