Score:-1

Insert PHP snippets in content


Drupal 9 doesn't have the PHP Filter module in core. I need to insert PHP snippets in the content editor (for example a Twig variable).

Is there any way to insert PHP snippets in Drupal content?

No you can't, this would be a *HUGE* security problem. Use [Token filter](https://www.drupal.org/project/token_filter) instead, this module allows stuff like `<p>This is content with [node:field_foo] as variable</p>`
Kevin avatar
Do this with tokens. This is exceptionally bad practice.
Score:1

The PHP Filter module has been removed from Drupal core because improperly using it would cause security issues. The security issues were mitigated by the fact that only users with the *use PHP for settings* permission could use the input filter, but that doesn't sanitize the code entered by editors. If then the permission were unconditionally given to every editor, it's like that permission didn't exist.

The Drupal core module is now available as PHP module, but I would not use it.

I would rather do what Hudri suggested, and use the Token Filter module. With that module, and adding its input filter to the input format used for nodes, a user could enter a token which would be replaced with its value. Instead of PHP snippets, I would implement custom tokens that are replaced by the value returned from the PHP code executed in `hook_tokens()`, one of the hooks necessary for modules that want to implement custom tokens.

```php
use Drupal\Core\Render\BubbleableMetadata;

/**
 * Implements hook_token_info().
 */
function mymodule_token_info() {
  // Describes the "custom" token type shown in the token browser.
  $type = [
    'name' => t('Custom tokens'),
    'description' => t('Custom tokens to use in the node body field.'),
  ];

  // Custom global tokens.
  $custom['custom01'] = [
    'name' => t("Custom 01"),
  ];
  $custom['custom02'] = [
    'name' => t("Custom 02"),
  ];

  return [
    'types' => [
      'custom' => $type,
    ],
    'tokens' => [
      'custom' => $custom,
    ],
  ];
}

/**
 * Implements hook_tokens().
 */
function mymodule_tokens($type, $tokens, array $data, array $options, BubbleableMetadata $bubbleable_metadata) {
  $replacements = [];
  if ($type == 'custom') {
    foreach ($tokens as $name => $original) {
      if ($name == 'custom01') {
        // Set the value of the custom01 token (empty placeholder here).
        $replacements[$original] = '';
      }
      elseif ($name == 'custom02') {
        // Set the value of the custom02 token (empty placeholder here).
        $replacements[$original] = '';
      }
    }
  }
  return $replacements;
}
```

`hook_tokens()` could also return HTML markup used for the node body field. `$bubbleable_metadata` can be used to add cache dependencies.

This method is safer, as it doesn't allow users to enter arbitrary PHP code which, potentially, could also change the password for any user account, delete all the site content, or send users' information to external sites.
Even if only trusted users were allowed to use the PHP input filter, there is always a chance the entered code causes issues.

Alfred Armstrong avatar
Yes, even if you really, really trust the users that have permission to insert PHP, your site can be completely broken by a syntax error.
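
The safety argument made in the answer above, as an added stand-alone PHP example (not code from the original posts, Drupal core or the Token Filter module): editor text is only searched for `[custom:NAME]` tokens, and every value comes from an allowlist of server-side callbacks. The function names, the provider map and the sample body are assumptions made for illustration.

```php
<?php
// Added illustration: a stand-alone model of allowlisted token replacement.
// All names are hypothetical; this is not how Drupal implements tokens.

/** Allowlist: token name => server-side callback that produces its value. */
function custom_token_providers(): array {
  return [
    'custom01' => fn(): string => 'Example Site',         // constructed value
    'custom02' => fn(): string => '<b>5 & counting</b>',  // constructed value
  ];
}

/**
 * Replaces [custom:NAME] tokens in editor-supplied text.
 *
 * The text is treated purely as data: it is pattern-matched, never executed.
 * Tokens that are not on the allowlist are left exactly as typed.
 */
function replace_custom_tokens(string $text): string {
  $providers = custom_token_providers();
  $result = preg_replace_callback(
    '/\[custom:([a-z0-9_]+)\]/',
    function (array $match) use ($providers): string {
      $name = $match[1];
      if (!isset($providers[$name])) {
        return $match[0];
      }
      // Values are escaped here; a provider that deliberately returns
      // markup would have to skip this step and vouch for its own output.
      return htmlspecialchars($providers[$name](), ENT_QUOTES, 'UTF-8');
    },
    $text
  );
  // preg_replace_callback() returns null on a regex engine error.
  return $result ?? $text;
}

// Constructed editor input: two known tokens, one unknown token, and a PHP
// open tag that an editor might paste in expecting it to be evaluated.
$body = '<p>Welcome to [custom:custom01]. [custom:custom02] '
  . '[custom:unknown] <?php echo 1;</p>';

echo replace_custom_tokens($body), PHP_EOL;
```

The pasted PHP open tag and the unknown token come out unchanged as plain text, which is the difference from an input filter that evaluates whatever the editor typed.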