olado / doT

The fastest + concise javascript template engine for nodejs and browsers. Partials, custom delimiters and more.

AMP integration with Dot JS #279

Closed durr04 closed 4 years ago

durr04 commented 6 years ago

Hello @olado

I was working on Google AMP. Can we integrate AMP with Dot JS? Can we use Dot JS alone with AMP, or in any other combination with Express JS or the like?

Please let me know your thoughts on this.

cekvenich commented 5 years ago

AMP does not allow .js. AMP does have a mustache example - because they host it.

epoberezkin commented 4 years ago

doT is supposed to be used to pre-compile the templates during build or bootstrapping time in node, definitely not on the client side.

dan-silk-discovery commented 4 years ago

> doT is supposed to be used to pre-compile the templates during build or bootstrapping time in node, definitely not on the client side

I've never heard this before. I've absolutely used it in the browser in previous projects. I'm not actively using this now, but even if this was a "suggestion" originally, all open-source code should be deemed "buyer beware." As long as data from output generated by doT is properly handled, there should be no reason it can't be used in the browser. I didn't use it for anything that would be returned to the server, so it's more or less safe to use for basic output generation.

cekvenich commented 4 years ago

I also use it only on the browser.

epoberezkin commented 4 years ago

You can use it in the browser of course, as long as you don't use user data to generate templates. It is much more efficient, though, to use pre-compiled templates and just bundle the code to the browser, not the actual templates and not the library itself.

Re “buyer beware” - all open source code is provided as is, without any warranties stated or implied, so it is indeed users’ responsibility (not buyers’).

cekvenich commented 4 years ago

Buyers and users are the same; you meant sellers.

I compile and then reuse in the page.

epoberezkin commented 4 years ago

Users would be buyers if they paid money for the license :) Open-source software users are not buyers, even if they donate money.

You absolutely can use doT in the way that works for you, but there may be unknown potential vulnerabilities (no known vulnerabilities, though), as the doc explains, if you use doT in the client, because it generates executable code; this creates a risk of code injection. Hence the recommendation to pre-compile all templates at the build step.

Some applications choose to prevent the Function constructor / eval from working via Content Security Policy (script-src); doT would not work in this case at all.
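As an added illustration of the last two comments (this is not doT's own code): a minimal doT-style compiler that turns a `{{=it.x}}` template into a function through the Function constructor, a build-step helper that emits the function source for bundling instead of the template text, and a check for whether the page's CSP still allows runtime compilation at all. The tag syntax is borrowed from doT; the function names are assumptions for this example.

```javascript
// Added example, not code from doT. A minimal doT-style compiler: the
// template text becomes a JavaScript function body, so the template source
// is executable code while the data passed in as `it` is not.
function compileTemplate(tmpl) {
  const parts = [];
  const tag = /\{\{=([\s\S]+?)\}\}/g; // doT-style interpolation tag
  let last = 0;
  let m;
  while ((m = tag.exec(tmpl)) !== null) {
    // Static text is emitted as a string literal; JSON.stringify escapes it.
    parts.push(JSON.stringify(tmpl.slice(last, m.index)));
    // The tag contents are emitted verbatim as a JavaScript expression.
    parts.push("(" + m[1] + ")");
    last = tag.lastIndex;
  }
  parts.push(JSON.stringify(tmpl.slice(last)));
  // This is the step that needs the Function constructor (or eval).
  return new Function("it", "return " + parts.join("+") + ";");
}

// Build-step variant: compile once in Node and return the function source,
// which is what gets bundled to the browser instead of the template text.
function precompile(tmpl) {
  return compileTemplate(tmpl).toString();
}

// Detects whether a CSP (script-src without 'unsafe-eval') blocks the
// Function constructor; in that case doT cannot compile templates at runtime.
function canCompileAtRuntime() {
  try {
    new Function("return 1;");
    return true;
  } catch (e) {
    return false; // EvalError under a restrictive CSP
  }
}

// Data flowing through `it` is never parsed as template syntax: a value that
// merely looks like a tag is rendered as text. Only template source is run,
// which is why the template must come from the build, not from user data.
function renderGreeting(data) {
  const render = compileTemplate("Hello {{=it.name}}!"); // constructed template
  return render(data);
}
```

In a browser with a restrictive script-src, `canCompileAtRuntime()` returns false, and only the output of `precompile()` shipped in the bundle keeps working.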