A Quick Look
```
// Familiar variable and List syntax.
$colors = ['red', 'blue', 'green'];

// New JSON-style syntax for Maps
$colorHex = {
    red: '#FF0000',
    green: '#00FF00',
    blue: '#0000FF',
};

// Built-in types have methods using
// the mainstream 'dot' syntax.
$colors.push('purple');

// Extra parens aren't needed.
if $colors.length() > 3 {
    $colors.pop();
}

// The standard library is organized
// into modules.
Response.sendPage({
    title: 'Colors',
    body: bodyHtml($colors),
});

// Template Functions let you organize
// your output (views) however you like.
// (e.g. by component, module, file, etc.)
template bodyHtml($colors) {
    <h1>Colors</>
    <ul>
    -- foreach $colors as $c {
        <li>{{ $c.toUpperCaseFirst() }}</>
    -- }
    </>
}
```
Read More: Syntax Cheat Sheet | Full Language Tour
THT Keeps the Good Parts of PHP
Despite its flaws, PHP has a few unique strengths that have made it one of the most popular languages in the world.
Key THT Features
||= for default assignment.)
Read More: How THT Compares to PHP
Web Framework Included
THT includes many tools that are useful for modern web development:
- Router for clean URLs (e.g. “/blog/123/top-ten-things”)
- Templates that support the full THT syntax
- Input validation and secure file uploads
- Stylesheet with reset styles, grid system & SVG icons
- Litemark parser for Markdown-style content
- JCON for human-friendly JSON-style configuration
- Session support with secure defaults & flash data
- Database module with CRUD methods & parameterized queries
- Cache module for performance tuning
Built-In Security
By default, THT defends against the most common security risks.
These safeguards are integrated into the language, providing better protection than if they were imported from a third-party library.
TypeStrings
TypeStrings are used to prevent injection attacks, which are considered the #1 security vulnerability on the internet.
They cannot be mixed with (unsafe) regular strings. Dynamic values are inserted via placeholders.
```
// SQL Queries
$q = sql'select name from users where id = {}';
$q.fill(123);

// URLs
$u = url'/users?sort={}'.fill('desc');

// System Commands
$c = cmd'chmod {perms} {file}';
$c.fill('755', 'my_file.conf');
```
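The TypeString idea described above can be modelled in a few lines. This is an added Python sketch, not THT's implementation and not code from the THT project: the class `SqlTypeString`, the helper `run_query`, the sample table and the hostile input are all constructed for illustration.

```python
import sqlite3

class SqlTypeString:
    """Hypothetical model of a SQL TypeString: trusted template plus bound values."""

    def __init__(self, template):
        self.template = template   # literal text written by the developer
        self.params = ()           # untrusted values, always kept separate

    def fill(self, *values):
        if self.template.count("{}") != len(values):
            raise ValueError("placeholder count does not match values")
        filled = SqlTypeString(self.template)
        filled.params = tuple(values)
        return filled

    # Refuse to be combined with a regular string, in either order.
    def __add__(self, other):
        raise TypeError("TypeString cannot be combined with a regular string")
    __radd__ = __add__

    def to_driver(self):
        # Placeholders become driver bind markers; values are never spliced in.
        return self.template.replace("{}", "?"), self.params


def run_query(conn, query):
    # The database helper accepts only the typed string, never a plain str.
    if not isinstance(query, SqlTypeString):
        raise TypeError("query must be a SqlTypeString")
    text, params = query.to_driver()
    return conn.execute(text, params).fetchall()


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (id integer, name text)")
    conn.executemany("insert into users values (?, ?)", [(1, "ann"), (2, "bob")])
    hostile = "1 or 1=1"           # constructed sample of untrusted input
    q = SqlTypeString("select name from users where id = {}")
    safe_rows = run_query(conn, q.fill(hostile))   # bound as data, matches nothing
    normal_rows = run_query(conn, q.fill(2))
    try:
        # String-built SQL never reaches the database: the helper rejects it.
        run_query(conn, "select name from users where id = " + hostile)
        rejected = False
    except TypeError:
        rejected = True
    return safe_rows, normal_rows, rejected
```

Calling `demo()` shows the two properties together: the hostile value is compared as data and returns no rows, and a query assembled from a plain string is refused before execution.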
Other Safeguards
- User input (which should never be trusted) can only be accessed through validation methods, via the Input module.
- Template variables are automatically escaped.
- Response headers include CSP to prevent Cross-Site Scripting (XSS).
- Direct calls to high-risk PHP commands like eval are prohibited.
- File functions are sandboxed to a data directory, and can’t be used with external (potentially dangerous) URLs.
Read More: All Security Enhancements
Performance
Out of the box, PHP is more than fast enough for most apps.
PHP 7 already offers major speed gains, but you can benefit even more by using an opcode cache like APC.
On a MacBook Pro, the core THT test suite (800 tests) finishes in 13 milliseconds.
It is also compact. The combined THT transpiler and runtime is only 180 KB (in comparison, Laravel is 16 MB).
THT also has built-in performance tools:
- The Perf Panel is an easy way to profile your overall page speed.
- The Cache module can help you minimize the biggest performance hits.
- Responses are automatically minified & GZIP compressed, reducing most page sizes by up to 70%.
How It Works
- Once you set up a THT app, your workflow is the same as with PHP. After you edit a file, just save and refresh.
- There are no build steps, background tasks, or server restarts to disrupt your flow.
- When you add or update a .tht file, it is automatically transpiled to PHP on the first request. Then it is cached for performance.
- The transpiled code is compatible with PHP 7.1+.
- The transpiler itself is written in 100% PHP with no dependencies.
- Third-party PHP libraries can be accessed through the PHP Interface.
Give It a Try
THT is still in Beta, but if you’d like to try it out, it’s already suitable for most small-to-medium web apps.