views: 32

answers: 1

There are many hosted CMS applications that provide you with some sort of inline markup/ templating engine that lets you output things into a page.

For example, a hosted CMS application lets you edit your templates to custom HTML/CSS, but they also let you do some basic inline code on the page to do things like inject the article title, date, etc. (object properties) and let you loop through predefined collections.

How do they do this?

How do they prevent the user from accessing other objects which you don't want them to?

e.g. Imagine them outputting your connection string! lol

Here is an example: http://wiki.shopify.com/UsingLiquid

+1  A: 

Typically the safest way is to create a self-contained scripting language - a runtime within the runtime that has a very limited scope of builtin objects populated by the host runtime, and none of which are dangerous. Obviously a script executing in a runtime cannot reach up outside its own universe unless the runtime itself provides a mechanism to do so.

Rex M
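An added example (not from the question or Rex M's answer) of the "runtime within the runtime" idea in Python: a tiny Liquid-style renderer whose entire universe is a plain-data scope the host fills in, so names outside that scope, the host's connection string included, resolve to nothing. The context, the `DB_CONNECTION_STRING` constant and the tag syntax are constructed for illustration.

```python
import re
from html import escape

# Host-side secret that lives in the process but is never placed in the template
# scope (constructed placeholder, not a real credential).
DB_CONNECTION_STRING = "Server=db;User=app;Password=PLACEHOLDER"

# Constructed sample scope: the host copies plain data in; the template never
# receives live objects, so there is nothing to call or introspect.
CONTEXT = {
    "article": {"title": "Hello <b>world</b>", "date": "2010-05-01"},
    "tags": [{"name": "news"}, {"name": "cms"}],
}

VAR_RE = re.compile(r"\{\{\s*([\w.]+)\s*\}\}")
FOR_RE = re.compile(r"\{%\s*for\s+(\w+)\s+in\s+([\w.]+)\s*%\}(.*?)\{%\s*endfor\s*%\}", re.S)


def lookup(path, scope):
    """Resolve a dotted name by walking plain dicts only.

    No getattr and no eval: a name that is not in the scope (or a dunder such
    as __class__) resolves to None, so the template cannot climb out of the
    data it was handed.
    """
    cur = scope
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def render(template, scope):
    """Expand {% for x in coll %}...{% endfor %} (one level) and {{ a.b }} tags."""
    def do_for(m):
        var, coll, body = m.group(1), m.group(2), m.group(3)
        items = lookup(coll, scope)
        if not isinstance(items, list):
            return ""  # looping over anything but a provided collection yields nothing
        return "".join(render(body, {**scope, var: item}) for item in items)

    def do_var(m):
        value = lookup(m.group(1), scope)
        # Escape on output so a data value cannot inject markup into the page.
        return "" if value is None else escape(str(value))

    return VAR_RE.sub(do_var, FOR_RE.sub(do_for, template))


if __name__ == "__main__":
    print(render("<h1>{{ article.title }}</h1>{{ settings.connection_string }}", CONTEXT))
```

A real engine would add a proper parser, filters and nested blocks, but the isolation property is the same: the only names that exist are the ones the host put in the scope.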