Autoescaping is turned on by default. You can mark a section of a template to be escaped or not by using the autoescape
tag:
{% autoescape %}
Everything will be automatically escaped in this block
using the HTML strategy
{% endautoescape %}
{% autoescape 'html' %}
Everything will be automatically escaped in this block
using the HTML strategy
{% endautoescape %}
{% autoescape 'js' %}
Everything will be automatically escaped in this block
using the js escaping strategy
{% endautoescape %}
{% autoescape false %}
Everything will be outputted as is in this block
{% endautoescape %}
When automatic escaping is enabled, everything is escaped by default except for values explicitly marked as safe. Values can be marked as safe in the template by using the raw filter:
{% autoescape %}
{{ safe_value | raw }}
{% endautoescape %}
Functions and tags returning template data (like macro and parent) always return safe markup. Canvas does not re-escape a value that has already been escaped by the escape filter.
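The following Python model is an added example, not Canvas code. It shows how the same value comes out under the html, js and false settings, and how a value marked safe (as the raw filter does) skips escaping and is never escaped twice. The js rule used here (hex-escape everything except ASCII letters, digits and `,._`) is an assumption about a typical js strategy, and the names `Safe`, `raw` and `autoescape` are hypothetical.

```python
import html

class Safe(str):
    """A string already safe for output; the auto-escaper leaves it alone."""

def escape_html(value: str) -> str:
    # & < > " ' become entities: for HTML body text and quoted attributes.
    return html.escape(value, quote=True)

def escape_js(value: str) -> str:
    # Assumption: hex-escape everything except ASCII letters, digits and , . _
    out = []
    for ch in value:
        cp = ord(ch)
        if ch.isascii() and (ch.isalnum() or ch in ",._"):
            out.append(ch)
        elif cp < 0x100:
            out.append(f"\\x{cp:02X}")
        elif cp < 0x10000:
            out.append(f"\\u{cp:04X}")
        else:  # astral code point: emit a UTF-16 surrogate pair
            cp -= 0x10000
            out.append(f"\\u{0xD800 + (cp >> 10):04X}\\u{0xDC00 + (cp & 0x3FF):04X}")
    return "".join(out)

STRATEGIES = {"html": escape_html, "js": escape_js, False: lambda v: v}

def raw(value: str) -> Safe:
    # Models the raw filter: the template author vouches for the value.
    return Safe(value)

def autoescape(value: str, strategy="html") -> Safe:
    # Models one {{ value }} output inside {% autoescape strategy %}.
    if isinstance(value, Safe):
        return value  # already escaped or marked safe: no double escaping
    return Safe(STRATEGIES[strategy](value))

# Constructed sample value standing in for untrusted input.
SAMPLE = 'Tom & "Jerry" <b>'

if __name__ == "__main__":
    for strategy in ("html", "js", False):
        print(f"{strategy!s:5} -> {autoescape(SAMPLE, strategy)}")
    print("raw   ->", autoescape(raw(SAMPLE)))
```

The html output still contains `&` and `;`, which a script block would treat as literal characters, so a value placed inside JavaScript needs the js strategy; a value passed through raw is emitted byte for byte and should only ever be trusted markup.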
Canvas does not escape static expressions:
{% set hello = '<strong>Hello</strong>' %}
{{ hello }}
{{ '<strong>world</strong>' }}
This will be rendered as "<strong>Hello</strong> world".