twig

The flexible, fast, and securetemplate engine for PHP
and
Drupal 8

overview

  • Twig in general
  • Why twig in Drupal 8
  • Twig's solutions to Drupal's problem
  • Current state of the project and conclusion

twig in general

  • Used in Symfony and other projects
  • Twig isnot Symfony component
  • Inspired by Django, originally by Armin Ronacher, via and maintained by Fabien Potencier.
{{ var }}
{{ var|escape }}
{{ var|e }}         {# shortcut to escape a variable #}
Template oriented syntax: Twig has shortcuts for common patterns, like having a default text displayed when you iterate over an empty array:
{% for user in users %}
    * {{ user.name }}
{% else %}
    No users have been found.
{% endfor %}

Full Featured: Twig supports everything you need to build powerful templates with ease: multiple inheritance, blocks, automatic output-escaping, and much more:

{% extends "layout.html" %}

{% block content %}
    Content of the page...
{% endblock %}

LANGUAGE FEATURE

  • control structure
  • tests
  • variables
  • logic
  • math

control structure

{% for topic, messages in topics %}
    * {{ loop.index }}: {{ topic }}
  {% for message in messages %}
      - {{ loop.parent.loop.index }}.{{ loop.index }}: {{ message }}
  {% endfor %}
{% endfor %}
The output will similar to
* 1: topic1
  - 1.1: The message 1 of topic 1
  - 1.2: The message 2 of topic 1
* 2: topic2
  - 2.1: The message 1 of topic 2
  - 2.2: The message 2 of topic 2

VARIABLE

        {{ foo.bar }}
    

    {{ foo
    [
    'bar'
    ] }}


    {# equivalent to the non-working foo.data-foo #}
    
        
{{ attribute
        (
        foo
        , 'data-foo'
        ) }}

For convenience sake foo.bar does the following things on the PHP layer:

  • check if foo is an array and bar a valid element;
  • if not, and if foo is an object, check that bar is a valid property;
  • if not, and if foo is an object, check that bar is a valid method (even if bar is the constructor - use __construct() instead);
  • if not, and if foo is an object, check that getBar is a valid method;
  • if not, and if foo is an object, check that isBar is a valid method;
  • if not, return a null value.
foo['bar'] on the other hand only works with PHP arrays:

  • check if foo is an array and bar a valid element;
  • if not, return a null value.

  • extends
  • include
  • use
  • block

TWig in Drupal 8

PHP is a template language?

Yes, but

<?php echo $var; // How to prevent XSS attach here??>
It can solve by:
<?php echo htmlspecialchars($var, ENT_QUOTES, 'UTF-8') ?>

But's how about:

<?php db_query('DROP TABLE {node}');?>
<?php unlink('public://myfile.pdf');?>


PHP template is insecure


<?php db_query('DROP TABLE {node}');?>

It isnot possible in Twig

Twig  - Security

  • Autoescape by default
  • Sandbox

Lost of difference ways to address variables

  1. PHP Template:
  • $foo['bar']
  • $foo->bar
  • $foo->getBar()
  • $foo->isBar()
  • Twig
    • {{foo.bar}}

    The way to create markup

    theme_admin_view()

    admin-view.tpl.php


    Twig:

    admin-view.html.twig

    Too many and too cluttered templates


    IN PROGRESS

    QUESTION


    Sang Le Thanh
    twitter: sanglt
    mail: le@thanhsang.me
    Made with Slides.com