Depends on #1996910: Add context to system filters

Since Twig is now in core, and with the above patch, giving the ability to filter using the Twig rendering engine will give the power of the PHP filter without the security implications.

With Twig with have control blocks, i.e. if, for, etc that give so much power in how the content will be rendered.

So an example in a Commerce module instead of creating a token to display all the items purchased, these can be rendered individually.

{% for item in transaction.items %}
{{ item.title }} {{ item.cost }}
{% endfor %}

Or even when sending a email when the user is created. we could add a list of roles

{% spaceless %}
{% for role in account.roles %}
{{ role.name }} 
{% endfor %}
{% endspaceless %}

This is extremely powerful, and is already built into Drupal 8, so adding the ability to filter by this is something that should be also done.

CommentFileSizeAuthor
#15 drupal9.filter-module.1996922-14.patch2.5 KBgordon
#14 drupal9.filter-module.1996922-14.patch53 bytesgordon
#11 0002-Add-new-Twig-filter.patch2.48 KBgordon
#8 0002-Add-new-Twig-filter.patch2.45 KBgordon
#2 0002-Add-new-Twig-filter.patch2.37 KBgordon
#1 0002-Add-new-Twig-filter.patch2.58 KBgordon
0002-Add-new-Twig-filter.patch1.59 KBgordon
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

gordon’s picture

gordon CreditAttribution: gordon commented
FileSize
0002-Add-new-Twig-filter.patch2.58 KB

I have updated the twig filter to work with the new filtering system

Also I have found that the twig filter will work in a WYSIWYG editor unlike the php filter which doesn't

gordon’s picture

gordon CreditAttribution: gordon commented
FileSize
0002-Add-new-Twig-filter.patch2.37 KB

Minor cleanup

cweagans’s picture

cweagans
He/Him
Primary language English
Location Boise, ID, USA
CreditAttribution: cweagans commented

It seems to me that this would be best left to contrib.

gordon’s picture

gordon CreditAttribution: gordon commented

Actually if you take a look at this, the core of this is about 4 lines.

Twig itself is in core, and this is really a small change, also using Twig makes much more sense than using the PHP filter in core.

I already have this as a contrib module for D7 http://drupal.org/sandbox/gordon/1991592 (just waiting on a patch to the entity module)

Also given that Twig allows for controlling flow within the text which no other filter can do except the PHP filter and doesn't have the inherited security issues.

I will not be disappointed it this ends up in contrib, but I feel makes more sense in core.

But this does depend on #1996910: Add context to system filters which I feel is much more important to get into core.

cweagans’s picture

cweagans
He/Him
Primary language English
Location Boise, ID, USA
CreditAttribution: cweagans commented

It doesn't matter how many lines it is. If you're entering PHP/Twig code from the UI, you're doing it wrong. Period.

gordon’s picture

gordon CreditAttribution: gordon commented

I agree that PHP should be discouraged, In fact with Twig being avaliable I think that the PHP filter should be removed from core.

Twig is completely secure, and sandboxed, so no matter what a user can do they cannot access anything we do not let them.

Here is an extract from the Twig home page

Secure: Twig has a sandbox mode to evaluate untrusted template code. This allows Twig to be used as a template language for applications where users may modify the template design.
Flexible: Twig is powered by a flexible lexer and parser. This allows the developer to define its own custom tags and filters, and create its own DSL.

This is why we chose it for the new templating engine, and I beleive this makes sense to be a filter in core. Give us huge functionality with none of the draw backs that the PHP filter gives us.

cweagans’s picture

cweagans
He/Him
Primary language English
Location Boise, ID, USA
CreditAttribution: cweagans commented

This is not a matter of security. If you can write code, do it in a code editor and put it in the appropriate place in the filesystem. We absolutely should not make it easy to do it wrong.

gordon’s picture

gordon CreditAttribution: gordon commented
FileSize
0002-Add-new-Twig-filter.patch2.45 KB

You can't always push these things into code, creating complex mail templates is always a pain, or even in modules like rules where you are giving users access to PHP for complex templates output being able to get a middle ground in using Twig will allow for so much, but without being able to kill your site is so much better.

Sometimes doing it in code is just going to take too long esp when you have a major deadline, so having Twig avaliable means you have a good middle ground, the power of PHP without the problems associated with it.

Also I have updated the patch to stop broken Twig syntax from bring down the system.

cweagans’s picture

cweagans
He/Him
Primary language English
Location Boise, ID, USA
CreditAttribution: cweagans commented

Sometimes doing it in code is just going to take too long esp when you have a major deadline,

This is exactly the mentality that leads to broken sites. Doing it in the UI may save you time up front, but it usually ends up in more time spent down the road de-crapifying the setup (for instance, wanting to do something more complex than what entering PHP through the UI will let you do).

In this case, you'd only be able to override markup with the context that's passed, which is what templates allow you to do.

So why should we do this when doing the same thing the correct way is like this:

1) Copy base template to theme folder
2) Change markup
3) Clear cache

This is not a difficult or time consuming process, and it certainly doesn't warrant allowing users to enter template code in the UI.

sdboyer’s picture

sdboyer CreditAttribution: sdboyer commented
Version: 8.x-dev » 9.x-dev
Status: Needs review » Needs work

we've discussed the possibility of writing Twig from the browser a fair bit, and while i'm not categorically opposed to the idea, my concern would be that the user has no insight into what variables are available for use in the template. without that information, the feature is incomplete.

more importantly, though, this is a feature, and the time for those is past. so, moving to 9.x.

gordon’s picture

gordon CreditAttribution: gordon commented
Status: Needs work » Needs review
FileSize
0002-Add-new-Twig-filter.patch2.48 KB

Updated version of the patch

jthorson’s picture

jthorson CreditAttribution: jthorson commented
Version: 9.x-dev » 8.x-dev

Retriggering patch.

jthorson’s picture

jthorson CreditAttribution: jthorson commented
Version: 8.x-dev » 9.x-dev
gordon’s picture

gordon CreditAttribution: gordon commented
FileSize
drupal9.filter-module.1996922-14.patch53 bytes

Updated Patch

gordon’s picture

gordon CreditAttribution: gordon commented
FileSize
drupal9.filter-module.1996922-14.patch2.5 KB

Missed the patch

catch’s picture

catch
he/him
Primary language English
CreditAttribution: catch commented
Version: 9.x-dev » 8.1.x-dev
Issue summary: View changes
joelpittet’s picture

joelpittet
Primary language English
Location Vancouver
CreditAttribution: joelpittet as a volunteer commented

Head's up I have this started in a sandbox and it may make it's way into twig module.

https://www.drupal.org/sandbox/joelpittet/2612292

mikeker’s picture

mikeker CreditAttribution: mikeker as a volunteer commented

@joelpittet's sandbox has made it into the Twig contrib module. See #2388441: Plans for Drupal 8.

Regarding the earlier discussion about code in the UI:

If you can write code, do it in a code editor and put it in the appropriate place in the filesystem. We absolutely should not make it easy to do it wrong.

That greatly depends on what you consider "code." Sure, PHP in the UI was a kludgy workaround with all sorts of problems. But we support (even encourage) content editors to write HTML in the node body field, and provide site builders the tools to limit that HTML so that editors don't break layouts or add XSS holes.

Twig provides a limited, sandboxed set of tools for generating HTML. There's no way to touch the DB. Yes, you can include business logic in your display but that's not a security issue, that's a site architecture decision.

Having a Twig text formatter (either in core or contrib, but I would prefer to see it in core) is just another way to allow editors to generate HTML while giving site builders the tools they need to limit that HTML.

Version: 8.1.x-dev » 8.2.x-dev

Drupal 8.1.0-beta1 was released on March 2, 2016, which means new developments and disruptive changes should now be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.0-beta1 was released on August 3, 2016, which means new developments and disruptive changes should now be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.0-alpha1 will be released the week of January 30, 2017, which means new developments and disruptive changes should now be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

joelpittet’s picture

joelpittet
Primary language English
Location Vancouver
CreditAttribution: joelpittet as a volunteer commented
Status: Needs review » Closed (won't fix)

This is in https://www.drupal.org/project/twig, likely not going to get into core, if the up take on that module is big, maybe it will get into core one day.