Since Louis factored out all HTML from qanda and added a configuration file to the templates, it's a small task to add a template engine, replace the PHP views with e.g. Twig templates.

Use case

• Template providers don't have to worry about core changes in the question view files
• Template providers can apply any CSS framework specific HTML they want, like Foundation, Bootstrap etc.
• User can show some question the way they want (with some html ability)
• User can show all questions as a table

Requirements

Must have

• Template files in template zip packages can override question view files
• Template zip package can upload template files in template editor
• Actual views used in public part must use the template engine

Should have

• Possible to edit Twig templates in template editor
• Use same tags as Backbone template engine (Twig can configure this)

Could have

• Include another file : the actual view use different files (see Talk)
• Add Twig filter to process EM

Will not have

• No additional templates will be added to the template engine (like token form)

Ways of working with Twig

Security

Longer article about template injection: http://blog.portswigger.net/2015/08/server-side-template-injection.html

The lowest risk approach is to simply use a trivial template engine such as Mustache

About CPU load: It wold be easy for a template designer to make a loop within a loop within a loop etc, to exhaust the CPU power of the server. This vulnerability is in all template engines where you can loop an array (Mustache, Twig). To protect against this, the server should have a max script runtime set.

BUT: Rendering PDF takes a long time, how to know the right limit?

Test instructions

How to write good bug reports and feature requests:

https://www.limesurvey.org/community-services/bug-tracker

https://www.limesurvey.org/community-services/feature-requests