UNI Webtools: Resources for Web Developers

Jonathan Brown: Generating safe markup in Drupal 8

Posted on Friday, September 19th, 2014 by Anonymous

The most insecure part of a Drupal website is typically the theme. Drupal 8 is using Twig as its template layer. This is a massive leap forward. It's no longer possible to put SQL queries in a template file!

Furthermore, Drupal 8 is now taking advantage of a security feature of Twig: autoescape. Every variable printed in a Twig template is HTML-escaped unless it has been explicitly marked as safe. This makes it much harder to introduce XSS vulnerabilities.
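As an added example (not code from the original post), the script below renders the same untrusted string three ways with Twig 1.x, the Twig line bundled with Drupal 8. It assumes Twig is installed via Composer and uses plain Twig rather than Drupal's theme layer, so the Drupal-specific safe-markup wrapper is not shown.

```php
<?php
// Added example, not from the original post. Requires Twig 1.x via Composer.
require __DIR__ . '/vendor/autoload.php';

// Constructed attacker-style input, as it might arrive from a comment form.
$untrusted = '<script>alert(1)</script>';

$loader = new Twig_Loader_Array([
    // 1. Default behaviour: autoescape turns the markup into inert text.
    'escaped' => '<p>{{ body }}</p>',
    // 2. The |raw filter opts out of escaping. This is the pattern to flag in a template review.
    'raw'     => '<p>{{ body|raw }}</p>',
    // 3. Same template as (1), but the value passed in is "marked safe" (a Twig_Markup object).
    'marked'  => '<p>{{ body }}</p>',
]);
$twig = new Twig_Environment($loader, ['autoescape' => 'html']);

$escaped = $twig->render('escaped', ['body' => $untrusted]);
$raw     = $twig->render('raw',     ['body' => $untrusted]);
$marked  = $twig->render('marked',  ['body' => new Twig_Markup($untrusted, 'UTF-8')]);

// Only the autoescaped rendering strips the script element; both opt-outs let it through.
assert(strpos($escaped, '<script>') === false);
assert(strpos($raw, '<script>') !== false);
assert(strpos($marked, '<script>') !== false);

echo $escaped, PHP_EOL;
```

Marking a value safe carries the same responsibility as `|raw`: only output that has already been filtered (for example by the text format system) should ever be marked safe, never raw user input.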
