Why Use Templates?

Why should I use a templating system in PHP?

Why use a template system in PHP when PHP itself is a templating language?

Let's first briefly recap the history of this language, which is full of interesting twists and turns. One of the first programming languages used for generating HTML pages was the C language. However, it soon became apparent that using it for this purpose was impractical. Rasmus Lerdorf thus created PHP, which facilitated the generation of dynamic HTML with the C language on the backend. PHP was originally designed as a templating language, but over time it acquired additional features and became a fully-fledged programming language.

Nevertheless, it still functions as a templating language. A PHP file can contain an HTML page, in which variables are output using <?= $foo ?>, etc.

Early in PHP's history, the Smarty template system was created, with the purpose of strictly separating the appearance (HTML/CSS) from the application logic. It deliberately provided a more limited language than PHP itself, so that, for example, a developer could not make a database query from a template. On the other hand, it represented an additional dependency in projects, increased their complexity, and required programmers to learn a new Smarty language. Whether the benefits justified these costs was controversial, and plain PHP continued to be used for templates.

Over time, template systems became genuinely useful. They introduced concepts such as inheritance, sandbox mode, and a range of other features that significantly simplified template creation compared to pure PHP. The topic of security, the existence of vulnerabilities like XSS, and the need for escaping came to the forefront. Template systems introduced auto-escaping to eliminate the risk of a programmer forgetting it and creating a serious security hole (we'll see shortly that this has certain pitfalls).

Today, the benefits of template systems far outweigh the costs associated with their deployment. Therefore, it makes sense to use them.

Why is Latte better than Twig or Blade?

There are several reasons – some are pleasant and others are immensely useful. Latte is a combination of pleasant and useful.

First, the pleasant: Latte has the same syntax as PHP. The only difference is in the notation of tags, preferring shorter { and } instead of <?= and ?>. This means that you don't have to learn a new language. Training costs are minimal. Most importantly, during development, you don't have to constantly “switch” between the PHP language and the template language, since they are both the same. This is unlike Twig templates, whose syntax is modelled on Python's Jinja2 and Django template languages rather than on PHP, forcing the programmer to switch between two different languages.

Now for the immensely useful reason: All template systems, like Twig, Blade, or Smarty, have evolved to include protection against XSS in the form of automatic escaping. More precisely, they automatically apply htmlspecialchars() (or its equivalent) to every output, regardless of where in the document that output lands. However, the creators of Latte realized that this is not the right solution at all, because different parts of the document require different escaping methods: htmlspecialchars() does nothing against a javascript: URL in an href attribute, does not quote a value placed in an unquoted attribute, and produces entities, not valid JavaScript, inside a <script> block. Naive auto-escaping is a dangerous feature because it creates a false sense of security.

For auto-escaping to be functional and reliable, it must recognize where in the document the data is being output (we call these contexts) and choose the escaping function accordingly. Therefore, it must be context-sensitive. And this is what Latte can do. It understands HTML. It doesn't perceive the template as just a string of characters but understands what tags, attributes, etc., are. Therefore, it escapes differently in HTML text, within HTML tags, inside JavaScript, etc.: the same value is entity-encoded in text, quoted and encoded in an attribute, emitted as a JSON literal inside <script>, and checked for a safe scheme inside href or src.

Latte is the first PHP template system with context-sensitive escaping, and among the widely used PHP engines it remains the only one. That is what makes its automatic escaping a real defence against XSS rather than a false sense of security. It does not, of course, replace escaping in other layers: data that leaves the template for SQL, shell commands or e-mail headers still needs the escaping appropriate there.
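The following is an added example, not code from the Latte documentation or project. It renders one attacker-controlled string in four HTML contexts with Latte 3 and, for comparison, shows the attribute injection that a naive htmlspecialchars()-everywhere engine lets through. It assumes Latte is installed via Composer; the input values are constructed for the demo.

```php
<?php
// Added example (not from the Latte project). Assumes Latte 3 installed with
// "composer require latte/latte". The untrusted values below are constructed.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Latte\Engine;
use Latte\Loaders\StringLoader;

// Constructed attacker-controlled inputs:
//  $name tries to close a <script> block and smuggle a quote into a JS string literal,
//  $attr tries to add an event handler to an unquoted attribute (no < > & " needed),
//  $url  is a javascript: URL that htmlspecialchars() would pass through unchanged.
$name = "O'Neil\"</script><script>alert(1)</script>";
$attr = 'x onfocus=alert(1) autofocus';
$url  = 'javascript:alert(document.cookie)';

// Same engine, four contexts. Inside <script> the variable is written WITHOUT quotes:
// Latte emits it as a JSON string literal (quotes included, </ escaped), so it can
// never terminate the script element. The unquoted attribute value is quoted by Latte.
$template = <<<'LATTE'
<p>{$name}</p>
<input value={$attr}>
<script>const user = {$name};</script>
<a href="{$url}">profile</a>
LATTE;

$latte = new Engine;
$latte->setLoader(new StringLoader(['page.latte' => $template]));
// No setTempDirectory(): the compiled template lives in memory only, fine for a demo.

echo "--- Latte (context-sensitive) ---\n";
echo $latte->renderToString('page.latte', [
    'name' => $name,
    'attr' => $attr,
    'url'  => $url,
]);

// What an engine that only calls htmlspecialchars() in every context would produce.
// The attribute injection survives because spaces and '=' are not HTML-special, and
// the javascript: URL survives untouched. (Hypothetical naive engine, for contrast.)
function naiveRender(string $name, string $attr, string $url): string
{
    return "<p>" . htmlspecialchars($name) . "</p>\n"
         . "<input value=" . htmlspecialchars($attr) . ">\n"
         . "<script>const user = '" . htmlspecialchars($name) . "';</script>\n"
         . '<a href="' . htmlspecialchars($url) . '">profile</a>' . "\n";
}

echo "\n--- naive htmlspecialchars() everywhere ---\n";
echo naiveRender($name, $attr, $url);
```

Run it from the command line with `php page.php` and compare the two outputs: in the Latte output the input tag carries a quoted value, the script line is a valid JSON string, and the href is emptied because the scheme is not on Latte's safe list; in the naive output the onfocus handler and the javascript: URL are still live.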

And another pleasant reason: Because Latte understands HTML, it offers other very pleasant features. For example, n:attributes. Or the ability to check links. And many more.

What is escaping?

Escaping is the process of replacing characters that have a special meaning in the target language with sequences that stand for them, so that one string can be inserted into another without unwanted effects or errors. For example, when inserting a string into HTML text, in which the character < has a special meaning because it indicates the beginning of a tag, we replace it with the corresponding sequence, which is the HTML entity &lt;. This allows the browser to correctly display the < symbol.

A simple example of escaping directly when writing PHP code is inserting a quotation mark into a string by placing a backslash in front of it.

We discuss escaping in more detail in the chapter How to defend against XSS.

Can a database query be executed from a Latte template?

In templates, you can work with objects that the programmer passes to them. If the programmer wants to, they can pass a database object to the template and perform a query. If they intend to do so, there is no reason to prevent them.

A different situation arises if you want to give clients or external coders the ability to edit templates. In this case, you definitely don't want them to have access to the database. Of course, you won't pass the database object to the template, but what if it can be accessed through another object, for example via a getter on an entity you did pass in? The solution is the sandbox mode, which lets you define an allow-list of tags, filters, functions and, per class, the methods and properties that templates may use. Anything outside that list is rejected with a Latte\SecurityViolationException, either at compile time (tags, filters, functions) or at the moment the call is attempted (methods, properties), so a template author cannot reach the database through an indirect object graph.
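An added example, not from the Latte documentation or project, of exactly this situation: a Product object is passed to a sandboxed template, the template may call getName(), but the getDb() getter that would lead to the database is not on the allow-list. It assumes Latte 3 installed via Composer; the Db and Product classes are stand-ins constructed for the demo.

```php
<?php
// Added example (not from the Latte project). Assumes Latte 3 via Composer.
// Db and Product are constructed stand-ins for an entity that can reach the database.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Latte\Engine;
use Latte\Loaders\StringLoader;
use Latte\Sandbox\SecurityPolicy;
use Latte\SecurityViolationException;

final class Db
{
    // Stand-in for a real connection; returns the SQL it would have run.
    public function query(string $sql): array
    {
        return [['sql' => $sql]];
    }
}

final class Product
{
    public function __construct(private Db $db, private string $name) {}

    public function getName(): string { return $this->name; }

    // The indirect path from a harmless-looking entity to the database.
    public function getDb(): Db { return $this->db; }
}

// Two external-editor templates: one stays within the allow-list, one tries to
// reach the database through the getter chain.
$templates = [
    'ok.latte'  => '<h1>{$product->getName()|upper}</h1>',
    'bad.latte' => '<pre>{$product->getDb()->query("DROP TABLE users")[0][sql]}</pre>',
];

// Start from Latte's built-in safe policy (safe tags, filters and functions only)
// and explicitly allow the one method the template legitimately needs.
$policy = SecurityPolicy::createSafePolicy();
$policy->allowMethods(Product::class, ['getName']);

$latte = new Engine;
$latte->setLoader(new StringLoader($templates));
$latte->setPolicy($policy);
$latte->setSandboxMode();

$product = new Product(new Db, 'Widget');

foreach (array_keys($templates) as $file) {
    try {
        echo $latte->renderToString($file, ['product' => $product]), "\n";
    } catch (SecurityViolationException $e) {
        // Reached for bad.latte: Product::getDb() is not on the allow-list, so the
        // chain is stopped before Db::query() can ever be called.
        echo "$file rejected: ", $e->getMessage(), "\n";
    }
}
```

The important design choice is that the allow-list is per class and per method, not a blanket "no objects": the template keeps the convenience of `$product->getName()` while the engine, not the template author, decides how far the object graph may be traversed.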

What are the main differences between templating systems like Latte, Twig, and Blade?

The differences between templating systems like Latte, Twig, and Blade mainly lie in their syntax, security, and integration with frameworks:

  • Latte: uses PHP language syntax, making it easier to learn and use. It provides context-sensitive auto-escaping, which is what makes its XSS protection reliable.
  • Twig: uses a Python-like syntax (inherited from Jinja2/Django templates), which is quite different from PHP. Its auto-escaping applies a single strategy (HTML by default) regardless of context; other contexts need a manually chosen escape strategy. It is well integrated with the Symfony framework.
  • Blade: uses a mix of PHP and custom syntax. Its {{ }} output applies HTML entity escaping regardless of context; values for JavaScript or URLs must be handled explicitly. It is tightly integrated with Laravel features and ecosystem.

Is it worth it for companies to use a templating system?

Firstly, the costs associated with training, usage, and overall benefits vary significantly depending on the system. The Latte templating system, thanks to its use of PHP syntax, greatly simplifies learning for programmers already familiar with this language. It usually takes a few hours for a programmer to become sufficiently acquainted with Latte, reducing training costs and accelerating the adoption of technology and, most importantly, efficiency in daily use.

Additionally, Latte provides a high level of protection against XSS vulnerability thanks to its unique context-aware escaping technology. This protection is crucial for ensuring web application security and minimizing the risk of attacks that could endanger users or company data. Web application security is also important for maintaining a company's good reputation. Security issues can lead to loss of trust from customers and damage the company's reputation in the market.

Using Latte also reduces overall development and maintenance costs by making both easier. Therefore, using a templating system is definitely worth it.

Does Latte affect the performance of web applications?

Although Latte templates are processed quickly, this aspect does not really matter. The reason is that parsing files occurs only once during the first display. They are then compiled into PHP code, stored on disk, and run on every subsequent request without requiring recompilation. This requires a cache directory to be configured with setTempDirectory(); without one, the template is compiled into memory on every request.

This is how it works in a production environment. During development, Latte templates are recompiled every time their content changes, so the developer always sees the current version. This change detection (auto-refresh) is on by default and costs a file modification-time check per template; in production it can be switched off with setAutoRefresh(false), after which the compiled cache is trusted until it is cleared.

version: 3.0