Sumana,
Sorry for my late reply but since you asked for corrections, here are a
couple.
> Mustache.js is a popular modern choice.

Not really, mustache has many lack-offs that prevent it from being a
popular choice, among them the lack of a server-side compiler and if/else
constructs. Handlebars is a lot more popular. Also Twitter's flavor of a
string-based engine:
http://twitter.github.io/hogan.js/
> One approach treats HTML as a string ("here's a bunch of bytes to
> interpolate"). From a security perspective, this is dangerously easy to
> have vulnerabilities in, because you just naively insert strings.

This is not correct. String-based systems escape the strings they are
interpolating by default.
Take a look at escaping of what is the most popular string-based engine,
handlebars:
https://github.com/wycats/handlebars.js/
On Wed, Mar 19, 2014 at 4:27 AM, Sumana Harihareswara <sumanah(a)wikimedia.org> wrote:
> I'm trying to understand what our current situation is and what our
> choices are around HTML templating systems and MediaWiki, so I'm gonna
> note what I think I understand so far in this mail and then would love
> for people to correct me. TL;DR - did we already consense on a
> templating system and I just missed it?
>
> Description: An HTML templates system (also known as a templating
> engine) lets you (the programmer) write something that looks more like a
> document than it looks like code, then has hooks/entry points/macro
> substitution points (for user input and whatnot) that then invoke code,
> then emits finished HTML for the browser to render.
>
> Examples: PHP itself is kinda a templating language. In the PHP world,
> Smarty is a somewhat more mature/old-school choice. Mustache.js is a
> popular modern choice. And in other languages, you'd pick a lot of the
> MVC frameworks that are popular, e.g. Django or Jinja in Python.
>
> Spectrum of approaches: One approach treats HTML as a string ("here's a
> bunch of bytes to interpolate"). From a security perspective, this is
> dangerously easy to have vulnerabilities in, because you just naively
> insert strings. Then on the other end of the spectrum, you have code
> that always keeps the document object model (DOM) in memory, so the
> programmer is abstractly manipulating that data model and passing around
> an object. Sure, it spits out HTML in the end, but inherent in the
> method for turning those objects into HTML is a sanitization step, so
> that's inherently more secure. There's some discussion at
> https://www.mediawiki.org/wiki/Parsoid/Round-trip_testing/Templates . I
> presume we want the latter, but that the former model is more performant?
>
> We talked about this stuff in
> https://www.mediawiki.org/wiki/Architecture_meetings/RFC_review_2014-02-21
> and
> https://www.mediawiki.org/wiki/Talk:Architecture_Summit_2014/HTML_templatin…
> . Based on that plus
> https://www.mediawiki.org/wiki/Architecture_Summit_2014/RFC_clusters#HTML_t…
> it seems like we are supposed to get consensus on which system(s) to
> use, and we kind of have four things we could choose:
>
> * oojs - https://www.mediawiki.org/wiki/OOjs_UI -- could use this
>   toolkit with one of the template approaches below, or maybe this is
>   enough by itself! Currently used inside VisualEditor and I am not sure
>   whether any other MediaWiki extensions or teams are using it? This is a
>   DOM-based templating system.
>
> Template approaches which are competing?:
>
> * MVC framework - Wikia has written their own templating library that
>   Wikia uses (Nirvana). Owen Davis is talking about this tomorrow in the
>   RFC review meeting.
>   https://www.mediawiki.org/wiki/Requests_for_comment/MVC_framework
> * mustache.js stuff - Ryan Kaldari and Chris Steipp mentioned this I think?
> * Knockout-compatible implementation in Node.js & PHP
>   https://www.mediawiki.org/wiki/Requests_for_comment/HTML_templating_library…
>   and
>   https://www.mediawiki.org/wiki/Requests_for_comment/HTML_templating_library…
>   , being worked on by Gabriel Wicke, Matt Walker, and others. DOM-based.
>
> There's also an OutputPage refactor suggested in
> https://www.mediawiki.org/wiki/Requests_for_comment/OutputPage_refactor
> that's part of the HTML Templating RFC Cluster
> https://www.mediawiki.org/wiki/Architecture_Summit_2014/RFC_clusters#HTML_t…
> .
>
> I guess my biggest question right now is whether I have all the big
> moving parts right in my summary above. Thanks.
>
> --
> Sumana Harihareswara
> Senior Technical Writer
> Wikimedia Foundation
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
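The thread turns on one security point: whether a string-based engine "naively inserts strings" (Sumana's summary) or "escapes by default" (the reply). The following is an added example, not code from the thread and not from Handlebars, Mustache or Hogan. It builds a toy string-based engine modelled on the Mustache/Handlebars convention (double-stash `{{key}}` escaped, triple-stash `{{{key}}}` raw), sets it beside naive interpolation, and then shows the DOM-style alternative Sumana describes, where the escaping lives in the serializer rather than in the template. The function and variable names and the sample user record are all constructed for this example.

```javascript
// Added example, not code from the thread or from Handlebars/Mustache/Hogan.
// A toy string-based engine that escapes by default ({{key}}) with an explicit
// raw opt-out ({{{key}}}), modelled on the Mustache/Handlebars convention,
// contrasted with naive interpolation and with a DOM-style node tree whose
// serializer does the escaping.

const ESCAPE_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Escape the five characters that can change meaning inside HTML text or a
// quoted attribute value. Only correct for those two contexts; a value placed
// in a URL, a <script> block or an unquoted attribute needs a different escaper.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

function lookup(data, key) {
  const value = data[key];
  return value === undefined || value === null ? '' : String(value);
}

// Naive interpolation: every {{key}} is pasted in verbatim, so escaping is the
// template author's job on every single use.
function naiveRender(template, data) {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, key) => lookup(data, key));
}

// Escape-by-default interpolation. One combined pattern, one pass over the
// template: a value substituted for {{{raw}}} is never re-scanned, so a raw
// value that happens to contain "{{name}}" is not interpolated a second time.
const TAG_RE = /\{\{\{\s*(\w+)\s*\}\}\}|\{\{\s*(\w+)\s*\}\}/g;

function safeRender(template, data) {
  return template.replace(TAG_RE, (_, rawKey, escKey) =>
    rawKey !== undefined ? lookup(data, rawKey) : escapeHtml(lookup(data, escKey)),
  );
}

// DOM-style approach: the template is a tree of nodes, text and attribute
// values are stored unescaped, and the serializer escapes everything on the way
// out. Tag and attribute names are expected to come from the template author,
// never from user data; only attribute values and text children are data.
function el(tag, attrs, ...children) {
  return { tag, attrs: attrs || {}, children };
}

function serialize(node) {
  if (typeof node !== 'object') return escapeHtml(node); // text node
  const attrs = Object.entries(node.attrs)
    .map(([name, value]) => ` ${name}="${escapeHtml(value)}"`)
    .join('');
  const inner = node.children.map(serialize).join('');
  return `<${node.tag}${attrs}>${inner}</${node.tag}>`;
}

// Constructed sample data: a display name containing markup characters and a
// bio the application has already sanitized and wants to emit as-is.
const SAMPLE_USER = {
  name: 'Tom & <Jerry> "Q"',
  bio: '<em>already sanitized</em>',
};

function demo() {
  return {
    naive: naiveRender('<p>{{name}}</p>', SAMPLE_USER),
    escaped: safeRender('<p>{{name}}</p>', SAMPLE_USER),
    raw: safeRender('<div>{{{bio}}}</div>', SAMPLE_USER),
    noRescan: safeRender('<div>{{{bio}}}</div>', { bio: '{{name}}', name: 'x' }),
    dom: serialize(el('a', { href: 'x" y', title: "it's" }, 'Tom & <Jerry>')),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Run with `node` to print the five renderings. The `naive` result carries the user's `<` and `>` into the page unchanged; `escaped` shows what the reply means by escaping by default; `raw` is the explicit opt-out the template author has to write on purpose; `noRescan` is the reason the engine uses a single pass; and `dom` shows the serializer-side escaping that Sumana attributes to the DOM-based model, covering attribute values as well as text.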