1

I want to make the marko template editable by clients. I know that user can add scripts, and XSS issue. The question is about server side.

If I run marko template from nodejs, and the template came from one user. Is it possible that the template will eval malicious code on the server?

In other words: How can I prevet the user from doing something like that:

<if test="require('readFileSync').deleteAllMyFile...">
   Hi
</if>
Aminadav Glickshtein
  • 23,232
  • 12
  • 77
  • 117
  • 1
    If you execute your template server-side then yes, if you only compile it into precompiled code then I would guess that it might not be a problem, but I would still assume that it is a security problem. – t.niese Dec 28 '15 at 16:05

1 Answers1

2

Marko allows arbitrary JavaScript code inside templates by design (for performance reasons). For now, that makes compiled Marko templates not suitable for use in situations where templates are not trusted. However, since this has come up a few times, we are exploring the option of making compiled templates safe by loading them in a sandbox. You can follow that discussion as part of the following Github issue: https://github.com/marko-js/marko/issues/192

Patrick Steele-Idem
  • 457
  • 2
  • 5