146: Drupal 8's new theming layer – Joël Pittet and Scott Reeves

Fixed! The version originally posted on August 5, 2014, got cut short by technical difficulties in production. Here are the complete audio and video versions of that conversation for you!

Drupal 8 theming layer co-maintainers Joël Pittet and Scott Reeves sat down with me at NYC Camp 2014 at United Nations Headquarters in New York City to talk about how Twig and the new theming layer in Drupal 8 empower front- and back-end developers, convergence and contribution in PHP, and more.

Twig: empowering developers

Scott explains, "A lot of the work I do in my day job is bridging the gap between the back end and the front end. Twig really helps us there because it brings more power to both. Front end people who don't want to learn PHP can look at something that looks a lot more like HTML, more like what they know. It's one less thing they need to learn; front end developers already have to know a lot: HTML, CSS, JavaScript, and what all the different browsers do with these things. So it gives a lot more power to front end developers."

"It also gives some really cool power and toys to back end developers because Twig is very extensible. We've been very careful integrating Twig into Drupal to not do anything that would mess up people who already know Twig. We're adding a few Drupal-specific things to Twig, but that's about it. We're trying not to change the experience too much."

"A lot of people are skeptical when they come in and say, 'What if I need to do this in the template?' You still can. Twig gives us a nice separation of concerns: Your template should only have [arguably] display logic. Logic is fine to have in a template, but it should be display logic. Back end developers might say, 'Well, now I don't have access to all of my PHP functionality.' But there are still a number of tools. In Drupal, you still have the whole pre-process layer. If you need to prepare some variable or output to a template, you can still do that 100% in PHP. And there are a lot of cases where you might want to provide functionality to your front end developers and give them tools they can use day-to-day."

Front end security with Twig

"With Twig, no PHP scripts can be run in there," Joël elaborates on the fundamental security features built into Twig, "no database calls, you can't run scripts against the file system. Your templates are safer now because of that." The team has added another layer of security, mitigating XSS security holes by activating auto-escaping by default. "You could actually provide a template to your site-builder," or external themer, "and allow them to edit the template." Since the templates prohibit many insecure practices by default, multi-tenant hosting environments and Drupal shops contracting out theme work can be a little bit more relaxed about who can touch the theme layer of their projects.

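As an added illustration of the auto-escaping described above (not code from Drupal core or from the interview), the PHP script below renders one untrusted value through three templates and flags the templates that switch escaping off, which is the part worth reviewing when an external themer delivers template changes. It assumes standalone Twig 2.x or 3.x installed through Composer; the template names, the sample value and the `escapeOptOuts()` helper are constructed for the example.

```php
<?php
// Added example, not Drupal core code. Assumes standalone Twig 2.x or 3.x
// installed through Composer (twig/twig). Template names are hypothetical.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// Constructed templates, as an external themer might deliver them.
$templates = [
    'comment.html.twig'     => '<p class="comment">{{ body }}</p>',
    'comment-raw.html.twig' => '<p class="comment">{{ body|raw }}</p>',
    'block.html.twig'       => '{% autoescape false %}{{ body }}{% endautoescape %}',
];

// Constructed untrusted value, e.g. a comment body submitted by a visitor.
$untrusted = '<img src=x onerror=alert(1)>';

// 'html' is Twig's escaping strategy name; this mirrors auto-escaping by default.
$twig = new Environment(new ArrayLoader($templates), ['autoescape' => 'html']);

// Return the constructs in a template source that switch escaping off.
function escapeOptOuts(string $source): array
{
    $found = [];
    if (preg_match('/\|\s*raw\b/', $source)) {
        $found[] = 'raw filter';
    }
    if (preg_match('/\{%-?\s*autoescape\s+false\b/', $source)) {
        $found[] = 'autoescape false block';
    }
    return $found;
}

// Print, per template: its name, the review verdict, and the rendered output.
foreach ($templates as $name => $source) {
    $optOuts = escapeOptOuts($source);
    printf(
        "%-22s %-40s %s\n",
        $name,
        $optOuts ? 'REVIEW: ' . implode(', ', $optOuts) : 'escaped by default',
        $twig->render($name, ['body' => $untrusted])
    );
}
```

Only the first template benefits from the default; the other two emit the value unescaped, so a source scan like this belongs in the review of any externally edited theme.
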
Drupalist Dossier: Scott Reeves – Drupal 8 theme system co-maintainer. Dreditor co-maintainer.

Drupalist Dossier: Joël Pittet – Drupal 8 theme system maintainer