This project is not covered by Drupal’s security advisory policy.
WARNING: DO NOT USE THIS MODULE
If you are considering downloading this module, there is probably a better way to solve whatever problem you are having. However, I believe in a free democracy that allows people to make their own choices.
Please learn how to use Twig properly:
- Twig in Drupal 8
- Twig Best Practices
- An Introduction to Twig in Drupal 8 Themes
- Filters - Modifying Variables In Twig Templates
- Extending Twig
This module allows you to execute PHP code from Twig templates.
There are various "permission levels" you can enable/disable:
- php: Execute any arbitrary PHP code
- php_include: Include a PHP file
- php_require: Require a PHP file
- php_function: Executes a PHP function
Access to the various PHP capabilities is controlled in the twig_php.settings config storage.
You must enable each specific filter. Nothing will work by default.
You can enable/disable functionality using Drupal Console:
> drupal config:override twig_php.settings allow_function_execution 1
> drupal config:override twig_php.settings allow_function_execution 0
Various config options:
allow_function_execution - Allows you to execute any PHP function.
allow_require_file - Allows you to 'require' a file.
allow_include_file - Allows you to 'include' a file.
allow_php_execution - Allows you to execute arbitrary PHP code.
You can enable specific functions for the php_function filter by setting the allowed_functions config option:
> drupal config:edit twig_php.settings
allowed_functions:
  - print_r
  - var_dump
  - var_export
  - user_load
This would only allow print_r, var_dump, var_export, and user_load to be executed.
Example code:
<div class="the-most-unsafe-code-ever-created">
  <ul>
    <li>{{ "'This code has been executed';"|php }}</li>
    <li>{{ "print 'This is working?';"|php }}</li>
    <li>{{ "'Calculate:' . 2 + 7 * 18;"|php }}</li>
    <li>{{ "\Drupal::service('date.formatter')->format(REQUEST_TIME, 'medium');"|php }}</li>
    <li>
      {{ "
        class StupidIdea {
          public static function render($string){
            print $string;
          }
        }
        return StupidIdea::render('gonna get all f**ked up.');
      "|php(0) }}
    </li>
    <li>{{ 'robots.txt'|php_include }}</li>
    <li>
      {% set u = 'user_load'|php_function(1) %}
      User 1 email: {{ u.getEmail() }}
    </li>
  </ul>
</div>
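To find where a theme already relies on these filters, the following added example (not part of the module or of the original page) scans template text for the four filter names and reports whether the matching twig_php.settings flag is on and whether a php_function target appears in allowed_functions. The function name audit_template, the settings passed as a plain dict, and the pairing of each filter with a flag by name are assumptions.

```python
import re

# Filter names and settings keys are the ones listed on this page; pairing
# each filter with a flag by name is an assumption.
FLAG_FOR_FILTER = {
    "php": "allow_php_execution",
    "php_include": "allow_include_file",
    "php_require": "allow_require_file",
    "php_function": "allow_function_execution",
}
# Optional quoted literal right before the pipe, then a twig_php filter name.
# \b stops "php" from matching the prefix of "php_include".
USE = re.compile(
    r"""(?:(['"])(?P<arg>[\w\\.:/-]+)\1\s*)?\|\s*"""
    r"(?P<filter>php_function|php_include|php_require|php)\b"
)

def audit_template(text, settings):
    """Heuristic scan (not a Twig parser): one finding per filter use."""
    allowed = set(settings.get("allowed_functions") or [])
    findings = []
    for m in USE.finditer(text):
        name = m.group("filter")
        finding = {
            "line": text.count("\n", 0, m.start("filter")) + 1,
            "filter": name,
            "flag": FLAG_FOR_FILTER[name],
            "enabled": bool(settings.get(FLAG_FOR_FILTER[name])),
            "arg": m.group("arg"),
        }
        if name == "php_function":
            finding["listed"] = m.group("arg") in allowed
        findings.append(finding)
    return findings

# Constructed sample template and settings, for illustration only.
SAMPLE_TEMPLATE = """<ul>
<li>{{ "print 'hi';"|php }}</li>
<li>{{ 'robots.txt'|php_include }}</li>
<li>{% set u = 'user_load'|php_function(1) %}</li>
<li>{% set s = 'strtoupper'|php_function('x') %}</li>
</ul>"""
SAMPLE_SETTINGS = {
    "allow_function_execution": 1,
    "allowed_functions": ["print_r", "var_dump", "var_export", "user_load"],
}

if __name__ == "__main__":
    for f in audit_template(SAMPLE_TEMPLATE, SAMPLE_SETTINGS):
        print(f)
```

Because this is a text scan, a "|php" in plain markup or inside a string literal is also reported, so review each finding against the template.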
Project information
- Seeking new maintainer: The current maintainers are looking for new people to take ownership.
- Maintenance fixes only: Considered feature-complete by its maintainers.
- Module categories: Developer Tools
- 5 sites report using this module
- Created by donutdan4114 on , updated
- This project is not covered by the security advisory policy.
Use at your own risk! It may have publicly disclosed vulnerabilities.