Question

My site allows users to create custom HTML templates for their profiles (very much like Tumblr and the theme system), and I picked the Twig template engine for the site.

However, I'm not sure if it's a good idea to give users the control of being able to access a template engine.

Is this a bad thing? How should I restrict access, or should I just totally rethink the strategy?


Solution

From the Twig homepage:

Secure: Twig has a sandbox mode to evaluate untrusted template code. This allows Twig to be used as a template language for applications where users may modify the template design.

and farther down:

Sandboxing: Twig can evaluate any template in a sandbox environment where the user has access to a limited set of tags, filters, and object methods defined by the developer. Sandboxing can be enabled globally or locally for just some templates:

 {{ include('page.html', sandboxed = true) }}

So, all you have to do is sandbox the user templates and you should be fine.
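A worked setup for the approach in this answer, added here and not part of the original post: a Twig 3 `SecurityPolicy` that allow-lists what profile templates may use, enabled globally through `SandboxExtension`, with a `User` class, Composer autoload path and the two sample templates all being assumptions made for the example.

```php
<?php
// Added example (not from the original post). Assumes Twig 3 installed via
// Composer; the User class and the template strings below are constructed.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Hypothetical model object handed to profile templates.
final class User
{
    public function __construct(private string $name, private string $bio, private string $email) {}
    public function getName(): string  { return $this->name; }
    public function getBio(): string   { return $this->bio; }
    public function getEmail(): string { return $this->email; } // intentionally NOT exposed
}

// Allow-list policy: anything not listed is refused by the sandbox.
// Tags, filters and functions are checked when the template is compiled;
// methods and properties are checked at render time, per class.
$policy = new SecurityPolicy(
    ['if', 'for', 'set'],                            // tags
    ['escape', 'upper', 'lower', 'length', 'date'],  // filters ('raw' left out on purpose)
    [User::class => ['getName', 'getBio']],          // methods
    [],                                              // properties
    ['range']                                        // functions
);

// Constructed user-supplied templates: one benign, one reaching for a method
// the policy does not allow. {{ user.name }} resolves to User::getName().
$templates = [
    'ok'     => '<h1>{{ user.name|upper }}</h1><p>{{ user.bio }}</p>',
    'denied' => '<p>{{ user.email }}</p>',
];

$twig = new Environment(new ArrayLoader($templates), ['autoescape' => 'html']);
// Second argument true = every template is sandboxed, not only sandboxed includes.
$twig->addExtension(new SandboxExtension($policy, true));

$user = new User('Alice', '<script>alert(1)</script> likes Twig', 'alice@example.invalid');
foreach (array_keys($templates) as $name) {
    try {
        // Autoescaping still applies, so the bio's <script> is rendered as text.
        echo $twig->render($name, ['user' => $user]), "\n";
    } catch (SecurityError $e) {
        // Log the rejection and show a safe fallback instead of the profile.
        echo "template '$name' rejected: ", $e->getMessage(), "\n";
    }
}
```

The 'ok' template renders with the bio HTML-escaped, while 'denied' throws a `SecurityError` naming the disallowed `getEmail` call, which is the signal to log and fall back to a default profile.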

Licensed under: CC-BY-SA with attribution