node.js - Is server-side EJS safe to expose to end-users?
I'd like to let end-users edit their own website templates using EJS, but since it seems to use evals and runs on the server, I'm not sure if it exposes a major security problem.
If I'm correct that it's a problem, is there a templating engine that is safe to expose to end-users?
Yeah, EJS is a security issue.
The vm module is helpful here.
Handlebars or Mustache are pretty popular, and might be a bit easier for a non-developer to understand. Jade is awesome but has the eval issue, and is different from HTML.
I recommend using Handlebars or Mustache in a Node "vm", with careful considerations and an execution time limit.
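The trade-off discussed in the answer above, as an added example that is not part of the original post: a constructed eval-style compiler (a stand-in, not EJS's actual code) run in-process and in a `vm` context with a timeout, beside a constructed logic-less renderer. All function names, templates and data are hypothetical.

```javascript
const vm = require('node:vm');

// Constructed stand-in for an eval-based engine: "<%= expr %>" is spliced into
// JavaScript source, so a template author is writing code, not markup.
function compileEvalStyle(template) {
  return '`' + template.replace(/<%=([\s\S]+?)%>/g, '${$1}') + '`';
}

// Runs the compiled template directly in the server process.
function renderInProcess(template, data) {
  return new Function('data', 'return ' + compileEvalStyle(template))(data);
}

// Runs it in a fresh vm context holding only `data`, with a time limit.
// Node's documentation states that vm is not a security mechanism, so treat
// this as a guard against runaway templates, not as a sandbox boundary.
function renderInVm(template, data, ms) {
  try {
    const output = vm.runInNewContext(compileEvalStyle(template), { data }, { timeout: ms });
    return { ok: true, output };
  } catch (err) {
    return { ok: false, error: err.code || err.name };
  }
}

// Constructed logic-less renderer (Mustache-like subset): "{{a.b}}" is an
// own-property lookup with HTML escaping; nothing is ever evaluated.
function renderLogicless(template, data) {
  const esc = (s) => s.replace(/[&<>"']/g, (c) => '&#' + c.charCodeAt(0) + ';');
  return template.replace(/\{\{\s*([\w.]+)\s*\}\}/g, (_, path) => {
    let value = data;
    for (const key of path.split('.')) {
      if (value == null || !Object.prototype.hasOwnProperty.call(value, key)) return '';
      value = value[key];
    }
    return esc(String(value));
  });
}

// Constructed sample templates and data.
const data = { user: { name: 'Ann <admin>' } };
const probe = 'Hello <%= data.user.name %>, process is <%= typeof process %>';
console.log(renderInProcess(probe, data));
console.log(renderInVm(probe, data, 50));
console.log(renderInVm('<%= (() => { while (true) {} })() %>', data, 50));
console.log(renderLogicless('Hello {{user.name}} <%= typeof process %>', data));
```

The in-process render reports that `process` is reachable from template code, the vm render does not see it and stops the never-ending template at the time limit, and the logic-less renderer leaves the `<%= ... %>` text inert.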