Rails End-User Templating Engines: Liquid vs Mustache vs. Others?
I am creating a service in which I want to allow end-users to edit HTML templates for web pages that allows for access to specific "variables" for inclusion in the template.
I know that liquid was designed for this very purpose, is secure (at least relatively), and is in heavy production use. However, I find the language to be fairly complex for end-users as compared to something like Mustache.
Mustache sounds great, but I am concerned about security... has it ever been used for end-user templates?
Basically I am looking for a templating engine I can use w/ Rails for end-users that is:
- Secure - will not a开发者_如何学运维llow the execution of code by the user... at least not on the server. Users will be allowed to insert client-side javascript.
- Powerful - allows end-users to create pretty much any web page they can imagine using the supplied "variables" and within the context of #1
- Simple - the syntax is clear and easy for end-users to apply
- Bonus points if there is support for rendering the template syntax in javascript and other languages.
Liquid meets 1 & 2, but not 3-4. Mustache meets 2-4, but I'm not sure about #1 and that is non-negotiable.
Greatly appreciate any insights, experiences, or comments.
Mustache is fantastic for interpolation and I can't imagine it ever exposing you to server-side vulnerabilities if you're using it for Javascript evaluation. It's the simplest, most powerful option. I don't know that non-programmers would understand it, but I'm sure it's simpler than Liquid.
Another option would be to use an existing simpler user markup set like BBcode or a rich-text editing library like TinyMCE. These are much reduced in functionality, but are easier to use for average people.
精彩评论