Rendering JavaScript templates

Question

I wish to display a popup when the user hovers over a particular link.

To do so, I first request the particular JSON data from the server via Ajax.

The server queries the DB, and escapes any data which happens to be user provided using htmlspecialchars(), and echos json_encode($data).

The client then assembles the HTML using the below template.

The client then displays the popup.

My question only relates to rendering the template.

Is there a better approach which will provide one or all of the following benefits?

Templates are more readable.
Templates are easier to maintain.
Templates can be extended.
Custom methods to display phone numbers, etc need not be created.
Site is safer from an XSS respective.
htmlspecialchars escaping is moved from the server to the client.
Other benefits which I have not even thought of?

Thank you

function getTemplate(type,json) {
    switch(type) {
        case 'person':
            return 'Name:
'+((d.firstname&&json.lastname)?json.firstname+' '+json.lastname:((json.firstname)?json.firstname:json.lastname))+''
            +'Account:
'+json.account_name+''
            +((json.title)?'Title:
'+json.title+'':'')
            +'User Name:
'+json.username+''
            +'Password:
'+json.password+''
            +'Communication Method:
'+json.communication_method+''
            +((json.email)?'Email:
'+json.email+'':'')
            +((json.account_phone)?'Account Phone:
'+ayb.display_phone(json.account_phone)+'':'')
            +((json.phone)?'Direct Phone:
'+ayb.display_phone(json.phone)+'':'')
            +((json.mobile_phone)?'Mobile Phone:
'+ayb.display_phone(json.mobile_phone)+'':'')
            +((json.account_fax)?'Account Fax:
'+ayb.display_phone(json.account_fax)+'':'')
            +((json.fax)?'Direct Fax:
'+ayb.display_phone(json.fax)+'':'')
            +((json.address || json.location)?'Address:
'+json.address+((json.address && json.location)?'
':'')+json.location+'':'')
            +'';
            break;
        case 'company':
            return 'bla bla bla';
            break;
        case 'somethingElse':
            return 'bla bla bla';
            break;
            return 'Invalid Template';
    }
}

Ammaroff · Accepted Answer

Here is one using mustache.js :

http://plnkr.co/m0NyrpTcKhIicTt0FD4N

html:

Name:
{{firstname}} {{lastname}} 
Account:
{{account_name}}
{{#title}}
    Title:
{{title}}
{{/title}}
User Name:
{{username}}
Password:
{{password}}
Communication Method:
{{communication_method}}
{{#email}}
    Email:
{{email}}
{{/email}}
{{#account_phone}}
    Account Phone:
{{#display_phone}}{{account_phone}}{{/display_phone}}
{{/account_phone}}

json :

  var json = {
        "firstname": "Basha",
        "lastname": "tasha",
        "account_name":"presonal",
        "title":"MR",
        "username":"basha",
        "password":"******",
        "communication_method":"phonexss safe",
        "account_phone": "1231231234"
    };

js:

$(document).ready(function () {
var output = $("#output");
type = "person";
var template = $("#"+type).html();

if(template == undefined) template = "Invalid Template";

//you can inject client side callback for phone render before calling Mustache.render(template,json)

  json.display_phone= function () {
   return function (val, render) {
       var phone = render(val);
            return phone.replace(/(\d{3})(\d{3})(\d{4})/, '$1-$2-$3');

        }
    };
    var html = Mustache.render(template, json);

    output.append(html);

 });

It's XSS safe

Kindly note that custom method is sent in the json data "display_phone"

Rendering JavaScript templates

Answers (1)

Related Questions