javascriptnode.jsmarko

Is it secure to give the user option to edit Marko template?


I want to make the marko template editable by clients. I know that user can add scripts, and XSS issue. The question is about server side.

If I run marko template from nodejs, and the template came from one user. Is it possible that the template will eval malicious code on the server?

In other words: How can I prevet the user from doing something like that:

<if test="require('readFileSync').deleteAllMyFile...">
   Hi
</if>

Solution

  • Marko allows arbitrary JavaScript code inside templates by design (for performance reasons). For now, that makes compiled Marko templates not suitable for use in situations where templates are not trusted. However, since this has come up a few times, we are exploring the option of making compiled templates safe by loading them in a sandbox. You can follow that discussion as part of the following Github issue: https://github.com/marko-js/marko/issues/192