Change record status: 
Introduced in branch: 

The theme engine PHPTemplate has been removed from Drupal, because the lack of support for autoescaping made it fundamentally insecure. Drupal will continue to support alternative theme engines, but only Twig will be included with core.

If you use an alternative theme engine, you will need to provide some means of escaping unsafe output or security vulnerabilities will result. This is handled in Drupal core by Twig's autoescape.

Let the Nyan Cat guide you on your way to Twig happiness.

Nyan Cat

Related change records

See Twig autoescape enabled and text sanitization APIs updated for a full list of related change records.

nyancat.gif28.3 KB
Site builders, administrators, editors
Module developers
Updates Done (doc team, etc.)
Online documentation: 
Not done
Theming guide: 
Not done
Module developer documentation: 
Not done
Examples project: 
Not done
Coder Review: 
Not done
Coder Upgrade: 
Not done
Other updates done