The Phalcon documentation mentions how to autoescape with a filter |e
or through autoescape-mode {% autoescape true %}
. But Twig has autoescaping enabled by default and lets you pass it as an option to the Twig Environment object. So in Twig you can control autoescaping globally for your app.
Does Phalcon provide the same posibility? I really couldn't find this answer on Google and my C-knowledge is non-existent.
Yeah this might be a problem because AFAIK in Volt's implementation escaping is made to deal with blocks or expressions, so it might be hard to determine what you should scape.
IMHO, the easier way to achieve this is by customizing the compiler to escape the expression only if the value is coming from a external source, like a variable or method return. So... the answer is basically no, Volt can't do that. But indeed this would be an excellent NRF to the framework.
EDIT
Thinking a bit more about the problem I've realized that I do something similar in my application. Data exchange in CRUD operations are mostly a cycle between 'forms', controllers and persistence and besides all helpers provided by Phalcon (from the ORM to the Form abstractions) we need to apply some conventions to automatize even more our CRUD operations that are basically the same most of time.
So I have two components that helps me out in fetching model data from forms and another one to help with model data from my database. In both of these components value conversions, filters and validations are called automatically on each operation.
I'm saying that because the default filter for strings is the string escape. What I mean is that you might have better results if worrying about data sanitization at any data input to your controllers (i.e. from forms or the database). As bonus you get more consistent and strong typed values in your models to make your business logic implementations much simpler.