Template engine: Difference between revisions
From LimeSurvey Manual
Revision as of 21:54, 28 September 2016
Since Louis factored all HTML out of qanda and added a configuration file to the templates, it is a small task to add a template engine and replace the PHP views with, e.g., Twig templates.
Use-case
- Template providers don't have to worry about core changes in the question view files
- Template providers can apply the HTML their chosen CSS framework expects, such as Foundation
- Users with some HTML skills can display a question the way they want
Requirements
Must have
- Template files in a template zip package can override the question view files
- Template files from a zip package can be uploaded in the template editor
- The views actually used in the public (survey-taking) part must use the template engine
Should have
- It should be possible to edit Twig/Mustache templates in the template editor
- Use the same tags as the Backbone template engine (i.e. Underscore); Mustache, Twig and Underscore can all be configured to use custom delimiters (instructions)
Could have
- Include another file: the current views are spread over several files (see Talk)
Comparison between Twig and Mustache
Function | Twig | Mustache | Underscore
---|---|---|---
Echo variable | {{var}} | {{var}} | <%= var %>
Echo field in variable | {{var.field}} or {{var['field']}} | {{#var}} {{field}} {{/var}} | <%= var.field %>
Loop variable | {% for user in users %} ... {% endfor %} | {{#users}} ... {{/users}} | <% _.each(users, function(user) { %> ... <% }); %>
Branch on boolean | {% if trueOrFalse %} ... {% endif %} | {{#trueOrFalse}} ... {{/trueOrFalse}} | <% if (trueOrFalse) { %> ... <% } %>
Translate | Add a filter, like {{"Translate me"|eT}} | Bind eT to a lambda, then {{#eT}} "String to translate" {{/eT}} |
Include another template file | {% include 'file.twig' %} | Partials: {{> file}} |
Sandbox | Yes (sandbox extension, off by default) | Not needed (logic-less) | No (templates compile to JavaScript functions)
Security
A longer article about template injection: http://blog.portswigger.net/2015/08/server-side-template-injection.html
The lowest-risk approach is to use a logic-less template engine such as Mustache: a template can only echo, loop over and branch on the data it is given, so a malicious template author has no expression language from which to reach PHP objects or functions. Twig is only comparably safe with its sandbox extension enabled and a whitelist of the allowed tags, filters, methods and properties.
About CPU load: it would be easy for a template designer to write a loop within a loop within a loop, and so on, to exhaust the server's CPU. This affects every engine that can loop over an array (Mustache and Twig alike). To protect against it, the server should enforce a maximum script runtime (PHP's max_execution_time).
- BUT: rendering a PDF takes a long time; how do we know the right limit? (PHP's set_time_limit() can raise the limit for that one request without loosening the default used for normal page rendering.)
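The following is an added example, my own code rather than LimeSurvey's or Twig's, that ties the Twig constructs from the comparison table to the two concerns of this section: it runs templates from an uploaded package under a sandbox policy that allows only the tags and filters the table needs, rejects over-nested loops at compile time, and uses a per-request time limit only as a last resort. It assumes PHP 8 and Twig 3 installed via Composer; the eT filter, the Survey class and the three templates are constructed stand-ins for LimeSurvey's translation helper, its models and the files inside a template zip.

```php
<?php
// Added example, not LimeSurvey or Twig project code. Assumes PHP 8 and Twig 3
// installed via Composer. eT, Survey and the templates are constructed stand-ins.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Error\Error as TwigError;
use Twig\Error\SyntaxError;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Node\ForNode;
use Twig\Node\ModuleNode;
use Twig\Node\Node;
use Twig\NodeVisitor\NodeVisitorInterface;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;
use Twig\TwigFilter;

// Compile-time guard against "a loop within a loop within a loop": reject any
// template whose {% for %} nesting is deeper than $maxDepth before it runs.
final class ForDepthLimiter implements NodeVisitorInterface
{
    private int $depth = 0;

    public function __construct(private int $maxDepth) {}

    public function enterNode(Node $node, Environment $env): Node
    {
        if ($node instanceof ModuleNode) {
            $this->depth = 0; // new template: reset, even if the previous one threw
        }
        if ($node instanceof ForNode && ++$this->depth > $this->maxDepth) {
            throw new SyntaxError(
                sprintf('Loop nesting deeper than %d is not allowed', $this->maxDepth),
                $node->getTemplateLine()
            );
        }
        return $node;
    }

    public function leaveNode(Node $node, Environment $env): ?Node
    {
        if ($node instanceof ForNode) {
            $this->depth--;
        }
        return $node;
    }

    public function getPriority(): int
    {
        return 0;
    }
}

// Stand-in for a model object a view might receive; never reachable from a template.
final class Survey
{
    public function getOwnerPassword(): string
    {
        return 'hunter2';
    }
}

// Constructed templates standing in for files from an uploaded template zip.
$templates = [
    // Benign question view using only constructs from the comparison table.
    'question.twig' => '<p>{{ question.text|eT }}</p><ul>'
        . '{% for a in answers %}<li>{{ a.label }}</li>{% endfor %}</ul>',
    // Template injection: calls a method on an object from the context.
    'evil.twig' => '{{ survey.getOwnerPassword() }}',
    // CPU exhaustion: three nested loops over the same array.
    'cpu.twig' => '{% for a in answers %}{% for b in answers %}'
        . '{% for c in answers %}.{% endfor %}{% endfor %}{% endfor %}',
];

$twig = new Environment(new ArrayLoader($templates), [
    'autoescape' => 'html', // everything echoed is HTML-escaped by default
    'cache'      => false,
]);
// Hypothetical translation filter standing in for LimeSurvey's eT helper.
$twig->addFilter(new TwigFilter('eT', fn (string $s): string => $s));

// Sandbox policy: only the tags and filters the table needs; no methods,
// properties or functions. 'escape' is the filter autoescaping inserts, so it
// has to be whitelisted explicitly.
$policy = new SecurityPolicy(['for', 'if'], ['escape', 'eT'], [], [], []);
$twig->addExtension(new SandboxExtension($policy, true)); // true: every template is sandboxed
$twig->addNodeVisitor(new ForDepthLimiter(2));

function renderSurveyTemplate(Environment $twig, string $name, array $context, int $seconds = 5): string
{
    // Last-resort CPU guard. Exceeding it is a fatal error, not an exception,
    // which is why the compile-time depth check is the primary defence. A slow
    // path such as PDF export can pass its own larger $seconds instead of
    // loosening the limit for every request.
    set_time_limit($seconds);
    try {
        return $twig->render($name, $context);
    } catch (SecurityError $e) {
        // Tag, filter, method or property outside the policy (evil.twig lands here).
        return "Rejected $name: " . $e->getMessage();
    } catch (TwigError $e) {
        // Syntax errors, including the depth limit (cpu.twig lands here).
        return "Invalid $name: " . $e->getMessage();
    }
}

// Pass plain arrays for survey data: the sandbox's method/property whitelist is
// only enforced on objects, so arrays expose exactly the fields you put in them.
$context = [
    'question' => ['text' => 'Which browser do you use?'],
    'answers'  => array_map(fn (int $i) => ['label' => "Option $i"], range(1, 500)),
    'survey'   => new Survey(),
];
foreach (array_keys($templates) as $name) {
    echo renderSurveyTemplate($twig, $name, $context), PHP_EOL;
}
```

Run it with `php example.php`: question.twig renders, evil.twig is rejected by the sandbox with a SecurityError naming the disallowed method, and cpu.twig never executes because the depth limiter throws while the template is compiled. The design choice worth copying is the layering: the sandbox bounds what a template can reach, the node visitor bounds how much work it can ask for, and the time limit only catches what both of those miss.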