Disable partials? #263
Comments
|
A hack is to extend class SafeMustache < Mustache
def partial(*args)
''
end
end
SafeMustache.render('{{> foo}}') # => '' |
|
Following up, is this the best way to harden the renderer? I want to allow variables expansion only. Any helpful configuration parameter available? |
|
I remember there was a "safe mustache" a while back, though I've never used it: https://github.com/thelucid/tache |
|
Thank you for the reference. But has not received commits in seven years. Is so uncommon to look for a stripped down, safe templating system to accept user generated templates? |
|
I mean
|
|
Latest official release. Don’t get it, sorry. |
|
The latest release of Tache was December 2015. The latest release of Mustache (this project) was June 2015 🙂 |
|
Ah. Yes. I believe github release feature is not used by many. Official release in this case is a release by tag https://rubygems.org/gems/mustache |
|
Oh gotcha. That's a bit better. |
|
Could you explain why Spotify Liquid, expanding on Mustache’s footsteps, is self-described as safe to use with user generated templates? If allows any numbers of functions to execute on backend logic. And Mustache itself scares with “If there is no name key, the parent contexts will be checked recursively”. What is safe to use with just variables? |
|
Solution to this problem are GNU Recutils: performs keywords replacement without regard of regex or shell expansion characters (& . - * / \ $ etc.). The most a user can add are selection expressions within templates. Themselves a powerful option. Also they are very fast. Unfortunately no Ruby wrapper gem is available yet. So you will need to call out for shell execution. |
Is there a way to disable partial rendering? If not, can I request it?
I'd like to use mustache to render a template entered by a user. In order to do this safely, I need partials disable to that users can't access any data off of disk.
The text was updated successfully, but these errors were encountered: