Qiq Templates for PHP 8

Qiq is easy. Qiq is clean. Qiq is PHP.

Installation

After you install Qiq via Composer ...

composer require qiq/qiq ^3.0

... you can get started here.

The GitHub repository is at qiqphp/qiq.

Why Use Qiq?

Qiq is for developers who prefer native PHP templates, but with less verbosity. It offers:

Qiq is not for systems where the templates must be "secured" in some way against designers or content creators. For that, use something like Handlebars, Mustache, or Twig.

What Are Qiq Templates?

Qiq is plain old PHP, with a light dusting of syntax sugar when you want it.

For example, escaping in plain old PHP looks like this:

<?php echo htmlspecialchars(
    $var,
    ENT_QUOTES|ENT_DISALLOWED,
    'utf-8'
) ?>

This is the same thing, using a Qiq helper for HTML escaping:

<?= $this->h($var) ?>

Finally, this is the same thing with the Qiq syntax sugar:

{{h $var }}

You can always mix plain PHP and Qiq in the same template. For example:

<?php $var = random_int(1, 99) ?>
{{h $var }}

Indeed, any unrecognized Qiq code is treated as PHP. For example, the following Qiq code ...

{{ $title = "Prefix: " . $title . " (Suffix)" }}
<title>{{h $title}}</title>

... is equivalent to this PHP code with Qiq helpers:

<?php $title = "Prefix: " . $title . " (Suffix)" ?>
<title><?= $this->h($title) ?></title>

This makes it easy to use Qiq with existing PHP templates, and allows for a smooth transition from PHP syntax to Qiq syntax as desired.

What Are Qiq Helpers?

Qiq helpers are just methods on a Helper object. For example, to add a <select> HTML form element, you can use a helper to generate it for you in Qiq ...

{{= select (
    id: 'country-select',
    name: 'Country',
    value: 'usa',
    placeholder: 'Please pick a country',
    default: 'usa',
    options: [
        'usa' => 'United States',
        'can' => 'Canada',
        'mex' => 'Mexico',
    ],
) }}

... or in plain PHP:

<?= $this->select (
    id: 'country-select',
    name: 'Country',
    value: 'usa',
    placeholder: 'Please pick a country',
    default: 'usa',
    options: [
        'usa' => 'United States',
        'can' => 'Canada',
        'mex' => 'Mexico',
    ],
) ?>

Read more about the general HTML helpers, the form helpers, or learn how to create your own custom helpers.

Why Explicit Escaping?

Qiq does not offer automatic escaping. By design, the {{ ... }} tags do not generate output. All output must be explicitly escaped for a specific context, noted by the first character after the opening tag:

  • {{h ... }} escapes for HTML content
  • {{a ... }} escapes for HTML attributes
  • {{u ... }} escapes for URLs
  • {{c ... }} escapes for CSS
  • {{j ... }} escapes for JavaScript
  • {{= ... }} is raw, unescaped output

This is an intentional design choice for Qiq. Auto-escaping makes it easy to forget what context you should be escaping for. Explicitly marking the context means you always have to think about what you are doing; when it comes to security, that's a good thing.
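
Why the context matters, as an added example in plain PHP (this is not Qiq's own code): it puts one value into HTML, URL and JavaScript contexts, once with the HTML escaper only and once with an escaper suited to the context. The functions escHtml, escUrl and escJs, the /search URL and the sample value are assumptions made for illustration, not Qiq's escaper implementations.

```php
<?php
declare(strict_types=1);

// Plain-PHP stand-ins for three output contexts (assumptions for this
// example; they are not Qiq's escaper implementations).
function escHtml(string $s): string
{
    // Same call as the plain-PHP escaping example on this page.
    return htmlspecialchars($s, ENT_QUOTES | ENT_DISALLOWED, 'utf-8');
}

function escUrl(string $s): string
{
    // Percent-encode so the value stays a single query-string component.
    return rawurlencode($s);
}

function escJs(string $s): string
{
    // Emit a JS string literal; <, >, &, ' and " become \uXXXX escapes, so
    // the value cannot end the string or the enclosing <script> element.
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed sample value: characters that are harmless in one context
// change the structure of another.
$name = "Tom & Jerry's \"show\" </script>\nline two";

$rows = [
    'HTML content, HTML escaper' => '<p>' . escHtml($name) . '</p>',
    // The browser decodes &amp; back to & before parsing the URL, so the
    // value splits into two query parameters.
    'URL, HTML escaper only'     => '<a href="/search?q=' . escHtml($name) . '">',
    'URL, URL escaper'           => '<a href="/search?q=' . escUrl($name) . '">',
    // Entities are not decoded inside <script>, and the raw newline ends
    // the single-quoted literal: a syntax error and corrupted data.
    'JS, HTML escaper only'      => "<script>var n = '" . escHtml($name) . "';</script>",
    'JS, JS escaper'             => '<script>var n = ' . escJs($name) . ';</script>',
];

foreach ($rows as $label => $markup) {
    echo $label, ":\n  ", $markup, "\n\n";
}
```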


Want to know more? Get started here!