Safe User-Generated Templates for Ruby and .NET

by Jonathan Allen on Dec 06, 2011 |

Unlike other templating engines that focus on given as much power as possible to the user, Liquid is designed to restrict what the user can do. The goal is to allow end-users to create their own templates without jeopardizing the security of the server.

Liquid was originally created for the eCommerce platform Shopify and has been in production use since 2006. Tim Jones ported the engine to .NET under the name DotLiquid. Both versions get their safety by not allowing templates to access the underlying platform. Instead they use a highly restricted instruction set that is primarily limited to simple functions, called “filters”, and conditional statements. The Liquid markup syntax is the same for both versions.

Rendering templates involves two steps. First the source code is parsed into a reusable Template object. Then when needed the template’s render method is called. Since templates have no access to Ruby/.NET variables, these have to be passed in using a dictionary of key-value pairs.

Developers can create their own filters to be leveraged by their users. New filters can be exposed to a specific template or registered globally. Either way, they are essentially a function that accepts and returns a string. New tag blocks are somewhat more complicated, requiring both an initialization and a rendering phase. Fortunately most of the messiness is handled by calls to the base class.

Jürgen Bäurle goes further, showing how to create SharePoint specific extensions for DotLiquid.

Related Editorial

eBook: The New Kingmakers - How Developers Conquered the World

Making the Shift from Relational to NoSQL

Extend Your Java EE Apps with a Mobile Web Interface

Why NoSQL - Three Trends Disrupting the Database Status Quo

Infographic: Just How Big is the Nerd Economy

Related Sponsor

Get code level visibility into your web apps. All for free.

Try New Relic Today.

Hello stranger!

You need to Register an InfoQ account or to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Tell us what you think

Community comments

Looks useful - though somewhat hard for the end user to use directly by Roopesh Shenoy Posted

Re: Looks useful - though somewhat hard for the end user to use directly by Roopesh Shenoy Posted

Looks useful - though somewhat hard for the end user to use directly by Roopesh Shenoy

We just use RTF templates when we need flexibility - sure it's a hassle parsing the RTF document, but our users find it much easier to customize their report templates.

Liquid.NET is useful when the developers themselves want to customize the reports, to maybe suit multiple profiles. It is like a DSL - it's quicker to develop something in it, but you can't expect a teacher/principal/clerk/bank manager, who is busy enough doing her job, to use this to customize their templates.

Re: Looks useful - though somewhat hard for the end user to use directly by Roopesh Shenoy

Of course that's for reports to be printed - web templates are out of the question.