Reputation: 7478
I have a node.js app, something like a chat, and I need to make something similar to templates, so that any user can make their own template that will be rendered later.
So I have two ways:
1. I can go with regular string replace and replace predefined parameters with actual values.
2. I can use jsRender and just allow users to specify jsRender templates with code execution disabled.
I prefer the second approach as it's more flexible, but I'm concerned that a user might specify some evil JavaScript code that will be executed by jsRender on the server side and might leak data.
So is jsRender secure to run on a node.js server while allowing users to specify their own templates that will be executed on the server side?
Upvotes: 0
Views: 107
Reputation: 8524
JsRender is designed to make it impossible for user-defined templates to run arbitrary code.
You must of course leave the allowCode setting at its default value, false (see http://www.jsviews.com/#settings/allowcode and http://www.jsviews.com/#allowcodetag@tmpl).
Users can include rich template expressions in the template, but they won't be able to insert code that accesses any variables (or runs any methods) that are outside of the template scope. They can only access the contextual data/model, use the standard operators, and use any helper methods and variables which you (the author) decide to provide.
Upvotes: 2
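To make the answer's point concrete ("they can only access the contextual data, the standard operators, and the helpers you decide to provide"), here is an added example written for this page. It is not code from the original question, the answer, or the JsRender project: it is a small dependency-free renderer with the same restriction, so you can see what "template scope only" has to mean in practice. The `{{ path }}` / `{{ ~helper(args) }}` syntax and the helper names `upper`, `count` and `truncate` are invented for the example and are not JsRender syntax.

```javascript
// Added example, not code from the original post or from JsRender. A minimal
// restricted template renderer: user templates can read the data object passed
// to render() and call the helpers registered in HELPERS, and nothing else.
// No code tag, no globals, no walking into prototypes. Syntax and helper names
// are assumptions made for this example.

// Helpers the server author chooses to expose (assumed names).
const HELPERS = Object.freeze({
  upper: (s) => String(s).toUpperCase(),
  count: (xs) => (Array.isArray(xs) ? xs.length : 0),
  truncate: (s, n) => String(s).slice(0, Number(n)),
});

// Property names that would let a path climb out of the data object.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

const TAG_RE = /\{\{([\s\S]*?)\}\}/g;
const PATH_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;
const HELPER_RE = /^~([A-Za-z_]\w*)\(([\s\S]*)\)$/;

const ESC = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return value === undefined || value === null ? '' : String(value).replace(/[&<>"']/g, (c) => ESC[c]);
}

// A path is a dotted chain of plain identifiers; anything else is rejected.
function parsePath(expr) {
  if (!PATH_RE.test(expr)) throw new Error(`unsupported expression: {{${expr}}}`);
  const keys = expr.split('.');
  for (const k of keys) {
    if (FORBIDDEN_KEYS.has(k)) throw new Error(`forbidden property: ${k}`);
  }
  return { type: 'path', keys };
}

// Helper arguments may be numbers, quoted strings, or paths into the data.
function parseArg(src) {
  const a = src.trim();
  if (/^-?\d+(\.\d+)?$/.test(a)) return { type: 'literal', value: Number(a) };
  const s = /^"([^"]*)"$|^'([^']*)'$/.exec(a);
  if (s) return { type: 'literal', value: s[1] !== undefined ? s[1] : s[2] };
  return parsePath(a);
}

// One {{ ... }} expression: either a whitelisted helper call or a data path.
function parseExpr(src) {
  const expr = src.trim();
  const m = HELPER_RE.exec(expr);
  if (!m) return parsePath(expr);
  const [, name, rawArgs] = m;
  if (!Object.prototype.hasOwnProperty.call(HELPERS, name)) throw new Error(`unknown helper: ~${name}`);
  const args = rawArgs.trim() === '' ? [] : rawArgs.split(',').map(parseArg);
  return { type: 'helper', name, args };
}

// Parse the whole template; throws on the first expression outside the grammar.
function compile(template) {
  const parts = [];
  let last = 0;
  for (const m of template.matchAll(TAG_RE)) {
    parts.push({ type: 'text', value: template.slice(last, m.index) });
    parts.push(parseExpr(m[1]));
    last = m.index + m[0].length;
  }
  parts.push({ type: 'text', value: template.slice(last) });
  return parts;
}

// What the "save template" endpoint calls: null if acceptable, else the message to show.
function validate(template) {
  try { compile(template); return null; } catch (e) { return e.message; }
}

// Only own properties are followed, so inherited names (toString, __proto__)
// and missing keys resolve to undefined instead of reaching anything else.
function lookup(data, keys) {
  let cur = data;
  for (const k of keys) {
    if (cur === null || typeof cur !== 'object' || !Object.prototype.hasOwnProperty.call(cur, k)) return undefined;
    cur = cur[k];
  }
  return cur;
}

function evaluate(node, data) {
  if (node.type === 'literal') return node.value;
  if (node.type === 'path') return lookup(data, node.keys);
  return HELPERS[node.name](...node.args.map((a) => evaluate(a, data)));
}

// Render against a data object; every expression result is HTML-escaped.
function render(template, data) {
  return compile(template)
    .map((p) => (p.type === 'text' ? p.value : escapeHtml(evaluate(p, data))))
    .join('');
}

// Constructed sample data and templates for a quick run.
const sample = { user: { name: '<b>Ann</b>' }, messages: ['hi', 'hello'] };
console.log(render('Hi {{ user.name }}, {{ ~count(messages) }} new', sample));
console.log(validate('{{* process.exit() }}'));        // code tag: rejected at save time
console.log(validate('{{ constructor.constructor }}')); // prototype walk: rejected
```

Two things worth carrying over to a real deployment. First, run the validation when the template is saved, not only when it is rendered, so a rejected template never reaches the chat loop. Second, the guarantee is only as strong as the helpers you register: a helper that calls `eval`, `require`, or hands back `process` gives the template author exactly the code execution the sandbox is meant to prevent. The same logic applies to JsRender itself: leave allowCode at its default of false, as the answer says, and register only helpers you are happy to let every template author call. Note also that the literal text between tags is the template author's own markup and is emitted unchanged; if templates are shown to other users, escaping or sanitizing that part is a separate, client-side concern.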