This project is not covered by Drupal’s security advisory policy.


If you are considering downloading this module, there is probably a better way to solve whatever problem you are having. However, I believe in a free democracy that allows people to make their own choices.

Please learn how to use Twig properly:

This module allows you to execute PHP code from Twig templates.
There are various "permission levels" you can enable/disable:

  • php - Execute any arbitrary PHP code
  • php_include - Include a PHP file
  • php_require - Require a PHP file
  • php_function - Executes a PHP function

Access to the various PHP capabilities are controlled in the twig_php.settings config storage.
You must enable each specific filter. Nothing will work by default.

You can enable/disable functionality using Drupal Console:

> drupal config:override twig_php.settings allow_function_execution 1
> drupal config:override twig_php.settings allow_function_execution 0

Various config options:

allow_function_execution - Allows you to execute any PHP function.
allow_require_file - Allows you to 'require' a file.
allow_include_file - Allows you to 'include' a file.
allow_php_execution - Allows you to execute arbitrary PHP code.

You can enable specific functions for the php_function filter by setting the allowed_functions config option:

> drupal config:edit twig_php.settings
  - print_r
  - var_dump
  - var_export
  - user_load

This would only allow print_r, var_dump, var_export, and user_load to be executed.

Example code:

<div class="the-most-unsafe-code-ever-created">
        <li>{{ "'This code has been executed';"|php }}</li>
        <li>{{ "print 'This is working?';"|php }}</li>
        <li>{{ "'Calculate:' . 2 + 7 * 18;"|php }}</li>
        <li>{{ "\Drupal::service('date.formatter')->format(REQUEST_TIME, 'medium');"|php }}</li>
            {{ "
            class StupidIdea {
                public static function render($string){
                  print $string;
            return StupidIdea::render('gonna get all f**ked up.');
            "|php(0) }}
        <li>{{ 'robots.txt'|php_include }}</li>
            {% set u = 'user_load'|php_function(1) %}
            User 1 email: {{ u.getEmail() }}

Project information