-
Context: We recently launched a feature (#2207) that had to be commented out because it broke frontmatter variable substitution. Since {{ fm.title }} is not a valid variable from lodash's point of view, it would need to a
Goal: Introduce direct variable replacement
Design decisions:
-
Would it be possible to pass the frontmatter variables to lodash as an
-
How about the ES2015 template delimiter?
${}
I think we can start off by offering a suite of useful predefined values and only allowing them in literal string substitution.
If we do allow JS evaluation, is putting them behind workspace trust enough? Do we need to also add a way to completely disable this even within a trusted workspace?
I am not sure if even that is enough. Personally I think disallowing it is the way to go so as not to invite any adversaries / become a threat vector. Unfortunately my security knowledge just about ends there, so I'm not sure about the detailed nuances of allowing this 😅
-
Closing the loop here. As mentioned above, I'll resort to literal string substitution using default lodash delimiters for date substitution. I won't use the lodash library as we won't need JS evaluation.
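The literal-substitution approach this thread settles on, sketched as an added example that is not part of the original discussion or the project's code: only bare names inside the default lodash interpolate delimiters (`<%= %>`) are looked up in a fixed table of predefined date values, and nothing in the template is ever evaluated. The variable names (`CURRENT_YEAR`, `CURRENT_MONTH`, `CURRENT_DAY`) and function names are assumptions made for illustration.

```javascript
// Added example; all names here are hypothetical, not the project's API.
// Matches only <%= IDENTIFIER %>. Anything containing dots, calls, operators,
// or the evaluate form <% ... %> does not match and is left as plain text.
const INTERPOLATE = /<%=\s*([A-Za-z_][A-Za-z0-9_]*)\s*%>/g;

// Predefined values are computed up front from a Date (UTC for determinism).
function buildDateVars(now) {
  const pad = (n, width = 2) => String(n).padStart(width, "0");
  // Null prototype: names such as "constructor" or "__proto__" cannot resolve.
  const vars = Object.create(null);
  vars.CURRENT_YEAR = pad(now.getUTCFullYear(), 4);
  vars.CURRENT_MONTH = pad(now.getUTCMonth() + 1);
  vars.CURRENT_DAY = pad(now.getUTCDate());
  return Object.freeze(vars);
}

// Single-pass literal replacement. Unknown names are left untouched, and
// substituted values are not rescanned, so a value cannot smuggle in a token.
function substituteLiteral(template, vars) {
  return template.replace(INTERPOLATE, (match, name) =>
    Object.prototype.hasOwnProperty.call(vars, name) ? String(vars[name]) : match
  );
}

// Constructed sample template, as a note template in a workspace might contain.
const sampleVars = buildDateVars(new Date(Date.UTC(2022, 0, 5)));
const sample = [
  "created: <%= CURRENT_YEAR %>-<%=CURRENT_MONTH%>-<%= CURRENT_DAY %>",
  "title: {{ fm.title }}",
  "x: <%= process.exit(1) %>",
  "y: <% while (true) {} %>",
].join("\n");
console.log(substituteLiteral(sample, sampleVars));
```

Because the function never compiles the template, an untrusted workspace file can at worst leave an unreplaced token in the output; the `{{ fm.title }}` line passes through unchanged for whatever handles frontmatter substitution.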