Great for newcomers!
Just guessing, expect giving bad habbit to newcomers, why don't Symfony create a Response with this given string ?

@ScullWM allowing to return strings was discussed in the past (specially because "some frameworks" allow to do that). But it was decided to keep requiringResponse objects. At first it might be like a bad decision, but it helps newcomers realize that Symfony apps are always about HTTP Request/Response workflow. No matter if it's a silly "Hello World" app or the most complex app ever created. It's always the same: you are given a Request object and you must return a Response object.

That's why I think we should keep the current behaviour: if people learn about Request/Response soon, they will understand Symfony easier.

@javiereguiluz Is your master branch a bit outdated ? Because I made a patch recently that display a "better" trace that highlight the controller. And I can not see it on your screenshot.

Anyway, 👍 with this PR.

@lyrixx the code change and the screenshot were done in a Symfony 4.1 app and then I copied the code to the master branch 🙈

You can always create your own listener that transforms the string into a response. The SensioFrameworkExtraBundle does this for arrays with the@Template annotation.

I've updated this feature to trim long strings.

Before:

After:

About this other comment from Fabien (#27499 (comment)) I'm not sure how to solve it. Thanks!

Thanks to Twig's automatic escaping, I think we're good here. I've tested with some of the examples given by OWASP to prevent XSS (https://www.owasp.org/index.php/Testing_for_Reflected_Cross_site_scripting_(OTG-INPVAL-001)) and it looks like it's working:

Can anyone spot other "attack vectors" in this code? Thanks

Thank you@javiereguiluz.