Is there a JavaScript HTML template that supports both null-coalescing ("undefined") and protects against XSS?

I was looking for a JavaScript templating engine and selected DoT.js (mainly because it is very fast ) but had the following problems

  • Null safe / Undefined safe / null-coalescing . As of Freemarker / VTL, I want to be able to pass and not worry about checking foo, and are defined, for example avoid things like

    {{ var val='';try{ }catch(){} }}{{= val}}

    which I feel bad about, or

    {{= typeof foo !== 'undefined'?typeof!=='undefined'?typeof!=='undefined'?' is undefined':' is undefined':'foo is undefined'}}

    which I'm not sure if I'm feeling better or worse about

  • I want to have good XSS protection and just as fast DoT.js doesn't use the DOM, even with {{! }}, I don't feel comfortable that all XSS in the world will be handled by find and replace (like what if the author missed something)

    The documentation , although it's very fast, it's not that popular (yet), but the sources are so small that you can figure out most things just by reading them, but having a good community is a big benefit.

Which JavaScript templating library meets these two requirements and is still considered fast?


source to share

2 answers benchmarks good against other templating systems and context-sensitive auto-safe to prevent XSS.

You can see from the matching set that it combines undefined




mustache.js - Logical templates with {{mustache}} with JavaScript.

1) If the key exists and is null, undefined, or false, or it is an empty list, the block will not be displayed.

2) By default, all variables are HTML escaped. If you want to display unescaped HTML, use the triple mustache: {{{name}}}. You can also use unescape on a variable.




All Articles