Auto-escape Mode

Raw variable: <b>Scott</b>

User input (auto-escaped): <script>alert('XSS')</script>

Trusted HTML with |raw: Safe HTML

Chained with |escape (no double-escape): <script>alert('XSS')</script>

Chained with |strtoupper then auto-escaped: <B>SCOTT</B>