
I am creating a service in which I want to allow end-users to edit HTML templates for web pages that allow access to specific "variables" for inclusion in the template.

I know that Liquid was designed for this very purpose, is secure (at least relatively), and is in heavy production use. However, I find the language to be fairly complex for end-users as compared to something like Mustache.

Mustache sounds great, but I am concerned about security... has it ever been used for end-user templates?

Basically I am looking for a templating engine I can use w/ Rails for end-users that is:

  1. Secure - will not allow the execution of code by the user... at least not on the server. Users will be allowed to insert client-side JavaScript.
  2. Powerful - allows end-users to create pretty much any web page they can imagine using the supplied "variables" and within the context of #1
  3. Simple - the syntax is clear and easy for end-users to apply
  4. Bonus points if there is support for rendering the template syntax in javascript and other languages.

Liquid meets 1 & 2, but not 3-4. Mustache meets 2-4, but I'm not sure about #1 and that is non-negotiable.

Greatly appreciate any insights, experiences, or comments.

marcusmateus
1 Answer


Mustache is fantastic for interpolation and I can't imagine it ever exposing you to server-side vulnerabilities if you're using it for JavaScript evaluation. It's the simplest, most powerful option. I don't know that non-programmers would understand it, but I'm sure it's simpler than Liquid.

Another option would be to use an existing simpler user markup set like BBCode or a rich-text editing library like TinyMCE. These are much reduced in functionality, but are easier to use for average people.

Winfield
  • I really need to have the rendering happen on the server side for two reasons: 1. Google and other search bots need to be able to index the fully rendered page w/ the "variables" already expanded 2. While having JS enabled is fairly prevalent now I don't want to make it a requirement of the application – marcusmateus Feb 27 '11 at 02:13
  • 5min?? @Winfield Need to clarify #1. Not worried about unescaped strings in the template, since I allow JS in templates.. it was raised as a concern in another forum. But, I really need to have the rendering happen on the server side for two reasons: 1. Google and other search bots need to be able to index the fully rendered page w/ the "variables" already expanded 2. While having JS enabled is fairly prevalent now I don't want to make it a requirement of the application. I agree that BBCode / TinyMCE are simpler, but using them would really take away from the power of the app (#2) – marcusmateus Feb 27 '11 at 02:25
  • As long as you're careful about the methods you expose in your view, I think Mustache will be secure and fit your needs nicely. The syntax is not horrible; it's probably as easy as you can get as far as a template engine goes. Check out [the demo](http://mustache.github.com/#demo) for an example. – Michelle Tilley Feb 27 '11 at 07:58
  • Winfield, I accepted your answer because I think it is essentially correct, the security risks to using Mustache appear to be minimal. Unfortunately, in my testing the flexibility allowed w/ using Mustache as an end-user templating engine was limited. As soon as I needed to, for example, display an element from only the first result, I could not find a Mustache syntax to allow that unless I provided logic on the server. However, switching to Liquid was quite easy and provided the end-user capabilities I have needed thus far... even if with a slightly less intuitive syntax. – marcusmateus Mar 20 '11 at 23:51
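The answer and Michelle Tilley's comment both come down to one property: a logic-less template can only read values the server chose to expose, never call a method. As an added example (not code from the question, the answer, or the mustache gem), here is a minimal Mustache-style renderer in Ruby whose lookups only read a plain Hash built on the server, with `{{x}}` escaped by default and `{{{x}}}` raw; `SafeTemplate`, `example_render` and the sample view are constructed for this illustration, and the precomputed `first` key shows how the "only the first result" case from the last comment is handled server-side.

```ruby
require 'cgi'
# Added example, not the mustache gem: a minimal logic-less renderer in the Mustache style.
# Values come only from Hash lookups on a server-built view, never from method calls on an object.
module SafeTemplate
  TOKEN = /(\{\{\{?[#\/]?\s*\w+\s*\}\}\}?)/
  def self.render(template, view)
    emit(parse(template.split(TOKEN)), [view])
  end
  def self.parse(tokens, open = nil)             # tree of nodes; {{#x}} nests until its {{/x}}
    nodes = []
    until tokens.empty?
      tok = tokens.shift
      if tok =~ /\A\{\{\{\s*(\w+)\s*\}\}\}\z/
        nodes << [:raw, $1]                        # {{{x}}} is not escaped
      elsif tok =~ /\A\{\{([#\/]?)\s*(\w+)\s*\}\}\z/
        kind, name = $1, $2
        raise ArgumentError, "bad {{/#{name}}}" if kind == '/' && name != open
        return nodes if kind == '/'
        nodes << (kind == '#' ? [:section, name, parse(tokens, name)] : [:esc, name])
      else
        nodes << tok                               # literal template text
      end
    end
    nodes
  end
  def self.lookup(stack, name)                   # innermost frame first; only Hash keys, no send
    frame = stack.reverse.find { |h| h.is_a?(Hash) && h.key?(name) }
    frame && frame[name]
  end
  def self.emit(nodes, stack)
    nodes.map do |n|
      next n if n.is_a?(String)
      kind, name, children = n
      val = lookup(stack, name)                    # unknown names such as {{system}} become nil
      case kind
      when :esc then CGI.escapeHTML(val.to_s)      # {{x}} escapes by default
      when :raw then val.to_s
      else                                         # section: iterate an array, push a truthy value
        (val.is_a?(Array) ? val : (val ? [val] : [])).map { |i| emit(children, stack + [i]) }.join
      end
    end.join
  end
end
# Constructed view: "first" is precomputed server-side, so the template needs no logic to show it.
def example_render
  results = [{ 'title' => 'Alpha <b>1</b>' }, { 'title' => 'Beta' }]
  SafeTemplate.render("<h1>{{site}}</h1><p>{{#first}}{{title}}{{/first}}</p><ul>{{#results}}<li>{{{title}}}</li>{{/results}}</ul>{{system}}",
                      { 'site' => 'Demo', 'results' => results, 'first' => results.first })
end
```

The user-authored template may still contain its own `<script>` blocks, as the question allows; what this renderer prevents is the template reaching any server-side object or injecting unescaped data through `{{x}}`.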