Implementing direct variable replacement

[tma66]

Context: We recently launched a feature (#2207) that had to be commented out because it broke frontmatter variable substitution. Since {{ fm.title }} is not a valid variable from lodash's point of view, it would need to a ReferenceError
Feature: [[Support Custom Date Format When Applying Schema Template|dendron://private/task.2021.11.28.support-custom-date-format-when-applying-schema-template]]

Goal: Introduce direct variable replacement

Design decisions:
- What syntax should we adopt for this? eg. <%= %>
- Currently we use {{ }} for frontmatter substitution. This doesn't replace the contents of the note, but rather changes how it's displayed in the preview
- Should we use a different syntax for direct substitution (ie to replace note content)?
- Implementation wise, lodash supports js execution. should we support this as well?
- Additional feature that requires extra check (workspace trust)

[SeriousBug]

Would it be possible to pass the frontmatter variables to lodash as an fm variable and otherwise keep the existing implementation?

[kevinslin]

the issue is that we actually have two types of substitutions going on:

• the regular substitution using {{ }} today doesn't replace the contents in the notes but just how it shows up in the preview

It is {{CURRENT_DAY}}

• the substitution that we're introducing in schema templates actually replaces the string literal

It is 18

These are two different behaviors so we actually do want different symbols around them.

[hikchoi]

What syntax should we adopt for this?

How about the ES2015 template delimiter? ${}

Implementation wise, lodash supports js execution. should we support this as well?

I think we can start off by offering a suite of useful predefined values and only allowing them in literal string substitution.

If we do allow js evaluation, is putting them behind workspace trust enough? Do we need to also add a way to completely disable this even within a trusted workspace?

I am not sure if even that is enough. Personally I think disallowing it is the way to go as to not invite any adversaries / becoming a threat vector. Unfortunately my security knowledge just about ends there so I'm not sure about the detailed nuances about allowing this 😅

[tma66]

Closing the loop here. As mentioned above, I'll resort to literal string substitution using default lodash delimiters for date substitution. I won't use lodash library as we won't need js evaluation.