
In my laravel app I want end users to be able to customize some email content and some page content.

So in my SaaS product they can customize the welcome email, or the page once someone joins the platform.

I am currently just providing them a few placeholders to use; ie

Hello $FirstName$,

and then in my code I simply do

$content = str_replace(['$FirstName$', '....'...

That way I know they are not going to add any PHP or anything. However, I need to do an if statement and loop over an object, so I have hit the limits of my str_replace method.

I can't use Blade because it allows them to use <?php, so they could then mess with the app.

Twig sounds like it could be a good fit.

So:

  • Users edit content and that is saved to the database.
  • I would pass a couple of objects which had values they can use
  • Safe and secure; not be able to call php / break out of the template
  • Loop and check things with IF statements.

Is there something like that?

Wizzard
  • Relevant question? http://stackoverflow.com/questions/12524712/templating-in-laravel – aug Aug 01 '15 at 01:54
  • 1
    A simple search-and-replace should do the trick... – Sverri M. Olsen Aug 01 '15 at 01:57
  • @SverriM.Olsen That is what I am currently doing, but I now want to do an if statement. – Wizzard Aug 01 '15 at 01:58
  • @aug No, this is templates for the client to use in emails. They can customize them in the admin area. – Wizzard Aug 01 '15 at 01:58
  • Ahh I see my bad. Can you elaborate more on the issue you have with looping through the object and checking with if statements? I'm still not sure what the issue with that is. – aug Aug 01 '15 at 02:14
  • xTemplate, old but it's 1 file, it doesn't have ifs per se but it does have blocks that you have to `parse` which can be used as an if or even a loop; at the core it uses explode on the blocks. I need to get my GitHub set up on here.... I have a modified version that does ifs and loops. Then there is this but it's still alpha https://github.com/ArtisiticPhoenix/Jet – ArtisticPhoenix Aug 01 '15 at 02:18
  • @aug In the admin area of my app I have a textarea field where users can type in how they want the emails sent to them. They can currently use placeholders for things (ie $FirstName). But I need to let them do an if statement and a loop. Then, when the app needs to send the email it parses that text and sends the email. – Wizzard Aug 01 '15 at 07:16
  • @ArtisiticPhoenix close but that goes too far I think. – Wizzard Aug 01 '15 at 07:17
  • @Wizzard ~ here is xTemplate http://www.phpxtemplate.org/XTemplateDownloads, circa 2011. It's old but it works quite well. At the very least it might get you started on a custom solution, because I think using both Twig and Blade is a bit (as you said) overkill – ArtisticPhoenix Aug 01 '15 at 20:06

1 Answer


Yes, Twig supports loading untrusted templates with the sandbox extension.

The sandbox extension can be used to evaluate untrusted code. Access to unsafe attributes and methods is prohibited. The sandbox security is managed by a policy instance. By default, Twig comes with one policy class: Twig_Sandbox_SecurityPolicy. This class allows you to white-list some tags, filters, properties, and methods:

$tags = array('if');
$filters = array('upper');
$methods = array(
    'Article' => array('getTitle', 'getBody'),
);
$properties = array(
    'Article' => array('title', 'body'),
);
$functions = array('range');
$policy = new Twig_Sandbox_SecurityPolicy($tags, $filters, $methods, $properties, $functions);

You would then use it like this:

{% sandbox %}
    {% include 'user.html' %}
{% endsandbox %}

There is no way to execute raw PHP from twig templates by default, so your users would not be able to abuse the system too much. They could still potentially cause infinite loops, but no system that allows more than string replacement can prevent that.

Anonymous
  • Yeah, I think this is sounding like the way to go. Looking at the docs though, how would you parse the template? There isn't an HTML file as such; it's going to be stored in the DB, so I need to parse the template as a string and return it. – Wizzard Aug 01 '15 at 23:32
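An added, runnable example (not the answer's code and not from the Twig project) that covers both the whitelist the answer describes and the follow-up question about rendering a template that lives in the database as a string rather than as a file. It uses Twig's namespaced classes (`Twig\Sandbox\SecurityPolicy`, `Twig\Extension\SandboxExtension`, available in Twig 2 and 3; the `Twig_Sandbox_SecurityPolicy` name in the answer is the Twig 1.x equivalent), an `ArrayLoader` to feed the stored string in, and turns the sandbox on globally so no trusted `{% sandbox %}` wrapper is needed. The `Member` class, the `renderUserTemplate` helper and the sample template text are assumptions made up for this example.

```php
<?php
// Added example: render a user-authored template (stored as a string in the
// database) under Twig's sandbox with an explicit whitelist.
// Assumes twig/twig installed via Composer (Twig 2.x/3.x class names).
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\Extension\SandboxExtension;
use Twig\Sandbox\SecurityPolicy;
use Twig\Sandbox\SecurityError;

// Hypothetical value object handed to the template. Only the members listed
// in the policy below become reachable from template code.
final class Member
{
    public string $firstName;
    public array $groups; // list of group names

    public function __construct(string $firstName, array $groups)
    {
        $this->firstName = $firstName;
        $this->groups = $groups;
    }

    public function isAdmin(): bool
    {
        return in_array('admin', $this->groups, true);
    }

    // Must never be reachable from a user template; it is deliberately
    // left out of the whitelist.
    public function getPassword(): string
    {
        return 'secret';
    }
}

function renderUserTemplate(string $source, array $vars): string
{
    // Whitelist of tags, filters, methods (per class), properties (per class)
    // and functions. 'range' is left out on purpose: range(0, 10000000) is a
    // cheap way to make the server build a huge array. Tag/filter/function
    // checks happen at compile time; method/property checks happen at render
    // time, so both are exercised by a render.
    $policy = new SecurityPolicy(
        ['if', 'for'],                          // allowed tags
        ['upper', 'escape', 'length'],          // allowed filters
        [Member::class => ['isAdmin']],         // allowed methods
        [Member::class => ['firstName', 'groups']], // allowed properties
        []                                      // allowed functions: none
    );

    // The template text comes from the DB, so use ArrayLoader instead of a
    // filesystem loader; 'user_tpl' is just the key we render by.
    $twig = new Environment(new ArrayLoader(['user_tpl' => $source]), [
        'autoescape'       => 'html',  // output lands in an HTML email/page
        'strict_variables' => true,    // typo in a variable name fails loudly
        'cache'            => false,
    ]);
    // Second argument true: every template is sandboxed, no {% sandbox %} needed.
    $twig->addExtension(new SandboxExtension($policy, true));

    return $twig->render('user_tpl', $vars);
}

// Constructed sample: what an admin typed into the textarea and saved.
$stored = <<<'TWIG'
Hello {{ member.firstName|upper }},
{% if member.isAdmin %}You have admin rights.{% endif %}
Your groups:
{% for g in member.groups %}- {{ g }}
{% endfor %}
TWIG;

$member = new Member('Ann <b>', ['staff', 'admin']);
echo renderUserTemplate($stored, ['member' => $member]);
// The "<b>" in the name is emitted as &lt;b&gt; because of autoescape.

// Anything outside the whitelist is refused with a SecurityError. Catching
// it at save time (for tags/filters/functions) and at send time (for
// methods/properties) lets you show the admin an error instead of a 500.
$bad = [
    '{{ member.getPassword() }}',   // method not whitelisted (runtime)
    '{% set x = 1 %}{{ x }}',       // tag not whitelisted (compile time)
    '{{ range(0, 5)|length }}',     // function not whitelisted (compile time)
];
foreach ($bad as $tpl) {
    try {
        renderUserTemplate($tpl, ['member' => $member]);
    } catch (SecurityError $e) {
        echo 'rejected: ' . $e->getMessage() . "\n";
    }
}
```

Note that the whitelist is the whole security boundary: every method you list on a passed object is callable with attacker-chosen arguments, so pass small read-only value objects (or plain arrays) rather than Eloquent models, whose many methods would be one policy typo away from being reachable.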