Security precautions for multitenant apps with handlebars - node.js

We have a multitenant CMS which currently runs on PHP. For the next version we're looking at moving to Node.js and looking at Handlebars as the view engine.
My understanding is that unless I add helpers, the templates are safe and can't manipulate or access global state. Is this understanding correct?
Aside from XSS, are there any other security issues to consider when allowing users to edit their own HBS templates?

Related

Is there a way to know the template engine of a web site?

I'm reverse engineering a couple of web apps to figure out which technologies are behind them, so I can know which one I can use or learn to build my own web app.
So, going through the app I can see that it's based on NodeJs and ExpressJS and luckily I know both of them.
But what I can't figure out is the template engine; there are a lot of template engines that are really friendly to Express (Jade, EJS, Handlebars, etc.).
So I was wondering if there is a way to know which template engine is used on a web site.
Not normally. The whole point of a template engine is to replace special characters with user facing content so that precludes the type of hints one would need to determine the template engine. One would need to see the server side source code to really know.

Node.js and rendering views and templates stored in database

I am currently trying out different node.js templating engines, including dust.js.
Is it feasible to store all layout and view content in a database instead of the file system? Is there any templating engine which would be a better fit for this case?
Ideally I would create an administration screen where I could edit all master layouts and views, without requiring any file copying.
Definitely feasible, you'll just be responsible for your own template compilation / hydration. Assuming you're using Express, the built-in view engine expects templates to be on the file system, so if you're not going to have them there you have three choices:
1) fork express to remove that check
2) pre-cache all your views in the view cache when the app starts up (so that it pulls them from the cache rather than looking at the file system)
3) ignore the view rendering Express provides and just compile your templates yourself.
Doing 3 seems like the most natural choice, but realize there's a reason Express caches compiled templates, so you may consider building your own template cache (and dealing with cache invalidation when stuff gets updated).
Actually, a 4th method which may or may not work better (untested) would be to use Express's default views rendering, but on app startup write all your view files to a virtual drive using the temp module (here).

Actual use of Jade template and angularjs

I am building a website using nodejs and express. How to make divisions in a page dynamic? Is Jade used for that? If not, how to do it? What is angularjs used for? Please help, I searched a lot on google and I couldn't get clarity on the usage of them.
Jade creates the html used in the browser on the server-side. The browser executes a request to the web-server, the web-server executes Jade, which will generate the html that will be sent to the browser. This server-side content generation has been very common in the last ~20 years, but it has quite some cons when building rich internet applications. Mostly this has to do with performance and client state tracking.
AngularJS is a client-side MVC/MVVM like framework to build so called Single Page Applications (SPA), which allows you to have the complete user interface flow, all content generation and state tracking to be done at the client side. It even allows you to build offline applications. From the developer point of view this feels much more like building a desktop application where the client knows the state of the user interface. From the user point of the view the website will respond much smoother and snappier because the UI is all generated locally.
Note: SPA does not mean that you can only have one page in your website.
It's a technical term where the browser downloads one page (~/index.html), which contains the complete or partial web application. The user technically never leaves this page, but the content (pages) is dynamically swapped in and out from this placeholder page.
The most common way to provide data to a SPA is via RESTful web services. AngularJS comes with builtin support for REST.
Some developers combine server-side content generation techniques with AngularJS, but there's actually no real need for this.
Jade is used as a template engine on both server-side and client-side. Yes, it can update a page dynamically, you just have to compile your jade templates to JavaScript functions (using jade -c or something similar).
Yes, you can use angular.js with it, but I see no real need to use two template engines in your project. Suggesting to just stick with jade, unless you know what you are doing.

Use Mustache instead of Razor in OrchardCMS

Is it feasible to use Mustache templates (http://mustache.github.com) in a theme instead of the default Razor syntax?
As most frontend devs we work with are on a Mac, having to use Razor is creating a bottleneck in development, and I would prefer to use a templating engine that can be rendered cross-platform.
You can in principle use any view engine that is compatible with ASP.NET MVC, but you really shouldn't. You are going to fight with the system every step of the way. All of the themes and modules that you'll find (and you'll need them), as well as all the views in the core, are going to be using Razor. It's just a very, very bad idea.
You should try to find a CMS that uses Mustache natively as its default templating language, or learn Razor.
You can use it if you're willing to write some view engine services (which has some gotchas), and you can use multiple view engines side by side (i.e. you can keep the existing Razor templates and write your own templates in whatever you want).
The result won't necessarily be appealing but you can do it just as it was done for PHP.

Implementation approach for a RESTFUL EJS template service?

Imagine a service that already has a full ecommerce catalog, purchasing, etc. back office with a RESTFUL API that developers can use to connect to remotely to create ecommerce websites from it. I have already built this. What I was hoping for is some advice in implementing a RESTFUL EJS service on top of this that would allow a developer to specify an EJS template file via http resource URL and a typical catalog query in the same call, such as:
http://mywebsite.ecommerceapi.com/catalogid/products?query=sunglasses&ejs=httpurl
The resulting service would then return the rendered EJS template (using caching etc for the query and EJS template). This would be primarily for SEO purposes and allowing the developers to create the same solution client-side in terms of templating as they do in server-side so it eases development in simplifying how client-side and server-side templates are done regardless of the technology used to setup the websites.
Your suggestions? I also have no problem with you saying "this is a bad idea" but please give reasons.