views: 32

answers: 2

I am looking to allow users to create templates to display their data, and these templates are to be rendered using JavaScript. I was wondering if it was possible to safely do this? I just need simple things like loops and if-else statements and of course accessing and printing values of variables in a given object.

Are there any template libraries that allow this, or easy methods for accomplishing this task?

A: 

Take a look at this question and answer: http://stackoverflow.com/questions/170168/jquery-templating-engines

David Radcliffe
I am looking for a safe approach to execute untrusted templates.
Stanislav
A: 

You can't run something safe in the browser.

What you can do is to sandbox potentially unsafe content in an IFRAME with a src slightly different from your main page, e.g.:

  • your page is on www.stanislav.com
  • and your iframe is on something like: sandbox.stanislav.com, www.stanislav.com:8080, ...

The IFRAME will not be able to access the parent page resources. That does not prevent XSS, but this is another issue you have to care about anyway.

And if you are looking for a templating engine, have a look at PURE; it separates HTML and JS well.

You could then give people the option to build only the HTML of the templates and leave the JS code on your side. And if necessary, build a cleaning function to ensure the HTML contains no JS.

Mic
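As an added example (not code from this thread and not PURE's own code), here is the "leave the JS code on your side" half of the answer above in working JavaScript: a tiny template interpreter that supports the loops, if/else and variable output the question asks for without ever handing template text to eval or Function. The `{{ path }}` / `{% if %}` / `{% for %}` syntax is invented for the example. Template logic runs inside the interpreter, so a user-written template cannot execute code; data values are HTML-escaped, and lookups follow only own properties, so paths such as `constructor` or `__proto__` resolve to nothing. Literal HTML written into the template is still emitted as-is, which is exactly the part the answer's cleaning function or sandboxed IFRAME has to cover.

```javascript
'use strict';

// Added example: a no-eval template interpreter (syntax is hypothetical).

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Resolve a dotted path ("user.name") against a stack of scopes, innermost first.
// Only own properties are followed, so inherited members (constructor,
// __proto__, toString, ...) are unreachable from a template.
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
function lookup(path, scopes) {
  const parts = path.split('.');
  for (let i = scopes.length - 1; i >= 0; i--) {
    if (!hasOwn(scopes[i], parts[0])) continue;
    let cur = scopes[i];
    for (const part of parts) {
      if (cur === null || typeof cur !== 'object' || !hasOwn(cur, part)) return undefined;
      cur = cur[part];
    }
    return cur;
  }
  return undefined;
}

// Split template source into literal text and tag tokens.
const TOKEN_RE = /(\{\{\s*[\w.]+\s*\}\}|\{%\s*[^%]*?\s*%\})/g;
function tokenize(src) {
  return src.split(TOKEN_RE).filter((t) => t !== '');
}

// Build an AST: text, var, if (with optional else) and for nodes.
function parse(tokens) {
  let pos = 0;
  function parseBlock(terminators) {
    const nodes = [];
    while (pos < tokens.length) {
      const tok = tokens[pos];
      let m;
      if ((m = /^\{\{\s*([\w.]+)\s*\}\}$/.exec(tok))) {
        nodes.push({ type: 'var', path: m[1] });
        pos++;
      } else if ((m = /^\{%\s*(\w+)(?:\s+(.*?))?\s*%\}$/.exec(tok))) {
        const keyword = m[1];
        const arg = m[2] || '';
        if (terminators.includes(keyword)) return { nodes, stop: keyword };
        pos++; // consume the opening tag
        if (keyword === 'if') {
          if (!/^[\w.]+$/.test(arg)) throw new Error('if expects a path');
          const body = parseBlock(['else', 'endif']);
          let alt = [];
          let stop = body.stop;
          if (stop === 'else') {
            pos++;
            const rest = parseBlock(['endif']);
            alt = rest.nodes;
            stop = rest.stop;
          }
          if (stop !== 'endif') throw new Error('unterminated if');
          pos++; // consume endif
          nodes.push({ type: 'if', path: arg, body: body.nodes, alt });
        } else if (keyword === 'for') {
          const fm = /^(\w+)\s+in\s+([\w.]+)$/.exec(arg);
          if (!fm) throw new Error('for expects "name in path"');
          const body = parseBlock(['endfor']);
          if (body.stop !== 'endfor') throw new Error('unterminated for');
          pos++; // consume endfor
          nodes.push({ type: 'for', name: fm[1], path: fm[2], body: body.nodes });
        } else {
          throw new Error('unknown tag ' + keyword);
        }
      } else {
        nodes.push({ type: 'text', value: tok }); // literal template text
        pos++;
      }
    }
    return { nodes, stop: null };
  }
  return parseBlock([]).nodes;
}

// Walk the AST; every interpolated value is escaped before output.
function render(nodes, scopes) {
  let out = '';
  for (const node of nodes) {
    if (node.type === 'text') {
      out += node.value;
    } else if (node.type === 'var') {
      const v = lookup(node.path, scopes);
      out += v === undefined || v === null ? '' : escapeHtml(v);
    } else if (node.type === 'if') {
      out += render(lookup(node.path, scopes) ? node.body : node.alt, scopes);
    } else if (node.type === 'for') {
      const list = lookup(node.path, scopes);
      if (Array.isArray(list)) {
        for (const item of list) out += render(node.body, scopes.concat([{ [node.name]: item }]));
      }
    }
  }
  return out;
}

function renderTemplate(src, data) {
  return render(parse(tokenize(src)), [data]);
}

// Constructed sample: hostile-looking data is neutralised by escaping.
const SAMPLE_DATA = { user: { name: '<b>Eve</b>', admin: false }, items: ['a', 'b & c'] };
const SAMPLE_TPL = 'Hi {{ user.name }}!{% if user.admin %} (admin){% else %} (user){% endif %}'
  + '<ul>{% for it in items %}<li>{{ it }}</li>{% endfor %}</ul>';
console.log(renderTemplate(SAMPLE_TPL, SAMPLE_DATA));
```

Because there is no eval step, the only thing a template author controls is the literal text between tags; run the output through the cleaning function or inside the cross-origin IFRAME described above if that text is not trusted either.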