views: 110
answers: 4

(Summary: My users need to be able to edit the structure of their dynamically generated web pages without being able to do any damage.)

Greetings, ladies and gentlemen. I am currently working on a service where customers from a specific demographic can create a specific type of web site and fill it with their own content. The system is written in PHP.

Many of the users of this system wish to edit how their particular web site looks, or, more commonly, have a designer do it for them. Editing the CSS is fine and dandy, but sometimes that's not enough. Sometimes they want to shuffle the entire page structure around by editing the raw HTML of the dynamically created web pages.

The templating system used by WordPress is, as far as I can see, perfect for my use. Except for one thing which is critically important. In addition to being able to edit how comments are displayed or where the menu goes, someone editing a template can have that template execute arbitrary PHP code.

As the same codebase runs all these different sites, with all content in the same database, allowing my users to run arbitrary code is clearly out of the question.

So what I need is a dumbed-down, idiot-proof templating system where my users can edit most of the page structure on their own, pulling in the dynamic sections wherever, without being able to even echo 1+1;.

Observe the following pseudocode:

<!DOCTYPE html>
<title><!-- $title --></title>
<!-- header() -->
<!-- menu() -->
<div>Some random custom crap added by the user.</div>
<!-- page_content() -->

That's the degree of power I'd like to grant my users. They don't need to do their own loops or calculations or anything. Just include my variables and functions and leave the rest to me.

I'm sure I'm not the only person on the planet that needs something like this. Do you know of any ready-made templating systems I could use?

Thanks in advance for your reply.

+4  A: 

Why don't you use Smarty?

http://www.smarty.net/

There is a security function with customisable settings designed for exactly what you need, editing via 3rd parties.

The other way you could do it is sanitize the input when they make changes to make sure they haven't included anything inappropriate.

Cetra
Seconded, Smarty is awesome.
Chuck Vose
Smarty does indeed fulfil my most important requirement: "Security: Templates do not contain PHP code. Therefore, a template designer is not unleashed with the full power of PHP, but only the subset of functionality made available to them from the programmer (application code.)" Thanks a lot for your suggestion. But it also contains a million features I _don't_ need and would prefer not have to include. Perhaps I can pull out just the parts I care about.
Wilhelm
Well you can use the Unregister function to remove any functions you don't want: http://www.smarty.net/manual/en/api.unregister.function.php If you check the manual, there is a list of template functions that are included; you could just add a small array and a loop to remove them from the base php file using the unregister function.
Cetra
@Cetra why bother to remove? And who can be sure he removed everything?
Col. Shrapnel
Because it contains "a million features" Wilhelm doesn't need and would prefer not to include. There is a list of built in functions in the manual which, unless there's undocumented functions, can be removed if they aren't required. If there are undocumented functions you can just as easily open up the class file and have a poke around. I didn't actually say that he had to do that, just that the option is there to do it, rather than just "pulling out the parts".
Cetra
+3  A: 

I'd recommend Twig.

http://www.twig-project.org/

Particularly its sandbox mode.

Secure: Twig has a sandbox mode to evaluate untrusted template code. This allows Twig to be used as a templating language for applications where users may modify the template design.

As far as something that's as extremely simple as your example, why not just write a simple class to parse your templates? I don't think there's actually anything as super simple as you've requested being maintained and distributed as it's not very hard to write something up to do it.

Only other thing I can possibly think of is maybe mustache? Though I think its PHP implementation is pretty early in development and I'm not sure how stable or usable it is at the moment.

http://github.com/bobthecow/mustache.php

anomareh
+1  A: 

http://dwoo.org/

Dwoo is a PHP5 Template Engine that was started in early 2008. The idea came from the fact that Smarty, a well known template engine, is getting older and older. It carries the weight of its age, having old features that are inconsistent compared to newer ones; being written for PHP4, its Object Oriented aspect doesn't take advantage of PHP5's more advanced features in the area, etc. Hence Dwoo was born, hoping to provide a more up to date and stronger engine. So far it has proven to be faster than Smarty and it provides a compatibility layer to allow developers that have been using Smarty for years to switch their application over to Dwoo progressively.

Kevin
A: 

What's the difference between <!-- $title --> and <!-- header() -->?
Why not make it the same style and then just do <!-- $header --> with a simple str_replace?

Col. Shrapnel
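anomareh's suggestion to write a small parser class and Col. Shrapnel's str_replace idea come down to the same design: substitute only a whitelist of registered names and never include() or eval() the designer's template. Here is an added example of that approach (not code from the question or any answer; assumes PHP 8.0+, and the variable values, callables and designer template are constructed samples):

```php
<?php
// Added example, not code from the question or any answer: a whitelist renderer for the
// "<!-- $var -->" / "<!-- func() -->" placeholders in the question (assumes PHP 8.0+).
// The template string is never include()d or eval()ed, so a literal "<?php" in the
// designer's markup is inert text; only names registered below are ever substituted.
final class SafeTemplate
{
    /** @param array<string,string> $vars  @param array<string,callable> $funcs */
    public function __construct(private array $vars, private array $funcs) {}

    public function render(string $template): string
    {
        // Group 1: "<!-- $name -->" variable; group 2: "<!-- name() -->" function call.
        $pattern = '/<!--\s*(?:\$(\w+)|(\w+)\(\))\s*-->/';
        return preg_replace_callback($pattern, function (array $m): string {
            if ($m[1] !== '') {
                // Variables are HTML-escaped on the way out; unknown names render as nothing.
                return isset($this->vars[$m[1]])
                    ? htmlspecialchars($this->vars[$m[1]], ENT_QUOTES | ENT_HTML5, 'UTF-8')
                    : '';
            }
            // Registered callables are the only source of raw HTML, and they live in app code.
            return isset($this->funcs[$m[2]]) ? (string) ($this->funcs[$m[2]])() : '';
        }, $template);
    }
}

$tpl = new SafeTemplate(
    ['title' => 'Wilhelm & Co'],                      // constructed sample value
    [
        'header'       => fn() => '<header><h1>Site header</h1></header>',
        'menu'         => fn() => '<nav><a href="/">Home</a></nav>',
        'page_content' => fn() => '<main><p>Page body</p></main>',
    ]
);

// Constructed designer template: the PHP tag and the unregistered call both come out inert.
$userTemplate = <<<'HTML'
<!DOCTYPE html>
<title><!-- $title --></title>
<!-- header() -->
<!-- menu() -->
<div>Some random custom crap added by the user.</div>
<?php echo 1+1; ?>
<!-- not_registered() -->
<!-- page_content() -->
HTML;

echo $tpl->render($userTemplate);
```

The `<?php echo 1+1; ?>` line is sent to the browser as literal text rather than executed, and `<!-- not_registered() -->` is replaced with an empty string, so the designer's only reachable surface is the names the application chose to register.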