Security for template files in ProcessWire

While ProcessWire handles a lot of the common security considerations before your template files are even loaded, you should also follow security best practices within your template files as you would in any other PHP framework.

Your ProcessWire installation is only as secure as your template files. ProcessWire template files are PHP files, and anything that is possible in PHP is also possible in your template files.

If your template files deal with any kind of user input, they must sanitize and validate any user input. Never send any kind of user input directly to ProcessWire's API methods (other than those provided by $sanitizer) without first sanitizing it, and validating it where appropriate.

For example, here is something you don't want to do. This code block is sending the GET variable $text directly to a $pages->find() call, without sanitizing the value or even confirming that it was present:

// do not do this
$text = $input->get('text');
$items = $pages->find("body%=$text"); 

Here is the same example as above, but with sanitization (for use in a selector string) and confirmation that the value is present before attempting to use it:

$text = $sanitizer->selectorValue($input->get('text'));
if($text) {
  $items = $pages->find("body%=$text");
}

This is only a single ProcessWire-specific example, but the scope of PHP best practices for handling user input is outside the scope of this document. When in doubt, ask in our forums. If dealing with user input, get familiar with ProcessWire's built-in $sanitizer as well as general PHP data filtering and sanitization and other PHP security best practices, as your project scope and needs dictate.

Twitter updates

  • ProcessWire 3.0.153 (dev) focuses on comments field updates, significant refactoring/improvements to ProcessWire’s core Template class and PagesLoader class (which is used by the pages API variable), and we introduce a useful new pages API method— More
    20 March 2020
  • ProcessWire 3.0.152 core updates— This week we have some major improvements to our core date/time Inputfield, as well as a new ability to specify your own custom classes for Page objects— More
    6 March 2020
  • This week we’ve got a couple of really useful API-side improvements to the core in 3.0.151, including predefined image settings and static language translation improvements— More
    21 February 2020

Latest news

  • ProcessWire Weekly #307
    In the 307th issue of ProcessWire Weekly we're going to check out the latest dev branch updates, introduce some new third party modules, and more. Read on!
    Weekly.pw / 28 March 2020
  • ProcessWire 3.0.153 core updates
    This latest version of the core on the dev branch focuses on comments field updates, significant refactoring/improvements to ProcessWire’s core Template class and PagesLoader class (which is used by the $pages API variable), and we introduce a useful new $pages API method.
    Blog / 20 March 2020
  • Subscribe to weekly ProcessWire news

“We chose ProcessWire because of its excellent architecture, modular extensibility and the internal API. The CMS offers the necessary flexibility and performance for such a complex website like superbude.de. ProcessWire offers options that are only available for larger systems, such as Drupal, and allows a much slimmer development process.” —xport communication GmbH