TWIG Security

[benanamen]

Security is the biggest problem when misusing PHP as a template engine. A “PHP template” is technically a full-blown application which may do absolutely anything: issue shell commands, write files, communicate with other hosts. Why on earth should a template have this power? Its sole purpose is to generate HTML, so it shouldn't do anything other than that.

 

After reading many comments from @Jaques1 on using Twig and especially the quoted post by him I decided to learn Twig which is actually very easy to use.

 

My question is, since anyone can view the template/twig source, is there any security issues with that? Also, what is the proper file extension for a twig template? I have seen .twig, .htm, .html. .phtml, .tpl and more.

Edited August 8, 2016 by benanamen

[Jacques1]

My question is, since anyone can view the template/twig source, is there any security issues with that?

 

Why can anyone view the templates? If you're storing them inside the document root, don't. The templates aren't meant for the end user, so there's no reason to publish them.

 

Ideally, there shouldn't be any security issues, just like it shouldn't be a problem to publish the entire source code (without the configuration) on GitHub. But maybe there's still a piece of information somewhere which you don't want the whole world to see.

 

 

 

Also, what is the proper file extension for a twig template? I have seen .twig, .htm, .html. .phtml, .tpl and more.

 

Technically, you can use any extension you want, it doesn't matter. I wouldn't necessarily use ".html", because that makes it look like the file is static HTML. But ".twig" or ".tpl" are fine. I tend to use ".twig", because it's a pre-registered extension for Twig in PhpStorm.

Edited August 8, 2016 by Jacques1

[benanamen]

Thank @Jaques1,

Outside the root is perfect. Just didn't know how twig is generally handled. I guess a template is a template in regards to where to store it. My editor (Webuilder) also supports .twig plus it clearly identifies the file is not only a template, but a twig template.

 

One other thing, does auto escaping default to on? Couldn't quite grasp it from the docs.

[Jacques1]

One other thing, does auto escaping default to on?

 

Yes, but I'd enable it anyway and also set the character encoding: Twig environment options

[gizmola]

Twig code is compiled into php code, at least when used in a symfony project. There is absolutely no way you should have twig template files under the web root as Jacques commented earlier. Quite frankly with a front controller, there is really no code other than the front controller and static assets that should go under the webroot.

[ignace]

Twig code is compiled into php code, at least when used in a symfony project.

It's always compiled to PHP. When debug is enabled, it's re-compiled on each load.

Turn debug off during development and none of your changes will come trough.