VHost Templating using Twig #435
Draft
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
I will come back to this later but why would we twig while we have blade? |
|
Security. Blade is great for static templates, but for dynamic templates, we don't want the "power" of blade and it's php + other elevated directives. Twig is lightweight and secure, and works without needing to "hack" out any unsecure functions. |
|
Will pause on this one until we've had the opportunity to discuss further. Feel free to message/call me on Discord when you are available. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Allows dynamic VHost configuration using Twig template engine.
This means a single VHost template can be used, and it supports all languages, HTTP/HTTPS and forced HTTPS without wiping out the users changes each deploy/change.
Process Flow
Site Creation
Update VHost
Task List
Resolves #303
Design Decisions
Twig vs Blade
When users need to create or edit templates in PHP/Laravel apps, Twig is generally the safer choice than Blade because it runs in a protected environment and lets you control exactly what users can access. Unlike Blade, which allows direct PHP execution and unrestricted access to functions and variables, Twig keeps things locked down by default.
Sandboxing
Twig is designed with sandboxing in mind and can strictly control what users can do in templates
Blade is designed to be a full-featured template engine with access to PHP, making it riskier for user templates
PHP Access
Twig by default doesn't allow any PHP execution
Blade allows direct PHP execution with php directives, making it dangerous for user templates, it's not trivial to disable this
Function Access
Twig lets you explicitly whitelist which functions users can access
Blade has access to all PHP functions by default, which is a major security risk for user provided/edited templates
Variable Handling
Twig implements a strict system where variables must be explicitly passed to templates and undefined variables trigger errors by default. In contrast, Blade offers a more flexible approach, allowing direct access to any variables within the current scope, including global variables, and takes a more permissive stance when dealing with undefined variables.