Matt Cavanagh

Reputation: 518

Symfony Twig - Allowing the use of Twig Globals in a HTML escaped element

I'm trying something rather experimental here, which I hope can be done.

I'm writing an application which has a CMS system built with it. I'm hoping to allow the user to assign their own Twig globals and use them within pages that they create.

For example, the user can create a variable called foo. In twig files you would reference this by using {{ foo }} since it's loaded into the global scope.

I would like to be able to use these global variables, however rendered within a |raw escaped element, such as a pages content.

So, currently to load an HTML element I have to use {{ page.content|raw }}. This unfortunately leads to the foo variable rendering out {{ foo }} as it's not being recognised to use it as a variable.

Is there any way of making {{ foo }} render out as the variable rather than literally?

Upvotes: 1

Views: 332

Answers (2)

Joe

Reputation: 3151

I would be extremely careful with this, running any user input through the |raw filter could lead to XSS attacks. Also you may want to read this about template injection attacks. If you are permitting your users to write twig stuff you may be at risk.

https://www.blackhat.com/docs/us-15/materials/us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf

As for a solution to your question.

Maybe you could use includes

{% include 'AcmeYourBundle:User:PageOutput.html.twig' with {'userVars': UserVars} only %}

Where UserVars are the variables from your user. You could then do a

{% for var in UserVars %}

in the template include.

Upvotes: 0

Carlos Granados

Reputation: 11351

Use the template_from_string twig function:

http://twig.sensiolabs.org/doc/functions/template_from_string.html

Upvotes: 1
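The two answers fit together: template_from_string compiles the stored page content as a Twig template, so {{ foo }} inside it is resolved as a global and autoescaped instead of being printed literally, and the injection risk Joe points to is contained by running that compiled template inside Twig's sandbox. The PHP below is an added example written for this thread, not code from either answer or from the Twig project. It assumes Twig 3 installed via Composer, a layout template named page.html.twig, a deliberately small SecurityPolicy, and a constructed sample page array; all of those are my choices.

```php
<?php
// Added example: render CMS-authored page content that references a Twig global,
// using template_from_string() inside a sandbox. Assumes twig/twig via Composer.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Extension\StringLoaderExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// The page layout is developer-controlled and rendered unsandboxed. Only the
// user-authored page.content goes through template_from_string, and the
// include() call enables the sandbox for exactly that template.
$loader = new ArrayLoader([
    'page.html.twig' => <<<'TWIG'
<h1>{{ page.title }}</h1>
<div class="content">{{ include(template_from_string(page.content), sandboxed = true) }}</div>
TWIG,
]);

$twig = new Environment($loader, ['autoescape' => 'html']);
$twig->addExtension(new StringLoaderExtension()); // provides template_from_string()

// Allow-list for user-authored templates (assumed policy, tighten as needed).
// Anything outside it raises a SecurityError at render time. Note that |raw is
// not allowed, so a user cannot switch escaping off, and 'escape' is listed
// because autoescaping inserts it implicitly.
$policy = new SecurityPolicy(
    ['if', 'for'],                // allowed tags
    ['escape', 'upper', 'lower'], // allowed filters
    [],                           // allowed methods
    [],                           // allowed properties
    []                            // allowed functions
);
$twig->addExtension(new SandboxExtension($policy));

// A global defined by the CMS user, as in the question. Its value is
// HTML-escaped wherever it is printed.
$twig->addGlobal('foo', 'Hello <b>world</b>');

// Constructed sample page: markup the CMS user stored, referencing the global.
$page = [
    'title'   => 'Demo',
    'content' => '<p>Value of foo: {{ foo }}</p>',
];

echo $twig->render('page.html.twig', ['page' => $page]), PHP_EOL;

// Content that reaches for something outside the policy is refused instead of
// executed; the application can log this and show an error to the editor.
$page['content'] = '{{ foo|raw }}';
try {
    $twig->render('page.html.twig', ['page' => $page]);
} catch (SecurityError $e) {
    echo 'Rejected user template: ', $e->getMessage(), PHP_EOL;
}
```

In the first render the literal <p> markup the user wrote is emitted as-is (the include() function marks its result safe, so the page is not double-escaped) while {{ foo }} is interpolated and escaped; in the second, the disallowed |raw filter makes Twig throw a SecurityError before any output is produced. The policy arrays are where the real decision lives: every tag, filter, function, method and property you add to them is something a CMS user can invoke.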
