Ok, I changed to Controller Templates. $data['query'] = Model_Artists::find('all'); $this->template->contents = View::forge('welcome/artists', $data)->auto_filter(false)->render(); The html is still showing as <h2> and not decoding.
Fuel's security model is "encode on output", unlike most other frameworks (like CI), which do "strip on input". We don't like that, as that means you may loose data before you have a chance to get hold of it.
So if you render or otherwise create HTML in your controller, it will be encoded when you send it to the view to avoid html or javascript injection. A View object is whitelisted from this process in your application config file.
Database data, like from ORM objects you pass to views, is encoded at the moment you reference it in a view, so even if your db contains some injected javascript, it will be rendered harmless by this process.
Donate
