
Safe User-Generated Templates for Ruby and .NET


Unlike other templating engines that focus on giving as much power as possible to the user, Liquid is designed to restrict what the user can do. The goal is to allow end users to create their own templates without jeopardizing the security of the server.

Liquid was originally created for the eCommerce platform Shopify and has been in production use since 2006. Tim Jones ported the engine to .NET under the name DotLiquid. Both versions get their safety by not allowing templates to access the underlying platform. Instead they use a highly restricted instruction set that is primarily limited to simple functions, called “filters”, and conditional statements. The Liquid markup syntax is the same for both versions.

Rendering templates involves two steps. First the source code is parsed into a reusable Template object. Then, when needed, the template’s render method is called. Since templates have no access to Ruby/.NET variables, any values they need have to be passed in using a dictionary of key-value pairs.

Developers can create their own filters to be leveraged by their users. New filters can be exposed to a specific template or registered globally. Either way, they are essentially a function that accepts and returns a string. New tag blocks are somewhat more complicated, requiring both an initialization and a rendering phase. Fortunately most of the messiness is handled by calls to the base class.

Jürgen Bäurle goes further, showing how to create SharePoint specific extensions for DotLiquid.


Community comments

  • Looks useful - though somewhat hard for the end user to use directly

    by Roopesh Shenoy /

    We just use RTF templates when we need flexibility - sure it's a hassle parsing the RTF document, but our users find it much easier to customize their report templates.

    Liquid.NET is useful when the developers themselves want to customize the reports, to maybe suit multiple profiles. It is like a DSL - it's quicker to develop something in it, but you can't expect a teacher/principal/clerk/bank manager, who is busy enough doing her job, to use this to customize their templates.

    • Re: Looks useful - though somewhat hard for the end user to use directly

      by Roopesh Shenoy /

      Of course that's for reports to be printed - web templates are out of the question.
