Is this secure to use with user generated templates? #793

Open
turbobuilt opened this issue Aug 8, 2021 · 2 comments
Comments

@turbobuilt

Hi, I'm looking at using this library to render user created templates with data I supply. I'm wondering if this library would work or if there are ways that users could insert malicious code and trick mustache.js into executing it.

The only security issue I could find was the fact that templates could be caused to infinitely load one another, but if I only let users control the top-level template, but not sub-templates, I think I would be OK. I did not see a way to execute raw JS, but I would like to hear from an expert with this before committing to use it.

@phillipj
Collaborator

phillipj commented Aug 9, 2021

> I did not see a way to execute raw JS

I think you've come to the right conclusion.

I can't think of any way to tell mustache to execute JavaScript code specified in the templates themselves. That would also counteract much of what was the holy grail with mustache back in the day: rendering the exact same templates on different runtimes, be it Java or C# on the server and JavaScript in the browser.

One of mustache's missions was to be logic-less and the opposite of clever. Allowing whatever code to be provided inside the template doesn't sound like something that would fit that mission either, from my point of view.

I could imagine dynamic code to be executed by mustache upon render when using mustache functions, but those would have to be declared on the data side of things, not inside the templates -- and you've said that you're the only one providing the data for rendering.
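
The usage pattern phillipj describes, as an added example that is not code from the mustache.js project: the user authors only the top-level template, while the view and the partials come from the integrator, and the view is rejected if it contains any function, since a function reachable from the view is the one thing mustache.js will call during rendering. It assumes mustache.js is installed (npm install mustache); the helper names are ours.

```javascript
// Added example (not from the mustache.js project). Guard the one place where
// mustache.js executes code during render: functions (lambdas) found on the
// view. Assumes `npm install mustache`; helper names are assumptions.

// Walk the view and collect dotted paths that resolve to functions.
// mustache.js calls any function it finds while looking up a tag name, so a
// function reachable from the view is callable from a user-written template.
function findFunctionPaths(view, prefix = '', seen = new Set()) {
  const paths = [];
  if (view === null || typeof view !== 'object' || seen.has(view)) return paths;
  seen.add(view); // stop on cyclic views
  for (const key of Object.keys(view)) {
    const path = prefix ? `${prefix}.${key}` : key;
    const value = view[key];
    if (typeof value === 'function') paths.push(path);
    else paths.push(...findFunctionPaths(value, path, seen));
  }
  return paths;
}

// Render a user-authored top-level template. The view and the partials are
// supplied by the integrator, never by the template author, so the template
// cannot pull in partials of its own choosing; the view must be plain data.
function renderUserTemplate(template, view, partials = {}) {
  const fnPaths = findFunctionPaths(view);
  if (fnPaths.length > 0) {
    throw new Error(`view must not contain functions: ${fnPaths.join(', ')}`);
  }
  const Mustache = require('mustache'); // the library discussed in this issue
  // {{name}} output is HTML-escaped by mustache.js; the view stays plain data.
  return Mustache.render(template, view, partials);
}

// Constructed sample input: a plain data view with no callables.
const sampleView = { user: { name: 'Ada' }, items: [{ n: 1 }, { n: 2 }] };

// Constructed unsafe view: lambdas that a template could invoke by name.
const unsafeView = { user: { name: 'Ada' }, greet: () => 'hi', nested: { f() {} } };
```

Calling `renderUserTemplate('Hello {{user.name}}! {{#items}}{{n}} {{/items}}', sampleView)` renders normally, while any template rendered against `unsafeView` is refused before mustache.js is invoked.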

@Bessonov

@turbobuilt how does your solution look?
