Security considerations
When developing templates for your ShopWired store using Twig, it's essential to keep security in mind. Twig provides built-in features to help prevent common security vulnerabilities, but understanding how to use these features effectively is crucial for protecting your site and your customers.
Automatic escaping
Twig automatically escapes variables in templates to prevent Cross-Site Scripting (XSS) attacks. This means that, by default, any data output in your templates is HTML-encoded, so markup or script contained in that data is displayed as text rather than executed by the browser.
```twig
<p>{{ global.customer.first_name }}</p>
```
In this example, if `global.customer.first_name` contains any HTML or JavaScript, it will be automatically escaped: special characters like `<` and `>` are converted to HTML entities, rendering them harmless.
However, if you need to output raw HTML, you can use the `|raw` filter. Be cautious with this, as it disables automatic escaping and can introduce vulnerabilities if used with untrusted data.
```twig
<p>{{ product.description|raw }}</p>
```
Use the `|raw` filter only when you are absolutely certain the content is safe and comes from a trusted source.
Avoid using `|raw` with user input
It's critical to avoid using the `|raw` filter on any data that comes directly from user input or external sources, as this can expose your site to XSS attacks. Instead, rely on Twig's automatic escaping to ensure that user input is handled safely.
```twig
<p>{{ form_input.value }}</p> {# Safe #}
<p>{{ form_input.value|raw }}</p> {# Dangerous if form_input.value contains malicious content #}
```
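The following is an added example, not code from the ShopWired documentation or from Twig's own manual. It places one visitor-supplied search term in the four output contexts a storefront template commonly has. `search.term` is an assumed variable name; `global.customer.first_name` and `product.description` are the page's own. Twig's automatic escaping uses the `html` strategy, which is right for element content and quoted attribute values but not for inline JavaScript or URL query strings, so those two contexts use the `escape` filter's `js` strategy and the `url_encode` filter.

```twig
{# Added example, not ShopWired's code. search.term is an assumed variable. #}

{# 1. Element content: the default html strategy converts < > & " ' to entities #}
<p>Results for {{ search.term }}</p>

{# 2. Attribute value: the same default escaping is enough, but only inside quotes.
      An unquoted value={{ ... }} is not safe, because a space would end the attribute. #}
<input type="text" name="q" value="{{ search.term }}">

{# 3. Inline JavaScript: HTML entities mean nothing inside a string literal,
      so escape for the js context instead (\xHH and \uHHHH sequences) #}
<script>
  var lastSearch = "{{ search.term|e('js') }}";
</script>

{# 4. Query string: percent-encode so that & = ? inside the value cannot add or alter parameters #}
<a href="/search?q={{ search.term|url_encode }}">Search again</a>

{# Merchant-authored HTML from the admin area: raw is acceptable only because the
   merchant, not the visitor, wrote it #}
<div class="description">{{ product.description|raw }}</div>

{# Never do this: raw on anything a visitor typed #}
{# <p>{{ search.term|raw }}</p> #}
```

The `js` output contains only alphanumerics and backslash sequences, so the automatic HTML escaping that still runs on it changes nothing; the same holds for percent-encoded output. The one context where the default escaping is bypassed on purpose is the product description, and only because its author is the merchant.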
Validating user input
While Twig handles output escaping, you should also ensure that any user input is properly validated and sanitised before it reaches your templates. This is especially important for forms and any data that users can submit or manipulate.
```twig
{% if user.email is not empty and user.email matches '/^[^@\\s]+@[^@\\s]+\\.[^@\\s]+$/' %}
<p>Email: {{ user.email }}</p>
{% else %}
<p>Invalid email address.</p>
{% endif %}
```
This example checks that the email address matches the expected format before displaying it, so malformed or unexpected data is not output. A check like this in the template is a last line of defence over what gets rendered; it does not replace validating the submission on the server before it is stored.
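As an added example (not from the ShopWired documentation), here is the same idea applied to several kinds of input at once: a parameter with a known set of values is checked against a list, a numeric parameter against a digit-only pattern, and the email address against the format above, with a safe fallback whenever a check fails. `request.sort` and `request.page` are assumed names for query parameters; `user.email` is the page's variable.

```twig
{# Added example, not ShopWired's code. request.sort and request.page are assumed names. #}

{# Known set of values: a list check is stricter and easier to audit than a pattern #}
{% set allowed_sorts = ['newest', 'price_asc', 'price_desc'] %}
{% set sort = (request.sort is defined and request.sort in allowed_sorts) ? request.sort : 'newest' %}

{# Numeric parameter: accept only a short run of digits, otherwise fall back to page 1 #}
{% set page = (request.page is defined and request.page matches '/^\\d{1,4}$/') ? request.page : 1 %}

{# Free-text field: check the format, and do not echo the rejected value back #}
{% if user.email is not empty and user.email matches '/^[^@\\s]+@[^@\\s]+\\.[^@\\s]+$/' %}
  <p>Email: {{ user.email }}</p>
{% else %}
  <p>Invalid email address.</p>
{% endif %}

{# Only values that passed a check reach the output, and they are still auto-escaped #}
<p>Showing page {{ page }}, sorted by {{ sort }}.</p>
```

The list and pattern checks decide what the template renders and what it silently replaces with a default; the submitted values themselves should still be validated on the server, as the section above says.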
Using CSRF protection
Cross-Site Request Forgery (CSRF) is a type of attack in which a malicious website tricks a user's browser into submitting a request to your website that the user did not intend. To prevent CSRF attacks, ensure that all forms include a CSRF token, generated when the form is rendered and verified when the form is submitted.
ShopWired automatically includes CSRF tokens in some forms, but this is not enabled on all forms by default. To have it enabled for additional forms, contact support.
Avoid including untrusted templates
Twig allows you to include other templates using the `include` tag. However, be cautious about including templates from untrusted sources, as they may contain malicious code.
```twig
{% include 'trusted_template.twig' %}
```
Always ensure that the templates you include are from trusted sources or are properly validated before being used in your application.
Controlling access to data
Ensure that sensitive data, such as user passwords, API keys, or personal information, is never directly exposed in your Twig templates. Only pass the necessary data to your templates and avoid making sensitive information accessible in the frontend.
```twig
{% set user_password = null %} {# Do not pass or display sensitive data #}
```
By controlling the data passed to your templates, you can minimise the risk of inadvertently exposing sensitive information.
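Bringing the last two sections together, here is an added example (not ShopWired's or Twig's own code) of including a partial by a fixed name and handing it only the fields it renders, using Twig's `with ... only` form of `include`. `partials/customer_greeting.twig` is an assumed file name; `global.customer.first_name` and `global.customer.email` are the page's variables.

```twig
{# Added example, not ShopWired's code. The partial's file name is assumed. #}

{# The template name is a literal. Building it from a visitor-supplied value, for
   example 'partials/' ~ request.view ~ '.twig', would let the visitor pick which
   template runs, so the name never comes from request data. #}
{% include 'partials/customer_greeting.twig' with {
    'first_name': global.customer.first_name,
    'email': global.customer.email
} only %}

{# With 'only', the partial receives exactly these two variables instead of the whole
   parent context (product, form_input and so on), so a mistake inside the partial
   cannot print data that was never handed to it. Variables the platform registers
   as Twig environment globals remain visible in every template regardless. #}
```

The names passed in the `with` hash are chosen by the including template, which makes the partial's data surface explicit and reviewable: anything it needs has to appear in that list.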