How can I use HTML in TWIG variables?

You can use HTML in TWIG variables, but you must explicitly allow it by applying the safe_html filter, which lets only an allowed set of HTML tags through.

Why doesn’t HTML work directly in TWIG?

Aivie has tightened security measures, restricting the processing of HTML in TWIG variables. The reason is that uncontrolled HTML can pose a security risk, for example, through embedded JavaScript or external content.

Therefore, the following now applies:

  • Filters like |raw are no longer allowed
  • No direct HTML tags via tokens
  • Only secure, controlled output via allowed TWIG functions

Solution: Use the safe_html filter

To continue using HTML, a new TWIG filter is available: safe_html.

This filter allows a defined list of secure HTML tags. This way, you can still use structured content such as tables, formatting, or simple layouts.

The following are not allowed, for example:

  • JavaScript
  • iFrames
  • Images
  • External content with potential risk

The allowed HTML elements are based on the official sanitizer list (MDN HTML Sanitizer API).
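
To show what an allowlist filter of this kind does to a value, here is an added example in Python; it is not Aivie's code and not the implementation of safe_html. The tag and attribute lists, the names sanitize and AllowlistSanitizer, and the sample value are constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlists for illustration; the real safe_html list is Aivie's own.
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "u", "ul", "ol", "li",
                "table", "thead", "tbody", "tr", "th", "td", "span", "div"}
ALLOWED_ATTRS = {"colspan", "rowspan", "align", "valign"}
# Elements that are removed together with everything inside them.
DROP_WITH_CONTENT = {"script", "style", "iframe"}
VOID_TAGS = {"br"}  # allowed tags that never get a closing tag


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
        elif self.skip_depth == 0 and tag in ALLOWED_TAGS:
            # Keep only allowlisted attributes (drops onclick, href, src, ...).
            kept = "".join(f' {k}="{escape(v or "", quote=True)}"'
                           for k, v in attrs if k in ALLOWED_ATTRS)
            self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif self.skip_depth == 0 and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skip_depth == 0:
            self.out.append(escape(data, quote=False))  # text is re-escaped


def sanitize(html_text):
    """Rebuild the markup from parsed tokens, keeping only allowlisted parts."""
    parser = AllowlistSanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out)


# Constructed sample value, as it might arrive in a variable such as item.name.
SAMPLE = ('<table><tr><td valign="top" onclick="steal()">Price &amp; terms</td></tr></table>'
          '<script>alert(1)</script><iframe src="https://example.invalid/x"></iframe>'
          '<img src="https://example.invalid/p.png"><b>Bold</b>')
```

The table and the bold text survive, while the script, the iFrame, the image and the onclick attribute are removed. An unclosed dropped element suppresses everything after it, so malformed input fails closed.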

Example

Here is how you can correctly output HTML in a TWIG variable:

<td valign="top" style="width: 100%">
  {{ item.name | safe_html }}
</td>

Important: The filter must be applied wherever HTML is expected.

What else has been improved?

  • Direct viewing and editing of TWIG in the email, landing page, and dynamic content editor
  • The code editor in the Aivie Builder now supports TWIG natively (linting, type-ahead, formatting, snippets)
  • Improved preview of TWIG content

Conclusion

HTML tags are possible in TWIG, but only in a controlled manner via the safe_html filter. This allows you to combine flexibility with security and avoid risks from insecure code.
