Ajedi32 / metalsmith-metafiles

A Metalsmith plugin to read file metadata from separate files (as an alternative to frontmatter)
MIT License

When adding support for executable metadata formats, consider gray-matter style `eval` option #7

Closed Ajedi32 closed 8 years ago

Ajedi32 commented 8 years ago

Basically a way to make the plugin safe to use on untrusted site data.

Ajedi32 commented 8 years ago

Eh, I think I'm actually going to hold off on this for now, mainly because I'm not sure how a system to make Metalsmith safe to use on untrusted site data would even work in the first place.

If the untrusted site has control of the metalsmith.json file, it could simply set the eval option on this plugin, rendering the currently proposed implementation useless. And if they don't have control of the metalsmith.json file, then you don't need this option at all; just don't enable the executable metadata formats and you should be safe.