Sumana, Sorry for my late reply but since you asked for corrections, here are a couple.
> Mustache.js is a popular modern choice.

Not really, mustache has many lack-offs that prevent it from being a popular choice, among them the lack of a server side compiler and if/else constructs. Handlebars is a lot more popular. Also Twitter's flavor of a string based engine: http://twitter.github.io/hogan.js/

> One approach treats HTML as a string ("here's a bunch of bytes to interpolate"). From a security perspective, this is dangerously easy to have vulnerabilities in, because you just naively insert strings.

This is not correct. String based systems escape the strings they are interpolating by default. Take a look at escaping of what is the most popular string-based engine, handlebars: https://github.com/wycats/handlebars.js/

On Wed, Mar 19, 2014 at 4:27 AM, Sumana Harihareswara <[email protected]> wrote:

> I'm trying to understand what our current situation is and what our
> choices are around HTML templating systems and MediaWiki, so I'm gonna
> note what I think I understand so far in this mail and then would love
> for people to correct me. TL;DR - did we already consense on a
> templating system and I just missed it?
>
> Description: An HTML templates system (also known as a templating
> engine) lets you (the programmer) write something that looks more like a
> document than it looks like code, then has hooks/entry points/macro
> substitution points (for user input and whatnot) that then invoke code,
> then emits finished HTML for the browser to render.
>
> Examples: PHP itself is kinda a templating language. In the PHP world,
> Smarty is a somewhat more mature/old-school choice. Mustache.js is a
> popular modern choice. And in other languages, you'd pick a lot of the
> MVC frameworks that are popular, e.g. Django or Jinja in Python.
>
> Spectrum of approaches: One approach treats HTML as a string ("here's a
> bunch of bytes to interpolate"). From a security perspective, this is
> dangerously easy to have vulnerabilities in, because you just naively
> insert strings. Then on the other end of the spectrum, you have code
> that always keeps the document object model (DOM) in memory, so the
> programmer is abstractly manipulating that data model and passing around
> an object. Sure, it spits out HTML in the end, but inherent in the
> method for turning those objects into HTML is a sanitization step, so
> that's inherently more secure. There's some discussion at
> https://www.mediawiki.org/wiki/Parsoid/Round-trip_testing/Templates . I
> presume we want the latter, but that the former model is more performant?
>
> We talked about this stuff in
> https://www.mediawiki.org/wiki/Architecture_meetings/RFC_review_2014-02-21
> and
> https://www.mediawiki.org/wiki/Talk:Architecture_Summit_2014/HTML_templating#Wrap_up:_Next_steps
> . Based on that plus
> https://www.mediawiki.org/wiki/Architecture_Summit_2014/RFC_clusters#HTML_templating
> it seems like we are supposed to get consensus on which system(s) to
> use, and we kind of have four things we could choose:
>
> * oojs - https://www.mediawiki.org/wiki/OOjs_UI -- could use this
> toolkit with one of the template approaches below, or maybe this is
> enough by itself! Currently used inside VisualEditor and I am not sure
> whether any other MediaWiki extensions or teams are using it? This is a
> DOM-based templating system.
>
> Template approaches which are competing?:
> * MVC framework - Wikia has written their own templating library that
> Wikia uses (Nirvana). Owen Davis is talking about this tomorrow in the
> RFC review meeting.
> https://www.mediawiki.org/wiki/Requests_for_comment/MVC_framework
> * mustache.js stuff - Ryan Kaldari and Chris Steipp mentioned this I think?
> * Knockout-compatible implementation in Node.js & PHP
> https://www.mediawiki.org/wiki/Requests_for_comment/HTML_templating_library/KnockoutProposal#Longer-term_architecture
> and
> https://www.mediawiki.org/wiki/Requests_for_comment/HTML_templating_library/Knockoff_-_Tassembly
> , being worked on by Gabriel Wicke, Matt Walker, and others. DOM-based.
>
> There's also an OutputPage refactor suggested in
> https://www.mediawiki.org/wiki/Requests_for_comment/OutputPage_refactor
> that's part of the HTML Templating RFC Cluster
> https://www.mediawiki.org/wiki/Architecture_Summit_2014/RFC_clusters#HTML_templating
> .
>
> I guess my biggest question right now is whether I have all the big
> moving parts right in my summary above. Thanks.
>
> --
> Sumana Harihareswara
> Senior Technical Writer
> Wikimedia Foundation
>
> _______________________________________________
> Wikitech-l mailing list
> [email protected]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
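The escaping-by-default point made in the reply above, as an added example that is not code from the thread, from Handlebars or from Mustache: a minimal string-based renderer in which `{{x}}` HTML-escapes and `{{{x}}}` is the explicit raw opt-out, following the convention those engines use. The function names (`render`, `escapeHtml`, `lookup`, `demo`) and all sample values are constructed for illustration.

```javascript
// Added example: a tiny string-based template renderer whose DEFAULT
// interpolation HTML-escapes. Not the code of any real engine.

const ESCAPE_MAP = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '`': '&#x60;', '=': '&#x3D;',
};

// Escape every character that can break out of text or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`=]/g, (ch) => ESCAPE_MAP[ch]);
}

// Resolve a dotted path such as "user.name"; missing keys render as "".
function lookup(context, path) {
  const value = path.split('.').reduce(
    (obj, key) => (obj == null ? undefined : obj[key]), context);
  return value == null ? '' : value;
}

// One regex with two alternatives so the template is scanned in a single
// pass: text that an interpolation inserts is never re-scanned for {{...}}
// markers, so user data cannot smuggle in new template directives.
const TAG_RE = /\{\{\{\s*([\w.]+)\s*\}\}\}|\{\{\s*([\w.]+)\s*\}\}/g;

function render(template, context) {
  return template.replace(TAG_RE, (_, rawKey, escKey) =>
    rawKey !== undefined
      ? String(lookup(context, rawKey))        // {{{x}}}: explicit opt-out, raw
      : escapeHtml(lookup(context, escKey)));  // {{x}}: default, escaped
}

// Constructed sample data: an untrusted display name next to an HTML
// fragment that is assumed to have been sanitised before it got here.
function demo() {
  const context = {
    user: { name: '<script>x</script>&"{{user.name}}' },
    trustedHtml: '<b>ok</b>',
  };
  return render('<p>Hi {{user.name}}</p><div>{{{trustedHtml}}}</div>', context);
}

console.log(demo());
```

Escaping `"` and `'` is what keeps the default path safe inside quoted attribute values as well as in text, which is why anything user-controlled should only ever go through `{{x}}`; the triple-stash exists for markup that has already been sanitised elsewhere.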
