Added constant support to context #131


Hi, I was searching for a way to avoid passing config data to my templates every time (basehref, for example). Hope constant support can help someone.


bobthecow commented Jan 14, 2013

This introduces a lot of things you might not have anticipated...

{{ _POST }}, {{ _SERVER }}, {{ _SESSION }}, {{ _COOKIE }} and other superglobals probably shouldn't be exposed as globals in your templating language.

Exposing magic constants (__DIR__, __METHOD__, etc) would be unexpected and strange, but most likely not a vulnerability. I haven't looked at all of 'em, but there are a bajillion more predefined constants... or at least thousands.

Even worse: in many apps and environments, authentication data for third-party APIs and services is set as environment variables, so exposing {{ _ENV }} would be particularly disastrous.

A better approach than blindly allowing all constants would be to pass in explicitly whitelisted values which you wish to make available. You could register a "helper" full of them while instantiating your Mustache instance if you want to have them available to all templates:

$m = new Mustache_Engine;
$m->addHelper('config', array(
    'domain'    => '',
    'base_href' => '',
    'site_name' => MY_SITE_NAME_CONSTANT,
    // ...
));

$m->render('<a href="{{ config.base_href }}">{{ config.site_name }}</a>');

Yep, you're right, I haven't thought about it.

@dkraczkowski dkraczkowski deleted the dkraczkowski:patch-1 branch Jan 14, 2013
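
The allowlist approach from bobthecow's comment, as an added example that is not part of this PR or of Mustache.php: the `config` helper is built only from constant names listed explicitly, and the build fails closed on anything undefined or non-scalar. `build_config_helper`, `MY_BASE_HREF` and `MY_API_SECRET` are hypothetical names, and all constant values are constructed.

```php
<?php
// Added example: build the `config` helper from an explicit allowlist of
// constant names instead of making every constant reachable from templates.

// Constructed sample constants standing in for an application's configuration.
define('MY_SITE_NAME_CONSTANT', 'Example Site');
define('MY_BASE_HREF', 'https://example.test/');
define('MY_API_SECRET', 'constructed-secret'); // must never reach a template

/**
 * Hypothetical helper: map template keys to allowlisted constant names.
 * Throws if a listed name is undefined or its value is not a scalar.
 */
function build_config_helper(array $allowlist): array
{
    $config = [];
    foreach ($allowlist as $key => $constName) {
        if (!is_string($constName) || !defined($constName)) {
            throw new InvalidArgumentException("No defined constant for key: $key");
        }
        $value = constant($constName);
        if (!is_scalar($value)) {
            throw new InvalidArgumentException("Non-scalar constant refused for key: $key");
        }
        $config[$key] = $value;
    }
    return $config;
}

$config = build_config_helper([
    'site_name' => 'MY_SITE_NAME_CONSTANT',
    'base_href' => 'MY_BASE_HREF',
]);

// Compare what blind exposure would make reachable with what the helper exposes.
printf("constants defined in this process: %d\n", count(get_defined_constants()));
printf("keys exposed through the helper: %s\n", implode(', ', array_keys($config)));

// The secret was never allowlisted, so search the helper's values for it.
var_dump(in_array(MY_API_SECRET, $config, true));

// With Mustache.php loaded, register the result as in the comment above:
// $m = new Mustache_Engine;
// $m->addHelper('config', $config);
// echo $m->render('<a href="{{ config.base_href }}">{{ config.site_name }}</a>');
```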
