Closed zefir-git closed 2 years ago
A partial solution is to override such global variables, e.g. `ejs.renderFile(file, {process: undefined, global: undefined}, ...)`; however, this still allows for `this.global` and `this.process`.

My only other option is to not use EJS and instead allow users to add placeholders to their pages which are then replaced with my variables. This, however, does not allow for modification of the data from my variables; e.g. let's say I have a variable `{date: new Date()}`; with EJS I could allow users to do things like `<%= date.getTime() %>`, which is something that I like.
Yeah, EJS is not designed for use with user-supplied templates in a server environment; you are opening yourself up to a bunch of vulnerabilities by doing that. Not using EJS would be the best solution here.
EJS modules cannot use NodeJS functions like `require`; however, other global variables such as `process`, `this.process` and `global.process` are accessible.

I am creating a feature in my application and I would like to allow people to use EJS to access only some variables that I specify (via the `data` argument) without having to containerise each page to isolate the file system.

It would be great to see an option like `safe: <Boolean>` which, when true, does not expose access to server-side data (such as the process object).

Not sure if this is standard behaviour, but by setting the `root` option to `/abc/xyz` I was still able to use EJS `<%- include("../file.txt") %>` in `/abc/xyz/ejs-file.ejs` to access `/abc/file.txt`.

Suggested labels: enhancement, question