mustache(n) 1.1.3 "mustache.tcl"

Name

mustache - mustache templating engine

Table Of Contents

Synopsis

  • package require Tcl 8.5
  • package require lambda
  • package require mustache ?1.1.3?

Description

This package is a pure-Tcl implementation of the mustache templating engine spec which can be found at

https://github.com/mustache/spec/tree/master/specs

v1.1.3 of the spec and the optional lambda part are supported.

See http://mustache.github.io/ for further information on mustache.

PROCEDURES

The package defines the following public procedure:

::mustache::mustache template context ?libraryvar ...?

Process the mustache template with the given context. Mustache partials are supplied from variables in the scope of the caller; if such a variable doesn't exist, the libraryvar variables are consulted, in given order. Each library variable has to contain a dict of partials, where the key is the name of the partial; they may be in any scope, default is the scope of the caller.

SECURITY CONCERN:

Important: You have to read and understand this whether you plan to use lambdas or not - the security threat is always there, as it has its origins in user supplied content (which may be a lambda - at a malicious user's choice).

Because Tcl doesn't support explicit typing, there is no standard way to flag content as "executable" and neither "non-executable". The latter raises a security threat - Tcl injection, like in SQL injection - when handling user supplied contexts (read: always). To nullify that threat, take at least one of the following measures:

  • Make use of the lambda unsafe feature, see LAMBDA-UNSAFE SECTIONS below.

  • Put the whole template->output generator into a safe interpreter, e.g. by doing

    set mustacheinterp [::safe::interpCreate]
puts [$mustacheinterp eval {
	package require mustache
	set template {<h1>{{usercontent}},</h1>}
	set context [dict create usercontent {Λtcl {open "evildoing" w+}}]
	::mustache::mustache $template $context
}]

VARIABLES

The following public variables are defined:

set ::mustache::lambdaPrefix "Λtcl"

Stores the prefix used to detect a lambda in context. Can be changed should this ever be needed.

set ::mustache::lambdaUnsafe "λtcl"

Stores the prefix used to mark a section as lambda-unsafe. Can be changed should this ever be needed.

CONTEXT PROCESSING

Context values are processed before they are put into the template to render the output.

TEXTS

Context values that are texts are HTML-escaped after processing. This is required by the mustache spec and can be disabled selectively in some cases.

NUMBERS

Context values that are integers are treated as text for value tags. Context values that are doubles are treated as such for value tags: leading and trailing zeroes are removed as expected for numbers. This is required by the mustache spec and cannot be disabled.

BOOLEANS

Context values that are Tcl booleans (integers, "false", "true", "no", "yes") are treated as such for section tags (meaning they turn on/off section rendering). For value tags, they are treated as text resp. numbers.

LAMBDAS

Context values that are a Tcl list with the first element being the lambda prefix (usually "Λtcl") are treated as lambdas: the second list element is evaluated - for section tags, a variable "arg" is supplied to the lambda containing the verbatim section template content. The result is treated as it was a context value itself.

LAMBDA-UNSAFE SECTIONS

These are ordinary sections with an lambda unsafe marker (usually "λtcl") on start of their context. Lambdas within those sections are always substituted from the context outside the section. This makes it safe to use programmer defined lambdas mixed with user content. The lambda unsafe marker is removed for simple list contexts so it doesn't interfere with processing iterator sections.

Lambda-unsafe section

set context {safelambda {Λtcl {expr [join $arg *]}} unsafe {
	λtcl false userdata {Λtcl {return "I do evil things with your $arg"}}}}
set template {{{#unsafe}}{{#userdata}}1 2 3 4 5 6{{/userdata}}|{{#safelambda}}1 2 3 4 5 6{{/safelambda}}{{/unsafe}}}
::mustache::mustache $template $context

The "false" after the λtcl unsafe marker is needed only to keep the "key value key value" rhythm of the context dict intact. The value associated with the key λtcl is ignored.

Lambda-unsafe iterator section

set userdata {nice nicetoo Λtcl {return "I do evil things"}}
set context [dict create unsafe [concat λtcl $userdata]]
set template {"{{#unsafe}}{{.}}|{{/unsafe}}"}
::mustache::mustache $template $context

EXAMPLES

See the examples.tcl file in the installation directory or at

https://github.com/ianka/mustache.tcl/blob/master/examples.tcl.

Keywords

html, template processing