The most common critical vulnerability in websites is Cross-Site Scripting (XSS). It allows an attacker to insert a malicious script into a page that executes in the browser of an unsuspecting user. It can modify the page, obtain sensitive information or even steal the user's identity.
Templating systems fail to defend against XSS. Latte is the only system with an effective defense, thanks to context-sensitive escaping.
Anyone who wants a well-secured website uses Latte.
Quiz: Can you defend against XSS vulnerability?
Source: Acunetix Web Vulnerability Report
Example of automatic escaping of the $text
variable in several
different contexts (you can edit the top template):
{var $text = "O'Neill"} - in text: <span>{$text}</span> - in attribute: <span title={$text}></span> - in unquoted attribute: <span title={$text}></span> - in JavaScript: <script>var = {$text}</script>
- in text: <span>O'Neill</span> - in attribute: <span title='O'Neill'></span> - in unquoted attribute: <span title="O'Neill"></span> - in JavaScript: <script>var = "O'Neill"</script>
We're not kidding, you already know the Latte language. You already know how to write expressions in it. In fact, they are written exactly just like in PHP. So you don't have to think about how to write things in Latte. You don't have to look in the documentation. You don't have to learn another language. You just write like in PHP. More about Latte syntax
<ul>
{foreach $users as $user}
<li>{$user->name}</li>
{/foreach}
</ul>
{if $post->status === Status::Published}
Read post
{elseif count($posts) > 0}
See other posts
{/if}
{$product?->getDiscount()}
{$foo[0] + strlen($bar[Bar::Const])}
{array_filter($nums, fn($n) => $n < 100)}
Latte is based on PHP, whereas Twig is based on Python. A designer in Latte
doesn't have to constantly switch between two different conventions. For
example, between for person in people
in templates and
foreach $people as $person
in PHP. He doesn't even have to think
about where to use {% %}
and where to use {{ }}
,
because Latte has one {...}
delimiter.
Try the Twig to Latte tool.
<ul>
{foreach $foo->items as $item}
<li>{$item->name}</li>
{/foreach}
</ul>
<ul>
{% for item in foo.items %}
<li>{{ item.name }}</li>
{% endfor %}
</ul>
Users love this feature. We call it n:attributes. Any paired
tags, such as {if} ... {/if}
, wrapping an HTML element can be
written as its n:if
attribute. This makes for a very efficient
notation. Attributes can also have inner-
and tag-
prefixes, then the behavior applies to the inside of the element respectively
the opening and ending HTML tags. More about n-attributes
Using n:attributes:
<ul n:if="count($menu) > 1" class="menu">
<li n:foreach="$menu as $item">
<a n:tag-if="$item->href" href={$item->href}>
{$item->caption}
</a>
</li>
</ul>
And the Same Without Them:
{if count($menu) > 1}
<ul class="menu">
{foreach $menu as $item}
<li>
{if $item->href}<a href={$item->href}>{/if}
{$item->caption}
{if $item->href}</a>{/if}
</li>
{/foreach}
</ul>
{/if}
Latte has native support in NetBeans and an excellent plugin for PhpStorm that suggests tags, filters and PHP code.
Stay in touch. The plugin for Tracy informs you on each page which templates and which variables are being rendered.
Latte is a next generation templating system – it understands HTML. Where other systems see only a bunch of characters, Latte sees HTML elements. This is the reason why it has two amazing features like context-sensitive escaping and n:attributes.
How Blade, Twig and other systems see the template
░░░░░░░░░░░░░░░
░░░░░░
░░░░░░
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░@yield ('description')░
░░░░░░░
░░░░░░
░░░░░░░░░░░░░░░░░░░░░░░
@foreach ($navigation as $item)
░░░░░░░░░░░░{{$item->link}}░{{$item->title}}░░░░░░░
@endforeach
░░░░░
░░░░░░░░
░░░░░░░░░░░░{{ $appName }}░
░░░░░░░░░
░░░░░░░
░░░░░░░
How Latte sees the template
<!DOCTYPE html>
<html>
<head>
<title>It's all about context</title>
<meta name="description" content={include description}>
</head>
<body>
<ul class="navigation">
{foreach $navigation as $item}
<li><a href={$item->link}>{$item->title}</a></li>
{/foreach}
</ul>
<script>
var appName = {$appName};
</script>
</body>
</html>
Sophisticated template reuse and inheritance mechanisms increase your productivity because each template contains only its unique content, and repeated elements and structures are reused.
The Latte has an armoured bunker right under the hood. It's called sandbox mode, and it isolates templates from untrusted sources, such as those edited by users themselves. It gives them limited access to tags, filters, functions, methods, etc. How does it work?
Latte compiles template down to the optimal PHP code at the same time as you work. So it is as quick as if you created purely PHP. The compiled PHP code is clear and easy to debug. The template is automatically recompiled each time we change the source file.
We have been developing Latte for over 15 years- and counting! Libraries we provide are therefore highly mature, stable, and widely used. They are trusted by a number of global corporations and many significant websites rely on us. Who uses and trusts Latte?
Readers praise documentation for clarity and completeness. We wish you a pleasant reading.
Latte is open source and completely free to use.
How can you detect errors in templates in a timely manner? You have several methods at your disposal.