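<?php
require_once 'SithTemplate.php';

$environ = new TemplateEnviron();

// All security settings are set through the environment's settings array.
// Some of them are enforced at runtime and some at compile time;
// see the TemplateEnviron::$settings documentation for reference.

// The most common one is variable autoescaping, which applies the "escape"
// filter to every stand-alone variable (i.e. {{ vars }}) unless it is marked
// with the "safe" pseudofilter. Autoescaping is turned on with the
// "autoEscape" boolean setting.
$environ->settings['autoEscape'] = true;
$environ->render('string://{{ var }}', ['var' => '<b>']);      // will return the escaped form, e.g. "&lt;b&gt;"
$environ->render('string://{{ var|safe }}', ['var' => '<b>']); // will return "<b>" unchanged
// "safe" switches escaping off for that one variable, so it belongs only on
// values that are already trusted or already escaped for the output context.

// Next, there are I/O restriction settings. They let you enforce a specific
// I/O driver, e.g. when you load a template through your own db:// driver and
// do not want the loaded template to use any other I/O driver such as
// file:// or string://.
// Note that this is a bit primitive and may be replaced sometime in the future.
// I/O restrictions are turned on with the "restrictIncludeIO" and
// "restrictExtendIO" boolean settings. They are independent: this example only
// restricts {% include %}; set "restrictExtendIO" as well to cover {% extends %}.
$environ->settings['restrictIncludeIO'] = true;
$environ->render('string://{% include "string://test" %}', []);      // will return "test"
$environ->render('string://{% include "file://test.html" %}', []);   // will raise TemplateError

// Next, there are {{ internal }} access restrictions (again, a bit primitive
// and boolean only). Since {{ internal }} lets a template read global
// constants and superglobal arrays (like $_SERVER or $_ENV), it is a security
// risk in a sandboxed environment (e.g. when templates are loaded from the DB
// and users can edit them).
// {{ internal }} access is disabled by turning off the "allowInternalRequest"
// boolean setting.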
<?php
require_once 'SithTemplate.php';

$environ = new TemplateEnviron();

// Always handle errors. When compilation fails, the exception message may
// contain the template file and the approximate line of the mistake.
// Errors are grouped: every group has its own error code, defined as class
// constants on TemplateError.
$source = 'string://{% bkock foo %}Typos are evil.{% endblock %}';

try {
    $environ->render($source, []);
} catch (TemplateError $e) {
    // The message can reveal template paths and line numbers; outside of a
    // demo, log it rather than echoing it to the client.
    echo $e->getMessage(); // Unknown tag ...
    echo $e->getCode();    // TemplateError::E_UNKNOWN_TAG
}