We’re in the middle of making a new e-commerce related PHP application and we have come to the point where we have started to think about how we should solve templating for our customers needs.
What we would like to do is offer our customers the possibility of uploading/modifying templates to suit their company's profile. The initial thought is that we shall not reinvent the wheel, so instead we would let our customers upload their templates with FTP, so basic HTML skills will be required. For those customers that want to modify/customize a template and don't have the knowledge, we offer that service as well.
I know that there's a number of issues to solve before this could be considered safe, like preventing XSS and writing scripts that check through each uploaded file for potential security threats and so on. Of course, there are some parts that will probably be too complex for the customer to modify by themselves, so maybe this approach won't apply to >>all<< template files in the frontend application.
But besides that, what would be a good way to handle this?
You may find it helpful to take a look at the TinyButStrong templating engine. TBS differs from most other templating engines in that it doesn’t try to implement an additional scripting language inside the template, but uses a system of place-holders plus attributes which are cleanly separated from the HTML code between square brackets, such as
This makes the system extremely straightforward to use with WYSIWYG tools such as Dreamweaver, as it's very easy for the designer to see where the PHP-dependent code is in the template – basically 'don't touch anything inside the square brackets'.
Although not quite in the same situation as yourself, I've worked on several projects where I've completed pages to be fully functional with a basic layout, then handed the HTML templates (+css) over to the designer who has subsequently modified them for the final site. Because of the clear separation of code and place-holder variables that TBS offers, there's little to go astray with the approach. The lack of any template scripting language also means your security concerns are much more controlled.
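To make the security point of the answer concrete, here is a minimal placeholder-only renderer added as an illustration; it is not TinyButStrong's own code or API, and the `[name]` syntax, `render_template`, the allow-list and the sample data are assumptions modelled on the description above.

```php
<?php
// Added example, not TinyButStrong code: a renderer for customer-uploaded
// templates that may contain only [placeholder] tokens (assumed syntax).
// The template is handled purely as text: it is read, never include()d or
// eval()ed, so nothing a customer uploads can run as PHP on the server.
function render_template(string $template, array $fields, array $allowed): string
{
    return preg_replace_callback(
        '/\[([A-Za-z_][A-Za-z0-9_.]*)\]/',
        function (array $m) use ($fields, $allowed): string {
            $name = $m[1];
            // Unknown or disallowed placeholders stay as the literal token, so
            // the designer sees what went wrong instead of silently getting data.
            if (!in_array($name, $allowed, true) || !array_key_exists($name, $fields)) {
                return $m[0];
            }
            // Escape on output: placeholder values are data, never markup,
            // which is what closes the XSS concern raised in the question.
            return htmlspecialchars((string) $fields[$name], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        },
        $template
    );
}

// Constructed sample: an uploaded template plus some order data. The template
// deliberately contains a PHP tag, a script tag in a value, and a placeholder
// that is not on the allow-list, to show how each is treated.
$uploaded = '<h1>Order [order.id] for [customer.name]</h1><?php echo "x"; ?>[secret]';
$fields   = [
    'order.id'      => 1042,
    'customer.name' => '<script>alert(1)</script>',
    'secret'        => 'db-password',
];
$allowed  = ['order.id', 'customer.name'];

// The PHP tag comes out as inert text (the template was never executed), the
// script tag is escaped, and [secret] stays literal because it is not allowed.
echo render_template($uploaded, $fields, $allowed), PHP_EOL;
```

Serve the rendered string directly; never write it back to a `.php` file that the application would later include, or the "templates are data, not code" guarantee is lost.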