benanamen Posted August 8, 2016 (edited)

> Security is the biggest problem when misusing PHP as a template engine. A “PHP template” is technically a full-blown application which may do absolutely anything: issue shell commands, write files, communicate with other hosts. Why on earth should a template have this power? Its sole purpose is to generate HTML, so it shouldn't do anything other than that.

After reading many comments from @Jacques1 on using Twig, and especially the quoted post by him, I decided to learn Twig, which is actually very easy to use. My question is: since anyone can view the template/Twig source, are there any security issues with that? Also, what is the proper file extension for a Twig template? I have seen .twig, .htm, .html, .phtml, .tpl and more.

Link to comment: https://forums.phpfreaks.com/topic/301787-twig-security/
Jacques1 Posted August 8, 2016 (edited)

> My question is: since anyone can view the template/Twig source, are there any security issues with that?

Why can anyone view the templates? If you're storing them inside the document root, don't. The templates aren't meant for the end user, so there's no reason to publish them. Ideally, there shouldn't be any security issues, just like it shouldn't be a problem to publish the entire source code (without the configuration) on GitHub. But maybe there's still a piece of information somewhere which you don't want the whole world to see.

> Also, what is the proper file extension for a Twig template? I have seen .twig, .htm, .html, .phtml, .tpl and more.

Technically, you can use any extension you want; it doesn't matter. I wouldn't necessarily use ".html", because that makes it look like the file is static HTML. But ".twig" or ".tpl" are fine. I tend to use ".twig", because it's a pre-registered extension for Twig in PhpStorm.
benanamen (Author) Posted August 8, 2016

Thanks @Jacques1. Outside the root is perfect. I just didn't know how Twig is generally handled. I guess a template is a template in regards to where to store it. My editor (WeBuilder) also supports .twig, plus it clearly identifies the file as not only a template, but a Twig template. One other thing: does auto-escaping default to on? I couldn't quite grasp it from the docs.
Jacques1 Posted August 8, 2016

> One other thing: does auto-escaping default to on?

Yes, but I'd enable it anyway and also set the character encoding: Twig environment options
gizmola Posted August 10, 2016

Twig code is compiled into PHP code, at least when used in a Symfony project. There is absolutely no way you should have Twig template files under the web root, as Jacques commented earlier. Quite frankly, with a front controller there is really no code other than the front controller and static assets that should go under the webroot.
ignace Posted August 11, 2016

> Twig code is compiled into PHP code, at least when used in a Symfony project.

It's always compiled to PHP. When debug is enabled, it's re-compiled on each load. Turn debug off during development and none of your changes will come through.
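The advice in this thread (templates and compiled cache outside the document root, autoescape and charset set explicitly, debug tied to the environment) put into one minimal setup, as an added example that is not code from any of the posters. It assumes Twig 3 installed via Composer and uses placeholder paths; the template is embedded with an ArrayLoader so the file runs on its own, where a real app would point a FilesystemLoader at a directory outside the web root.

```php
<?php
// Added example, not code from the thread. Assumes Twig 3 via Composer
// (composer require twig/twig); the paths are placeholders for the app's layout.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// Debug only when explicitly requested; in production it stays off so
// templates are compiled once and then served from the cache.
$isDev = (getenv('APP_ENV') ?: 'prod') === 'dev';

// Real deployment: templates live next to the docroot, never inside it, so the
// web server cannot serve a .twig file:
//   $loader = new \Twig\Loader\FilesystemLoader(__DIR__ . '/../templates');
// Inline template here so this single file runs as-is.
$loader = new ArrayLoader([
    'greeting.twig' => '<p>Hello, {{ name }}!</p>',
]);

$twig = new Environment($loader, [
    'cache'            => __DIR__ . '/../var/twig_cache', // compiled PHP, also outside docroot
    'autoescape'       => 'html',   // the default, but stated so nobody has to guess
    'charset'          => 'UTF-8',  // escaping is charset-aware; keep it equal to the Content-Type charset
    'debug'            => $isDev,   // re-compile on every load only during development
    'strict_variables' => $isDev,   // undefined variables throw instead of rendering as empty
]);

/** Render the greeting for an untrusted name; {{ name }} is HTML-escaped by autoescape. */
function renderGreeting(Environment $twig, string $untrustedName): string
{
    return $twig->render('greeting.twig', ['name' => $untrustedName]);
}

header('Content-Type: text/html; charset=UTF-8');
// Constructed fallback input containing markup: autoescape converts the angle
// brackets to entities, so the browser shows it as text rather than as a tag.
echo renderGreeting($twig, $_GET['name'] ?? '<b>Mallory</b>');
```

Only the `|raw` filter and `{% autoescape false %}` blocks switch escaping off, so a review of the templates for those two is the check worth doing before trusting the default.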