On the best practices pages, there is a section about twig extensions.

https://github.com/symfony/symfony-docs/blob/master/best_practices/templates.rst

In the getFilters() method is_safe is set to array('html'). According to the twig documentation; "If your filter acts as an escaper (or explicitly outputs HTML or JavaScript code), you will want the raw output to be printed. In such a case, set the is_safe option:".

public function getFilters()
    {
        return array(
            new \Twig_SimpleFilter(
                'md2html',
                array($this, 'markdownToHtml'),
                array('is_safe' => array('html'))
            ),
        );
    }

If someone new to symfony reads this (they probably are if they are just reading the best practices for the first time) this would probably use the new filter like this:

{{ comment.body|md2html }}

This is a security issue if the comments body contains user inputted data. With the snippet above, no escaping is automatically performed. The proper way to use it would be like this:

{{ comment.body|escape|md2html }}

Another option would be to add some form of escaping in the extension. You could use the symfony escaper (probably prefered, don't know how to do that though, or enable esaping in parsedown ( https://github.com/erusev/parsedown/wiki/Tutorial:-Get-Started ).

Either way, i think this should be documented and explained in the best practices documentation. Right now there is no explaination about is_safe or any usage example.

There are probably many ways to solve this like adding a usage example that uses {{ comment.body|escape|md2html }} and explains why you have to escape or leave that out and just have some sort of warning-text that tells the reader about the issue and the possible solutions.

I can update the documentation, but i'm not sure what kind of change would be preferred.