mde / ejs

Embedded JavaScript templates -- http://ejs.co
Apache License 2.0

Disable access to NodeJS globals with option parameter #632

Closed zefir-git closed 2 years ago

zefir-git commented 2 years ago

EJS modules cannot use NodeJS functions like require; however, other global variables such as process, this.process, and global.process are accessible.

I am creating a feature in my application and I would like to allow people to use EJS to access only some variables that I specify (via the data argument) without having to containerise each page to isolate the file system.

It would be great to see an option like safe: <Boolean> which when true does not expose access to server-side data (such as the process object).

Not sure if this is standard behaviour, but by setting the root option to /abc/xyz I was still able to use EJS <%- include("../file.txt") %> in /abc/xyz/ejs-file.ejs to access /abc/file.txt.

Suggested labels: enhancement, question

zefir-git commented 2 years ago

A partial solution is to override such global variables, e.g. ejs.renderFile(file, {process:undefined, global:undefined}, ...); however, this still allows for this.global and this.process.

My only other option is to not use EJS and instead allow users to add placeholders to their pages which are then replaced with my variables. This, however, does not allow for modification of the data from my variables; e.g. let's say I have a variable {date: new Date()}, with EJS I could allow users to do things like <%= date.getTime() %>, which is something that I like.
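Why shadowing process and global in the data object still leaves this.process reachable (the behaviour described in the opening post and in the workaround above) follows from how template engines of this kind build their render function. The block below is an added example, not ejs's own code: it models a compiled template as a new Function body that exposes the data object through with (locals) and runs in sloppy mode with no receiver, which is the assumption stated in the comments. Under that model, a sloppy-mode call with an undefined receiver makes this the global object, and globalThis is an ordinary global that the data object never shadows.

```javascript
// Added example (not ejs's own code). Assumption: the engine compiles the
// template with `new Function`, exposes the data object via `with (locals)`,
// and by default calls the result in sloppy mode with whatever `context` is
// (undefined unless the caller sets it). The strict variant drops `with`
// (not allowed in strict code), so data is read as `locals.x`.
function compileTemplate(body, { strict = false, context } = {}) {
  const src = strict
    ? `"use strict";\nvar out = [];\n${body}\nreturn out.join("");`
    : `var out = [];\nwith (locals || {}) {\n${body}\n}\nreturn out.join("");`;
  const fn = new Function('locals', src);
  return (data) => fn.call(context, data);
}

// Render a template body against the workaround data from the issue
// ({process: undefined, global: undefined}) and report what it could reach.
function probe(body, opts) {
  const render = compileTemplate(body, opts);
  try {
    return render({ process: undefined, global: undefined });
  } catch (e) {
    return `throws ${e.name}`;
  }
}

// Sloppy mode (the default in this model): the data object hides the bare
// names `process` and `global`, but `this` is the global object and
// `globalThis` is never looked up in the data object at all.
const sloppyResults = {
  bareProcess: probe('out.push(typeof process)'),              // "undefined"
  bareGlobal: probe('out.push(typeof global.process)'),         // "throws TypeError"
  thisProcess: probe('out.push(typeof this.process)'),          // "object"
  globalThisProcess: probe('out.push(typeof globalThis.process)'), // "object"
};

// Strict mode with an empty receiver closes the `this` route only:
// `global` and `globalThis` are still the real Node globals.
const strictOpts = { strict: true, context: Object.create(null) };
const strictResults = {
  thisProcess: probe('out.push(typeof this.process)', strictOpts),     // "undefined"
  globalProcess: probe('out.push(typeof global.process)', strictOpts), // "object"
  localsProcess: probe('out.push(typeof locals.process)', strictOpts), // "undefined"
};

function escapeReport() {
  return { sloppy: sloppyResults, strict: strictResults };
}

module.exports = { compileTemplate, probe, escapeReport };
```

The point of the two result tables is that the data object is a scope, not a sandbox: each shadowed name only removes one spelling of the same reference, and anything that runs as JavaScript inside the process can name the global object some other way. That is the reason the maintainer's answer below is to keep user-supplied templates out of EJS rather than to keep adding names to the shadow list.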

RyanZim commented 2 years ago

Yeah, EJS is not designed for use with user-supplied templates in a server environment; you are opening yourself up to a bunch of vulnerabilities by doing that. Not using EJS would be the best solution here.