To reduce the risk of cross-site scripting attacks, templating systems, such as ``++Twig++``, ``++Django++``, ``++Smarty++``, ``++Groovy's template engine++``, allow configuration of automatic variable escaping before rendering templates. When escape occurs, characters that make sense to the browser (eg: <a>) will be transformed/replaced with escaped/sanitized values (eg: & lt;a& gt; ).
Auto-escaping is not a magic feature to annihilate all cross-site scripting attacks, it depends on https://twig.symfony.com/doc/3.x/filters/escape.html[the strategy applied] and the context, for example a "html auto-escaping" strategy (which only transforms html characters into https://developer.mozilla.org/en-US/docs/Glossary/Entity[html entities]) will not be relevant when variables are used in a https://en.wikipedia.org/wiki/HTML_attribute[html attribute] because '``++:++``' character is not escaped and thus an attack as below is possible:
