html_attr docs are misleading / unclear

i had a discussion with some of my co workers about escaping strategies and when to use 'html_attr'.

from my point of view, we should add an example when to use `html_attr` instead of `html`.

The docs are saying that:

```
html: escapes a string for the HTML body context.
html_attr: escapes a string for the HTML attribute context.
```

# example 1

following the docs, this wouldn't be best practice, but it seems to be "fine".
https://github.com/twigphp/Twig/issues/2615#issuecomment-370008276

```jinja
{% set untrusted = 'untrusted' %}
<div class="{{ untrusted }}">{{ untrusted }}</a>
```

# example 2

if you stick to the docs this should be best practice?

```jinja
{% set untrusted = 'untrusted' %}
<div class="{{ untrusted | e('html_attr') }}">{{ untrusted }}</a>
```

is there any reason why *example1* is wrong?


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

html_attr docs are misleading / unclear #2817

example 1

example 2

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

html_attr docs are misleading / unclear #2817

Description

example 1

example 2

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions