tldr; Gabriel Wicke and I completed the first iteration last week of our
intermediate templating language. The runtime is available in both
JavaScript [1] *and* PHP [2]. We're still working on optimizing the PHP
version, but the JS version is already the fastest of anything we've
benchmarked [3][4].

If you don't know what I'm talking about... :)

For a while the foundation has been debating which templating language we
should standardize on [5]. The basic requirements are that it needs to be
able to render content in both JS and PHP, it needs to be fast, it needs to
be small, and it needs to be secure.

After considering all the existing solutions we determined that no solution
fulfills all the desired requirements. Popular libraries like handlebars or
hogan as used by Flow and Mobile are missing principled escaping, which
leaves escaping of user-provided data to the template writer. XSS
vulnerabilities need to be avoided with discipline and manual security
review. We decided to see if we could make something with automatic
escaping, that is more easily coupled into the MediaWiki environment, and
address future uses in VisualEditor and reactive pages.

Our solution comes in two parts; 1) a compiler into an intermediate
language, and 2) a runtime to turn the intermediate language into HTML.
This email is about the second part, TAssembly (template assembly
language), which is a generic intermediate runtime which processes a JSON
structure that can be quickly reassembled into HTML using only string
replacement. Contextual information is placed into the structure at compile
time to ensure proper escaping regardless of the source of the data. Other
static details compiled into TAssembly, such as information about i18n
strings and partial templates, can be extracted in order to help delivery
systems like ResourceLoader more efficiently push content.

The TAssembly runtimes are available at [1] and [2].

The JavaScript implementation of a KnockoutJS to TAssembly compiler is
available at [6].

Although other compilers could be written, see the discussion about the
benefits of KnockoutJS (syntax and optional runtime) and our rationale for
using DOM based templating compiled to a string based intermediate at [7].

Our next steps will be:
- to continue to iterate on improving performance
- integrate with ResourceLoader for template blob delivery
- write the Knockoff client library for MediaWiki integration (i18n
  availability mostly)
- port the compiler to PHP for better integration or provide some sort of
  service based compilation
- support blessing of objects in the data model

[1] https://github.com/gwicke/tassembly
[2] https://github.com/mattofak/knockoff
[3] https://www.mediawiki.org/wiki/Requests_for_comment/HTML_templating_library…
[4] test framework: https://github.com/gwicke/TemplatePerf
[5] https://www.mediawiki.org/wiki/Requests_for_comment/HTML_templating_library
[6] https://github.com/gwicke/tassembly
[7] https://www.mediawiki.org/wiki/Requests_for_comment/HTML_templating_library…

~Matt Walker
Wikimedia Foundation
Fundraising Technology Team
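
The escaping model described in the message (escaping context recorded in the intermediate structure at compile time, with the runtime doing only string assembly), as an added JavaScript example that is not from the original email or the TAssembly project. The array-of-parts template shape, the context names `text`, `attr` and `href`, and the sample models are assumptions made for illustration, not TAssembly's actual opcodes.

```javascript
// Added illustration: a context-tagged intermediate template and its runtime.
// The format is hypothetical, not TAssembly's real instruction set.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']);

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// URL attribute context: reject any scheme outside the allowlist.
function sanitizeHref(value) {
  // Browsers ignore whitespace and control characters when parsing the
  // scheme, so strip them before checking it.
  const probe = String(value).replace(/[\u0000-\u0020]/g, '');
  const m = /^([^/?#:]*):/.exec(probe);
  if (m && !SAFE_SCHEMES.has(m[1].toLowerCase())) return '#';
  return escapeHtml(value);
}

// The escaper is chosen by the tag the compiler wrote into the template,
// never by the template author or by the data.
const ESCAPERS = { text: escapeHtml, attr: escapeHtml, href: sanitizeHref };

function render(template, model) {
  let out = '';
  for (const part of template) {
    if (typeof part === 'string') { out += part; continue; } // static markup
    const [context, key] = part;
    const escaper = ESCAPERS[context];
    if (!escaper) throw new Error('unknown escaping context: ' + context);
    out += escaper(model[key] ?? '');
  }
  return out;
}

// Constructed sample: what a compiler could emit for
// <a href="{link}" title="{title}">{label}</a>
const template = ['<a href="', ['href', 'link'], '" title="', ['attr', 'title'],
  '">', ['text', 'label'], '</a>'];

// Constructed sample models: one benign, one with hostile user input.
const benign = { link: 'https://www.mediawiki.org/', title: 'Docs', label: 'A & B' };
const hostile = { link: 'java\tscript:alert(1)', title: '" onmouseover="x',
  label: '<script>alert(1)</script>' };

console.log(render(template, benign));
console.log(render(template, hostile));
```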