strict mode #12

schuyler1d opened this Issue · 8 comments

5 participants


Right now templates can include raw JavaScript. There should be a mode (if not the default) which only allows variables, calls, and (in)equality expressions.
i.e. this should be IMPOSSIBLE:
{{= (get_Val() ? 3*4/this : window.location='' }}
This kind of strict approach is essential if the implementation can be written cross-language, and forces the separation of template and code.

This issue was brought up in the original announcement:
where the author gives an example of a way to implement this:


I believe nested data access should be permitted as well, e.g.: a.b.c, but not a.b().c.


See also: Better error handling options


In the draft spec, if you wish to restrict substitutions you can implement a verifier pass that rejects any "=" node that has content that does not fall in some subset of member expressions. See plugin compiler passes in section 9.

Be aware though that you cannot rely on control not escaping just because there is no explicit function call. Implicit valueOf, toString can cause control to escape, (new Image).src="javascript:...", and getters/setters can all cause non-obvious side-effects.
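
The following is an added example, not code from jquery-tmpl or from any participant in this thread. It sketches the two ideas raised above: a verifier pass that accepts only dotted data access (a.b.c, but not a.b().c) and simple (in)equality comparisons inside {{= ... }} tags, and a data lookup that refuses accessor properties and inherited properties, so that a getter or a prototype lookup cannot run code even when the expression itself passed the whitelist. Values are only rendered when they are primitives, so a hostile valueOf or toString is never invoked. The tag syntax, the accepted grammar, and the function names (verifyTemplate, safeLookup, toText) are assumptions of this example and do not reflect the plugin's actual compiler passes.

```javascript
// Added example (not jquery-tmpl code): whitelist verifier for {{= ... }}
// substitutions plus a getter-free data lookup.
// Grammar accepted by the verifier (an assumption of this example):
//   expr   := member ( ("==" | "!=" | "===" | "!==") member )?
//   member := IDENT ( "." IDENT )* | STRING | NUMBER
// Calls, arithmetic, assignment, parentheses and anything else are rejected.

const TAG_RE = /\{\{=([\s\S]*?)\}\}/g;

// Splits an expression into tokens; any character outside the grammar
// becomes a 'bad' token so the parser can report it.
function tokenize(src) {
  const tokens = [];
  const re = /\s*(?:(===|!==|==|!=)|([A-Za-z_$][\w$]*)|(\d+(?:\.\d+)?)|("(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')|(\.)|(\S))/gy;
  let m;
  while ((m = re.exec(src)) !== null) {
    if (m[1]) tokens.push({ type: 'op', value: m[1] });
    else if (m[2]) tokens.push({ type: 'ident', value: m[2] });
    else if (m[3]) tokens.push({ type: 'number', value: m[3] });
    else if (m[4]) tokens.push({ type: 'string', value: m[4] });
    else if (m[5]) tokens.push({ type: 'dot', value: '.' });
    else tokens.push({ type: 'bad', value: m[6] });
  }
  return tokens;
}

// Parses one member expression starting at pos; returns the position after it.
function parseMember(tokens, pos) {
  const t = tokens[pos];
  if (!t) throw new Error('unexpected end of expression');
  if (t.type === 'string' || t.type === 'number') return pos + 1;
  if (t.type !== 'ident') throw new Error(`unexpected token ${JSON.stringify(t.value)}`);
  pos += 1;
  while (tokens[pos] && tokens[pos].type === 'dot') {
    const next = tokens[pos + 1];
    if (!next || next.type !== 'ident') throw new Error('expected identifier after "."');
    pos += 2; // a.b().c never gets here: "(" is a bad token and stops parseMember
  }
  return pos;
}

// Throws if the expression is not exactly one member or one comparison.
function verifyExpression(src) {
  const tokens = tokenize(src);
  let pos = parseMember(tokens, 0);
  if (tokens[pos] && tokens[pos].type === 'op') pos = parseMember(tokens, pos + 1);
  if (pos !== tokens.length) {
    throw new Error(`disallowed token ${JSON.stringify(tokens[pos].value)}`);
  }
}

// Returns one error message per offending {{= ... }} tag; [] means the
// template passed the strict-mode check.
function verifyTemplate(template) {
  const errors = [];
  for (const m of template.matchAll(TAG_RE)) {
    try {
      verifyExpression(m[1]);
    } catch (e) {
      errors.push(`${m[0]}: ${e.message}`);
    }
  }
  return errors;
}

// Resolves a verified path like "a.b.c" reading only own *data* properties.
// Accessor properties (getters) and inherited properties such as
// "constructor" or "__proto__" yield undefined instead of running code.
function safeLookup(data, path) {
  let cur = data;
  for (const key of path.split('.')) {
    if (cur === null || typeof cur !== 'object') return undefined;
    const desc = Object.getOwnPropertyDescriptor(cur, key);
    if (!desc || !('value' in desc)) return undefined; // missing, inherited or accessor
    cur = desc.value;
  }
  return cur;
}

// Renders only primitives; objects are never coerced, so a hostile
// valueOf/toString cannot be triggered by the template engine.
function toText(value) {
  switch (typeof value) {
    case 'string': return value;
    case 'number':
    case 'boolean': return String(value);
    default: return '';
  }
}

// Constructed sample input for a stand-alone run.
const sampleTemplate = '<li>{{= user.name }} {{= user.role == "admin" }}</li>';
console.log(verifyTemplate(sampleTemplate));
console.log(verifyTemplate("{{= (get_Val() ? 3*4/this : window.location='' }}"));
console.log(toText(safeLookup({ user: { name: 'ann' } }, 'user.name')));
```

The verifier alone only guarantees that no call or operator appears in the template text; the lookup and rendering rules are what keep control from escaping through getters, prototype properties or coercion, which is why both halves belong in a strict mode.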


What are the possibilities of including a verifier in core? As default?
I can write the verifier, if a patch would be accepted.


Thanks for taking the time to submit this issue. Just wanted to let you know this plugin is no longer being actively developed or maintained by the jQuery team. See README for more info.


Thanks. It was a good goal; jQuery would have benefited from a single templating engine, but there seem to be contradicting use cases in the JS world to truly consolidate. Long live handlebars.js?

@schuyler1d schuyler1d closed this

jQuery can still have and benefit from a single template engine, it will just be maintained by the jQuery UI team. The previous version wasn't developed with them as stakeholders and so had different design goals. For this reason, the design and development was started afresh, rather than continuing in this project.

Surely there will always be plenty of choices when it comes to templating engines. jQuery UI will provide an interface that will support using your own favorite template engine, but will only fully support the one it ships. This is an example of a goal that wasn't initially part of the jquery-tmpl project.


For the codeless (strict) approach, see also the ongoing work on JsRender. Take a look at this post for more context.
