After you install Qiq via Composer ...
composer require qiq/qiq ^3.0
... you can get started here.
The GitHub repository is at qiqphp/qiq.
Qiq is for developers who prefer native PHP templates, but with less verbosity. It offers:
<?php ?> and {{ qiq }} syntax
Qiq is not for systems where the templates must be "secured" in some way against designers or content creators. For that, use something like Handlebars, Mustache, or Twig.
Qiq is plain old PHP, with a light dusting of syntax sugar when you want it.
For example, escaping in plain old PHP looks like this:
<?php echo htmlspecialchars(
    $var,
    ENT_QUOTES|ENT_DISALLOWED,
    'utf-8'
) ?>
This is the same thing, using a Qiq helper for HTML escaping:
<?= $this->h($var) ?>
Finally, this is the same thing with the Qiq syntax sugar:
{{h $var }}
You can always mix plain PHP and Qiq in the same template. For example:
<?php $var = random_int(1, 99) ?>
{{h $var }}
Indeed, any unrecognized Qiq code is treated as PHP. For example, the following Qiq code ...
{{ $title = "Prefix: " . $title . " (Suffix)" }}
<title>{{h $title}}</title>
... is equivalent to this PHP code with Qiq helpers:
<?php $title = "Prefix: " . $title . " (Suffix)" ?>
<title><?= $this->h($title) ?></title>
This makes it easy to use Qiq with existing PHP templates, and allows for a smooth transition from PHP syntax to Qiq syntax as desired.
Qiq helpers are just methods on a Helper object. For example, to add a <select> HTML form element, you can use a helper to generate it for you in Qiq ...
{{= select (
    id: 'country-select',
    name: 'Country',
    value: 'usa',
    placeholder: 'Please pick a country',
    default: 'usa',
    options: [
        'usa' => 'United States',
        'can' => 'Canada',
        'mex' => 'Mexico',
    ],
) }}
... or in plain PHP:
<?= $this->select (
    id: 'country-select',
    name: 'Country',
    value: 'usa',
    placeholder: 'Please pick a country',
    default: 'usa',
    options: [
        'usa' => 'United States',
        'can' => 'Canada',
        'mex' => 'Mexico',
    ],
) ?>
Read more about the general HTML helpers, the form helpers, or learn how to create your own custom helpers.
Qiq does not offer automatic escaping. By design, the {{ ... }} tags do not generate output. All output must be explicitly escaped for a specific context, noted by the first character after the opening tag:
{{h ... }} escapes for HTML content
{{a ... }} escapes for HTML attributes
{{u ... }} escapes for URLs
{{c ... }} escapes for CSS
{{j ... }} escapes for JavaScript
{{= ... }} is raw, unescaped output
This is an intentional design choice for Qiq. Auto-escaping makes it easy to forget what context you should be escaping for. Explicitly marking the context means you always have to think about what you are doing; when it comes to security, that's a good thing.
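To see why the context has to be chosen per output, the following added example (not part of Qiq or its documentation) escapes one value three ways and checks which escaper lets it arrive intact in each context. The escapers are plain-PHP stand-ins rather than Qiq's implementations, the consumers are simplified models of an HTML parser, a URL parser and a JavaScript string literal, and the names roundTrips, $escapers, $consumers and the example.test URL are hypothetical. It requires PHP 8.

```php
<?php
declare(strict_types=1);

// Plain-PHP stand-ins for three of the contexts above (NOT Qiq's own escapers).
$escapers = [
    // h: the htmlspecialchars() call shown earlier on this page.
    'h' => fn (string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_DISALLOWED, 'utf-8'),
    // u: percent-encode one URL component.
    'u' => fn (string $s): string => rawurlencode($s),
    // j: body of a JS string literal, with HTML-significant characters as \uXXXX.
    'j' => fn (string $s): string => substr(json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    ), 1, -1),
];

// Simplified consumers: each parses the escaped text the way its context would
// and returns the value the consumer ends up with (null = structure broken).
$consumers = [
    // HTML content: a raw "<" would open a tag; otherwise entities are decoded.
    'h' => fn (string $e): ?string => str_contains($e, '<') ? null : html_entity_decode($e, ENT_QUOTES, 'utf-8'),
    'u' => function (string $e): ?string {
        $query = parse_url("https://example.test/find?q={$e}&page=2", PHP_URL_QUERY);
        parse_str((string) $query, $params);
        // The trailing page=2 must survive, or the value leaked into the URL structure.
        return ($params['page'] ?? null) === '2' ? ($params['q'] ?? null) : null;
    },
    // JS string literal, approximated by JSON string parsing.
    'j' => fn (string $e): ?string => json_decode('"' . $e . '"'),
];

/** @return array<string, array<string, bool>> [context][escaper] => value arrived intact */
function roundTrips(string $value, array $escapers, array $consumers): array
{
    $result = [];
    foreach ($consumers as $context => $consume) {
        foreach ($escapers as $name => $escape) {
            $result[$context][$name] = $consume($escape($value)) === $value;
        }
    }
    return $result;
}

// Constructed sample: harmless text containing characters special to each context.
$value = 'Tom & Jerry\'s "plan" </b> 50% off\now #1';
foreach (roundTrips($value, $escapers, $consumers) as $context => $row) {
    foreach ($row as $name => $intact) {
        printf('{{%s ... }} output in %s context: %s' . PHP_EOL, $name, $context, $intact ? 'intact' : 'corrupted');
    }
}
```

Only the pairs where the escaper matches the context deliver the original value; HTML-escaped text placed in the URL, for example, loses the page parameter because the "#" inside "&#039;" starts a fragment.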
Want to know more? Get started here!