Enough about Classes, Let's Talk Templates

View Slide

Jonathan Reinink
Software developer from Canada
Been writing PHP for about 15 years
Marketing agency for over a decade
Started contract development this year
Leadership group of The PHP League
Wrote the Plates template library
Wrote the Glide image library
I <3 open source

View Slide

Why do templates matter?

View Slide

Templates often account for
25-50% of your overall code base.

View Slide

Templates help separate your
controller and domain logic from
your presentation logic.

View Slide

View Slide

Templates are often developed
by both server-side developers,
and front-end developers.

View Slide

Templates are always
"spaghetti code".
Because contain more than one language in the same ﬁle.

View Slide

Bad template code
contributes to technical debt.

View Slide

Step 1: Choose the
right template library.

View Slide

People have very strong
opinions about templating.

View Slide

“This blog post is not for the faint-
hearted! Some people will strongly
disagree with me and some others
will probably want to kill me at the
upcoming Zend Conference.”
—Fabien Potencier

View Slide

“I'm not suggesting that native
PHP templates are better than
compiled templates (like Twig).”
—Me

View Slide

“oh... puts the pitchfork down”
—Friendly Reddit reader
“hides torch behind back…”
—Another friendly Reddit reader

View Slide

The native PHP vs compiled
templates debate.

View Slide

PHP is the oldest method
of templating in PHP.
(because PHP is a templating language)

View Slide

!
Hello, =$name?>
!

if ($stmt = $mysqli->prepare("SELECT name FROM friends")) {
$stmt->execute();
$stmt->bind_result($name);
!
while ($stmt->fetch()) {
echo ''.$name.'';
}
}
?>

View Slide

Important lesson:
If your templates contain SQL
code, you’re doing it wrong.

View Slide

While PHP has evolved into a
mature, object oriented language,
it hasn’t improved much as a
templating language.

View Slide

Compiled templates ﬁll this void
by offering a new syntax
speciﬁcally geared for templating.

View Slide

{% extends "template.html" %}
!
{% block title %}User Profile{% endblock %}
!
{% block content %}
User Profile
Hello, {{ name }}
{% endblock %}

View Slide

Since these compiled templates
must be compiled, there is a
slight performance hit.

View Slide

You can write good template
code with most modern
templating libraries.
Twig, Blade, Smarty, Moustache, Plates, Aura.View, Zend\View, etc…

View Slide

I recommend you use Twig.

View Slide

Choose a templating language
with an easy learning curve.
Easy for both server-side developers and front-end developers.

View Slide

Compiled languages offer very
simple, template oriented syntax.
{{ var }}

View Slide

No items found.

{% for item in items %}
{{ item }}
{% else %}
No items found.
{% endfor %}
Native PHP Twig

View Slide

But, native PHP templates
don’t have to be ugly.

View Slide

Always use the
short echo syntax.
=$user->name?>

View Slide

Never use blocks of PHP.
foreach ($users as $user) {
echo $user->name;
}
?>

=$user->name?>

View Slide

Only one statement per PHP tag.

=$user->name?>

=$user->name?>

View Slide

Never use curly brackets.

=$user->name?>

=$user->name?>

View Slide

Never using semicolons.
=$user->name?>

View Slide

layout('template', ['title' => 'User Profile']) ?>
!
Hello =$this->e($name)?>
!
Friends

=$this->e($friend->name)?>

!

Invitations
You have some friend invites!

View Slide

Avoid XML attribute based
templating languages.

View Slide

View Slide

Choose a templating language with
syntax highlighting and auto-
completion in your editor of choice.

View Slide

Always, always, always
escape unsafe data.

View Slide

Hello, =$name?>

View Slide

Hello, Jonathan

View Slide

Hello, Click here

View Slide

Hello, <a href="http://xssattack.com/
">Click here</a>gt;

View Slide

Hello, Click here

View Slide

Hello, =htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE)?>

View Slide

Hello, =$this->escape($name)?>
Hello, =$this->e($name)?>
Hello, =e($name)?>

View Slide

1. HTML escaping
2. HTML attribute escaping
3. CSS escaping
4. JavaScript escaping
5. URL escaping
Be aware of the different types of escaping:

View Slide

If at all possible, use
automatic escaping!

View Slide

Hello, {{ name }}

View Slide

Without automatic escaping,
you MUST manually escape
every single variable.
And you will probably forget once in a while!!!

View Slide

It should also be VERY obvious
in your templates when you
are outputting raw data.

View Slide

Hello, {!! $name !!} Hello, {{ name|raw }}
Blade Twig

View Slide

Automatic escaping is NOT
possible in native PHP.

View Slide

=$this->name?>
Attempt 1: Object overloading

View Slide

class Template
{
protected $values;
!
public function __get($name)
{
return $this->escape(
$this->values[$name]
);
}
}

View Slide

Problem: How do you escape object
params and method calls?
=$this->user->name?>

View Slide

Attempt 2: Object
overloading with proxies

View Slide

class Template
{
protected $values;
!
{
return new TemplateProxy(
$this->values[$name]
);
}
}

View Slide

class TemplateProxy
{
protected $value;
!
{
return new TemplateProxy($this->name);
}
!
public function __call($name, $args)
{
return new TemplateProxy(...);
}
!
public function __toString()
{
return $this->escape($this->value);
}
}

View Slide


View Slide

Problems: double escaping, poor
performance, horrible error
debugging, collisions with
template methods, etc, etc.

View Slide

Attempt 3: Compiled
native php templates

View Slide

=$name?>
=$this->escape($name)?>
Pre-compilation:
Post-compilation:

View Slide

View Slide

Automatic escaping is NOT
possible in native PHP.

View Slide

Watch your whitespace, this
isn’t the Wild Wild West.

View Slide

Always use tabs, or always
use spaces, NEVER MIX.

View Slide

Watch your indenting.

View Slide

{% for item in items %}
{{ item }}
{% else %}
No items found.
{% endfor %}

View Slide

Use comments that only
appear in the template,
not the rendered markup.

View Slide

{# This is a Twig comment #}

View Slide

Your templates should
be very low on logic.

View Slide

Templates are not responsible
for data lookup, persistence or
other complex tasks.

View Slide

Anything outside of
conditionals, loops and basic
formatting is a code smell.

View Slide

Watch your
control structures.
Use:
if, for, foreach
Don’t use:
switch, while, do-while

View Slide

So what exactly is basic
formatting then?
• Date formatting
• Case changes
• String concatenation
• String trimming
• Number formatting
• URL encoding

View Slide

Consider using a logic-
less templating language.

View Slide

{{# users }}
{{ name }}
{{/ users }}

View Slide

namespace App\ViewModels;
!
class UsersViewModel
{
public function users()
{
return [
['name' => 'Jonathan'],
['name' => 'Amy'],
['name' => 'Joey'],
];
}
}

View Slide

Some template logic is
okay, but only if it’s
presentation logic.

View Slide

Avoid accessing the
global namespace.

View Slide

@if (Request::is('/'))
Home
@else
Home
@endif

View Slide

@if ($url === '/')
Home
@else
Home
@endif

View Slide

Preassign template data
instead of accessing
global variables.

View Slide

$templates->addData(['url' => $url], 'header');

View Slide

view()->composer('header', function ($view) {
$view->with('url', $url);
});

View Slide

$twig->addGlobal('url', $url);

View Slide

Use the dot notation
for variable resolution.
object.parameter
Access arrays, objects and methods the same way.

View Slide

{{ user.name }} = $user['name']
{{ user.name }} = $user->name
{{ user.name }} = $user->name()

View Slide

Templates should only know
about one instance variable.

View Slide

Rule #4: Controllers can instantiate only
one object. Therefore, views can only know
about one instance variable and views
should only send messages to that object.
— Sandi Metz, rules for developers

View Slide

Keep your templates
as short as possible.
Break templates into smaller, reusables pieces.

View Slide

insert('partials/header') ?>
!
Your page content.
!
insert('partials/footer') ?>

View Slide

insert('partials/header', ['title' => 'Home']) ?>
!
Your page content.
!
insert('partials/footer') ?>

View Slide

{% include 'partials/header.html' with {'title': 'Home'} %}
!
Your page content.
!
{% include 'partials/footer.html' %}

View Slide

Don't be afraid to repeat
(very) small pieces of code.

View Slide

'selected' ?> value="=$user->id?>">
=$user->name?>

View Slide

=$user->name?>

=$user->name?>

View Slide

Use inheritance for even better
organization of templates.

View Slide

template.html
{% extends "template.html" %}
!
{% block title %}Profile{% endblock %}
{% block content %}
Profile
Hello, {{ name }}
{% endblock %}
proﬁle.html

{% block title %}
Default title
{% endblock %}

!

{% block content %}
Default content
{% endblock %}

!

View Slide

Use a templating language
that you can extend.

View Slide

$templates->registerFunction('upper', function ($string) {
return strtoupper($string);
});
Hello =$this->upper($name)

View Slide

Blade::directive('datetime', function ($expression) {
return "format('m/d/Y H:i'); ?>";
});
@datetime($blog->publish_date)

View Slide

Use a template language
that’s easy to debug.

View Slide

that offers a sandbox mode.

View Slide

that performs well.
Hint: they basically all do.

View Slide

Automatic escaping is WAY more
important than the speed
advantage of native PHP templates.

View Slide

Follow me on Twitter at @reinink
Rate this talk joind.in/15753
Thanks!

View Slide

Enough about Classes, Let's Talk Templates

Enough about Classes, Let's Talk Templates

Jonathan Reinink

More Decks by Jonathan Reinink

Other Decks in Technology

Featured

Transcript