
Why I Created a Module I Would Never Use

October 7th, 2015 by Daniel Pepin

“I am become death, the destroyer of worlds.” 
- J. Robert Oppenheimer, Creator of the Atomic Bomb

Some things are better left unmade. The Drupal 8 Twig PHP Filter module I just released is probably one of those things. If Bad Judgement had a working Drupal 8 release, I would have made it a dependency for this module.

What is Twig Anyway?

Twig is an awesome templating engine that is being included with Drupal 8 core. The Twig engine allows you to enjoy enhanced functionality (over basic HTML) without having to use PHP.

In Drupal 7, using the PHPTemplate engine, PHP code could be unsafely executed from inside template files... Yuck! The power behind Twig is its built-in safety measures to ensure you don't accidentally execute dangerous PHP code. In fact, a typical measurement for how well a Drupal site has been built is to check how much PHP code and logic was slapped into template files and Views. There's good reason why the PHP Filter module was removed from Drupal core.

So in Drupal 7, in a standard PHPTemplate file, you would see inline PHP code like:

<div><?php print $var; ?></div>

In Twig however, instead of using PHP to print variables, you have a special syntax:

<div>{{ var }}</div>

Twig PHP Filter

So what does the Twig PHP Filter module do? It throws Twig's safety precautions (and limitations) out the window. You can run code like:

<div class="unsafe-content">
  {{ 'my_php_function'|php_func(arg1) }}
  {{ '4 * 25 / 10'|php }}
  {{ 'my_script.php'|php_include }}

  {# Or my favorite... #}

  {% set u = 'user_load'|php_func(1) %}
  User 1 email: {{ u.getEmail() }}
</div>

Why should you never use this module? Well, because if you're a decent developer you shouldn't have to.

Twig allows you to create a safe environment to build HTML templates with some additional functionality, but that functionality does not include executing arbitrary PHP code.

Drupal 8's theming engine allows you to modify variables and create your own Twig functions, so in theory, there should be no reason for a module like this to exist.

But...

I can't think of every use case for which someone would need this module. I'm sure there aren't many, but maybe... just maybe... there is a valid use case.

The module isn't as unsafe as I've drummed it up to be either. In fact, you can have it configured such that only specific functions can be run. Maybe you just need access to run one function in your template.

I dunno, I'm not you, I don't know why you need it. And the individual PHP filters that can be used in the template have to be manually enabled through Drupal config, so your everyday "Joe Shmoe" site-builder won't be using it.
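The restriction to specific functions described above, as an added example in plain PHP. It is not the module's own code: `call_allowlisted` and the `$allowed` list are hypothetical names, and the example goes slightly beyond the text by normalising names the way PHP resolves them and by refusing anything that is not a plain function name.

```php
<?php
// Added example, not the Twig PHP Filter module's code. The allowlist below
// is a constructed stand-in for whatever the site's config would supply.

/**
 * Call $name only if it is an allowlisted plain function (hypothetical helper).
 */
function call_allowlisted($name, array $allowed, ...$args)
{
    // Only plain strings: arrays and closures are also PHP callables.
    if (!is_string($name)) {
        throw new InvalidArgumentException('Function name must be a string.');
    }
    // PHP resolves function names case-insensitively and ignores a leading
    // backslash, so normalise both sides before comparing.
    $normalise = function (string $f): string {
        return strtolower(ltrim($f, '\\'));
    };
    $wanted = $normalise($name);
    // Refuse "Class::method" strings, which PHP also treats as callable.
    if (strpos($wanted, '::') !== false) {
        throw new InvalidArgumentException('Static method strings are not allowed.');
    }
    if (!in_array($wanted, array_map($normalise, $allowed), true)) {
        throw new RuntimeException("Function '$name' is not on the allowlist.");
    }
    if (!function_exists($wanted)) {
        throw new RuntimeException("Function '$name' does not exist.");
    }
    return $wanted(...$args);
}

$allowed = ['strtoupper', 'number_format']; // constructed sample config

echo call_allowlisted('StrToUpper', $allowed, 'ok'), "\n";      // on the list
echo call_allowlisted('number_format', $allowed, 1234.5, 1), "\n";

foreach (['file_get_contents', 'DateTime::createFromFormat', '\\phpinfo'] as $blocked) {
    try {
        call_allowlisted($blocked, $allowed, 'x');
    } catch (Exception $e) {
        echo 'blocked: ', $e->getMessage(), "\n";
    }
}
```

An allowlist like this only narrows which functions a template can reach; the arguments still come from the template, so each permitted function has to be safe to call with arbitrary input.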

Why Even Make It?

There was no real world reason it needed to be built. It's not installed on any of our sites, it was just fun to build! It was a good learning experience seeing how you can make a custom module in D8, and how you could create your own Twig extensions. I also got to use some features of the powerful Drupal Console, which was also nice.

Also, as an American, I believe in certain freedoms and liberties, and that site maintainers should be able to architect their sites in whatever ridiculous ways they want. That is our choice.

Personally, I choose to build things the "right way", which is why I would never, ever use this module.

 

Recommendations

Execute PHP code in your Twig templates.
We don't really recommend using this module.