level-level
Refactor render and echo twig for proper escaping on echo
In clarkson-core-templates.php the functions echo_twig, render_twig, echo_json and render_json need to be refactored, so that an escape can be done with the echo of the template.
$this->render_twig( $template_file, $objects, $ignore_warning );
echo $this->render_json( $objects );
Research how XWP renders templates: https://github.com/xwp/wp-vip-twig/blob/649703c3fcfea8f0f3dc6c8f35f17b110feba7ce/php/class-twig-environment.php#L103
The XWP wp-vip-twig plugin actually let's the theme echo the twig rendered content. As explained here: https://github.com/xwp/wp-vip-twig/blob/649703c3fcfea8f0f3dc6c8f35f17b110feba7ce/readme.txt#L28
Which means they are moving the problem to the theme. I don't think we want to do this.
The twig output is already escaped internally. See https://twig.symfony.com/doc/2.x/templates.html#html-escaping
Which means with proper twig usage the content will already be 'safe'. I think we can add an ignore line and should be OK.
Ok what about the moment the Twig escaping is to harsh and we call raw on something.
It looks like we always output object.get_content()|raw.
Don't we want escaping filter like wp_kses available in our Twig. https://codex.wordpress.org/Function_Reference/wp_kses
Timber reference: https://github.com/timber/timber/blob/2901f25d3a6fb3d13632989a8c0d3263389dc5cb/lib/Twig.php#L243
If so, we can rename this issue to :
Add some default WordPress escaping filters.
