允许客户编辑Handlebar.js模板的安全性如何 [英] How safe is to allow customer edit Handlebar.js template

问题描述

我构建的Rails应用程序需要允许用户编辑页面模板。

主要关心的是允许客户编辑的安全程度模板。因此，erb模板不在等式中。

我曾看过液体标记和Handlebars.js。这里有一个很好的Rails整合手柄 https://github.com/jamesarosen/handlebars-rails。

我宁愿使用把手。有人可以确认让客户编辑车把模板是否安全吗？

解决方案

由于Handlebars.js不包含任何Ruby代码这是需要避免的 - 是的，它对服务器端是安全的。

由于Handlebars.js（和其他模板引擎一样）允许用户更改HTML标记（插入< script> ，< iframe> ） - 不，对客户端来说不安全（除非您有一些额外的消毒）

The Rails application that I am building need to allow the users to edit the page template.

The main concern is about how safe it is to allow the customers edit the templates. So that puts the erb templates out of the equation.

I had looked at liquid markup and Handlebars.js. There is a nice Rails integration for handlebars here https://github.com/jamesarosen/handlebars-rails .

I would prefer to use handlebars. Can somebody confirm if it is safe to let customers edit handlebar templates?

解决方案

Since Handlebars.js doesn't contain any Ruby code that needs to be evaled — yes, it's safe for server side.

Since Handlebars.js (as any other templating engine) allows user to change HTML markup (insert <script>, <iframe>) — no, it's not safe for client side (unless you have some additional sanitizing)

这篇关于允许客户编辑Handlebar.js模板的安全性如何的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！