
TWIG Security


benanamen

Recommended Posts

Security is the biggest problem when misusing PHP as a template engine. A “PHP template” is technically a full-blown application which may do absolutely anything: issue shell commands, write files, communicate with other hosts. Why on earth should a template have this power? Its sole purpose is to generate HTML, so it shouldn't do anything other than that.

 

After reading many comments from @Jaques1 on using Twig and especially the quoted post by him I decided to learn Twig which is actually very easy to use.

 

My question is, since anyone can view the template/twig source, are there any security issues with that? Also, what is the proper file extension for a twig template? I have seen .twig, .htm, .html, .phtml, .tpl and more.

Edited by benanamen

My question is, since anyone can view the template/twig source, are there any security issues with that?

 

Why can anyone view the templates? If you're storing them inside the document root, don't. The templates aren't meant for the end user, so there's no reason to publish them.

 

Ideally, there shouldn't be any security issues, just like it shouldn't be a problem to publish the entire source code (without the configuration) on GitHub. But maybe there's still a piece of information somewhere which you don't want the whole world to see.


Also, what is the proper file extension for a twig template? I have seen .twig, .htm, .html, .phtml, .tpl and more.

 

Technically, you can use any extension you want, it doesn't matter. I wouldn't necessarily use ".html", because that makes it look like the file is static HTML. But ".twig" or ".tpl" are fine. I tend to use ".twig", because it's a pre-registered extension for Twig in PhpStorm.

Edited by Jacques1

Thanks @Jaques1,

Outside the root is perfect. Just didn't know how twig is generally handled. I guess a template is a template in regards to where to store it. My editor (Webuilder) also supports .twig plus it clearly identifies the file is not only a template, but a twig template.

 

One other thing, does auto escaping default to on? Couldn't quite grasp it from the docs.


Twig code is compiled into PHP code, at least when used in a Symfony project. There is absolutely no way you should have Twig template files under the web root, as Jacques commented earlier. Quite frankly, with a front controller there is really no code other than the front controller and static assets that should go under the web root.

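The layout the thread recommends (a single front controller under the web root, templates one level above it) together with an explicit autoescape setting, as an added example that is not code from the thread. It assumes Twig 3 installed via Composer; the paths, template name and sample input are hypothetical, and the in-memory template only stands in for templates/page.twig so the script runs on its own.

```php
<?php
// public/index.php: the only PHP file under the web root (added example, not from the thread).
// Assumes Twig 3 via Composer; directory names are hypothetical.
require __DIR__ . '/../vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\Loader\FilesystemLoader;

// Templates live in ../templates, a sibling of public/, so the web server can
// never serve a raw .twig file no matter what extension it carries.
$templatesDir = __DIR__ . '/../templates';

// Constructed in-memory template used when the directory is absent, so this
// demo runs stand-alone. In a real project only the FilesystemLoader is needed.
$loader = is_dir($templatesDir)
    ? new FilesystemLoader($templatesDir)
    : new ArrayLoader([
        'page.twig' => "<h1>Hello {{ name }}</h1>\n"                    // HTML-escaped by autoescape
                     . "<a href=\"/u/{{ name|url_encode }}\">profile</a>\n" // URL context: explicit filter
                     . "<script>var n = {{ name|escape('js') }};</script>\n", // JS context: explicit strategy
    ]);

$twig = new Environment($loader, [
    // Twig 3 defaults to 'html'; setting it explicitly makes the intent visible in review.
    'autoescape'       => 'html',
    // Compiled PHP is written here, also outside the web root.
    'cache'            => sys_get_temp_dir() . '/twig_cache',
    // Undefined variables throw instead of silently rendering as empty strings.
    'strict_variables' => true,
]);

// Untrusted input (constructed) as it would arrive from a query string; the
// template never uses |raw on it, which is the one way to opt out of escaping.
$name = $_GET['name'] ?? '<img src=x onerror="alert(1)">';

echo $twig->render('page.twig', ['name' => $name]);
```

Autoescape only covers the HTML body context; attribute URLs and inline script need the context-specific filters shown above.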
