Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage News Safe User-Generated Templates for Ruby and .NET

Safe User-Generated Templates for Ruby and .NET

This item in japanese

Unlike other templating engines that focus on given as much power as possible to the user, Liquid is designed to restrict what the user can do. The goal is to allow end-users to create their own templates without jeopardizing the security of the server.

Liquid was originally created for the eCommerce platform Shopify and has been in production use since 2006. Tim Jones ported the engine to .NET under the name DotLiquid. Both versions get their safety by not allowing templates to access the underlying platform. Instead they use a highly restricted instruction set that is primarily limited to simple functions, called “filters”, and conditional statements. The Liquid markup syntax is the same for both versions.

Rendering templates involves two steps. First the source code is parsed into a reusable Template object. Then when needed the template’s render method is called. Since templates have no access to Ruby/.NET variables, these have to be passed in using a dictionary of key-value pairs.

Developers can create their own filters to be leveraged by their users. New filters can be exposed to a specific template or registered globally. Either way, they are essentially a function that accepts and returns a string. New tag blocks are somewhat more complicated, requiring both an initialization and a rendering phase. Fortunately most of the messiness is handled by calls to the base class.

Jürgen Bäurle goes further, showing how to create SharePoint specific extensions for DotLiquid.

Rate this Article