
dinod's avatar
Level 1

Laravel Blade vs Twig

Hi guys,

First, let me say I like Laravel a lot. And I also like Blade.

BUT... I have a dilemma. We are planning to start a new 'larger-scale' project in a few months. We plan to create a SaaS solution where users should be able to edit templates. The project should be supported for the next 5-10 years. So we need a long-term solution. Now the problem with Blade is that you cannot sandbox it. So all users can place PHP code directly into the templates; that's a no-go. What options do we have?

Did the authors of Laravel ever consider adding a sandbox option to Blade? If we take a look at Twig, on the other hand, it offers a sandbox mode.

TWIG: "Secure: Twig has a sandbox mode to evaluate untrusted template code. This allows Twig to be used as a template language for applications where users may modify the template design. In Twig, your template designer can’t easily take shortcuts. Eg. calling a query in your templates. They’ll have to pass the result to the view or allow access to a certain function..."

It seems like Twig would be perfect for the job where users must be allowed to edit their templates in the 'cloud'? What do you guys think?

On the other hand, Symfony's official template engine is Twig. Should we just go with Symfony (which I am not very familiar with yet) or should we use the Twig Bridge module (it's on GitHub)? I don't like the idea that the TwigBridge module is maintained by one guy and if he decides to drop support for it, we have a problem. This won't happen with Symfony, since it is their official template engine.

What would you guys do?

Best regards, Jim

0 likes
6 replies
dinod's avatar
Level 1

Thank you very much for your reply, Saeed, but I am not sure if you understood my question. I need the opposite of what you have suggested. I want to isolate the templates, make them secure, prevent any PHP code from being executed in the templates and even limit access to specific functions, etc. (this is what Twig allows you to do).

If we want to run SaaS (software as a service), then we can expect hundreds of users who will use our service, and they will be able to edit the templates. If we used Blade, then ANYONE could place any code they want into the templates (even PHP and database calls!!) and basically access things they should never have access to. So this wouldn't work, right? Twig, on the other hand, allows you to 'sandbox' the templates; you can limit the access, therefore it is secure for a service where users must be able to change their templates.

Any ideas, guys? What would you do if you had this dilemma?

Best regards, Jim
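
The sandbox mode described in the posts above, as an added example that is not from any poster in this thread: a Twig allowlist policy applied to tenant-edited templates. It assumes Twig 3 installed via Composer (`twig/twig`); the `Account` class and the template strings are constructed for illustration.

```php
<?php
// Added example. Assumes twig/twig 3.x is installed via Composer.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Hypothetical view model handed to tenant templates.
final class Account
{
    public string $name = 'Acme Ltd';
    public string $apiToken = 'constructed-placeholder-token';
    public function getPlan(): string { return 'pro'; }
    public function delete(): void { /* must never be reachable from a template */ }
}

// Allowlist policy: anything not named here is rejected by the sandbox.
$policy = new SecurityPolicy(
    ['if', 'for'],                    // tags
    ['escape', 'upper'],              // filters
    [Account::class => ['getPlan']],  // callable methods, per class
    [Account::class => ['name']],     // readable properties, per class
    ['range']                         // functions
);

// Constructed templates standing in for what tenants might save.
$templates = [
    'allowed'  => 'Hello {{ account.name|upper }} ({{ account.getPlan() }})',
    'property' => '{{ account.apiToken }}',  // property not on the allowlist
    'method'   => '{{ account.delete() }}',  // method not on the allowlist
    'tag'      => '{% include "allowed" %}', // tag not on the allowlist
];

$twig = new Environment(new ArrayLoader($templates));
// Second argument true: every template is sandboxed, not only those
// wrapped in an explicit {% sandbox %} block.
$twig->addExtension(new SandboxExtension($policy, true));

foreach (array_keys($templates) as $name) {
    try {
        echo $name, ': ', $twig->render($name, ['account' => new Account()]), PHP_EOL;
    } catch (SecurityError $e) {
        // Raised for any tag, filter, function, method or property outside the policy.
        echo $name, ': blocked (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

The policy only limits what a template can reach; the objects passed into `render()` still define the exposed surface, so pass narrow view models rather than Eloquent models or service objects.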

mdecooman's avatar

Hi @dinod,

I guess you answered the question yourself ;-)

  • Do a test with https://github.com/rcrowe/TwigBridge and check the code to see how far your "technical debt" could be.
  • Or extend the Blade behaviors and make it your own contribution to the community ;-)

Personally I would stay in Laravel since it has better tools out of the box and overall because you have a better knowledge. Using TwigBridge is not an issue but you would need to understand how Twig is wrapped into Laravel. Making your own fork and going from there would not be a bad idea if you feel better to have Twig.

That said, I will not say that your 10 years plan is bad but frankly I would stick to a plan that is more about getting version 1.0 up and running ASAP and up to a number of users that gives you a break even. In 10 years the software environment will have changed drastically.

Your software architecture and how you will manage the scale (argh I said the word...) is (or should be) pretty agnostic about any "tools" you use.

Your project sounds great. Keep going ;-)

tjm's avatar

I do not like that I have to keep creating a new Twig extension for every PHP helper I create. On all my personal projects I stick to Blade, and for Viget's client projects we'll use Twig (especially since we also use Craft).

Cronix's avatar

Could you store the user-generated HTML in the DB and just inject that into your Blade view? Or are you wanting your users to be able to actually use Blade syntax in their custom templates?
