Safe User-Generated Templates for Ruby and .NET
Unlike other templating engines that focus on given as much power as possible to the user, Liquid is designed to restrict what the user can do. The goal is to allow end-users to create their own templates without jeopardizing the security of the server.
Liquid was originally created for the eCommerce platform Shopify and has been in production use since 2006. Tim Jones ported the engine to .NET under the name DotLiquid. Both versions get their safety by not allowing templates to access the underlying platform. Instead they use a highly restricted instruction set that is primarily limited to simple functions, called “filters”, and conditional statements. The Liquid markup syntax is the same for both versions.
Rendering templates involves two steps. First the source code is parsed into a reusable Template object. Then when needed the template’s render method is called. Since templates have no access to Ruby/.NET variables, these have to be passed in using a dictionary of key-value pairs.
Developers can create their own filters to be leveraged by their users. New filters can be exposed to a specific template or registered globally. Either way, they are essentially a function that accepts and returns a string. New tag blocks are somewhat more complicated, requiring both an initialization and a rendering phase. Fortunately most of the messiness is handled by calls to the base class.
Jürgen Bäurle goes further, showing how to create SharePoint specific extensions for DotLiquid.
Looks useful - though somewhat hard for the end user to use directly
Liquid.NET is useful when the developers themselves want to customize the reports, to maybe suit multiple profiles. It is like a DSL - it's quicker to develop something in it, but you can't expect a teacher/principal/clerk/bank manager, who is busy enough doing her job, to use this to customize their templates.
Todd Montgomery Dec 19, 2014