[ANN] Xslate template engine for golang

Daisuke Maki

Mar 27, 2014, 10:47:26 AM
to golan...@googlegroups.com
Hi Gophers!

I'm currently developing a Go port of Text::Xslate (http://xslate.org), which is an extremely fast and flexible template engine originally for Perl5. In recent days my Go port has been coming to a point where it's starting to be /almost/ usable -- and I've already pushed it to some small production system, and now with some prodding from my friend, I decided to share it here.

The source code can be found on github: https://github.com/lestrrat/go-xslate
Godoc is here: http://godoc.org/github.com/lestrrat/go-xslate

Some notable features:
1) fast! http://twitter.com/lestrrat/status/449190560184541185.
2) Implemented based on a VM/ByteCode scheme. Once templates are compiled into ByteCode, it can be reused, which is part of the reason why it's fast.
3) You do not need to pre-compile templates. Xslate can go and look for templates on the filesystem (if you write code for it, you can fetch it from the database). Templates are checked for freshness, so you can safely expect Xslate to show you the latest template when you update them on disk.
4) Flexible template language: Currently it supports a subset of TTerse syntax (https://metacpan.org/pod/Text::Xslate::Syntax::TTerse). Notably MACRO/BLOCK and most of the virtual methods are not implemented yet, but the stuff that most simple templates require is already there. Please refer to this wiki page for what syntax is supported: https://github.com/lestrrat/go-xslate/wiki/Supported-Syntax-(TTerse)

ATM the error reporting is pretty much non-existent (I intend to fix it soon-ish), so this is not for the faint of heart yet. But if you have dabbled with Template-Toolkit and/or Text::Xslate before, this may be of interest to you.

Any feedback, encouragement, pullreqs are much, much, much appreciated.

Regards,
--d

egon

Mar 27, 2014, 11:05:48 AM
to golan...@googlegroups.com, dai...@endeworks.jp


On Thursday, March 27, 2014 4:47:26 PM UTC+2, Daisuke Maki wrote:
Hi Gophers!

I'm currently developing a Go port of Text::Xslate (http://xslate.org), which is an extremely fast and flexible template engine originally for Perl5. In recent days my Go port has been coming to a point where it's starting to be /almost/ usable -- and I've already pushed it to some small production system, and now with some prodding from my friend, I decided to share it here.

What is the target audience?

If HTML, how is security handled? If it's not handled in any way add a note so that people know to take that into account... (see http://js-quasis-libraries-and-repl.googlecode.com/svn/trunk/safetemplate.html#problem_definition)
 
The source code can be found on github: https://github.com/lestrrat/go-xslate
Godoc is here: http://godoc.org/github.com/lestrrat/go-xslate

Compare with text/template, it's more appropriate.

Daisuke Maki

Mar 27, 2014, 11:12:33 AM
to egon, golan...@googlegroups.com
2014-03-28 0:05 GMT+09:00 egon <egon...@gmail.com>:


On Thursday, March 27, 2014 4:47:26 PM UTC+2, Daisuke Maki wrote:
Hi Gophers!

I'm currently developing a Go port of Text::Xslate (http://xslate.org), which is an extremely fast and flexible template engine originally for Perl5. In recent days my Go port has been coming to a point where it's starting to be /almost/ usable -- and I've already pushed it to some small production system, and now with some prodding from my friend, I decided to share it here.

What is the target audience?

It's a port of Text::Xslate, so... users who want to use Text::Xslate, mostly web-app type of stuff.
 

If HTML, how is security handled? If it's not handled in any way add a note so that people know to take that into account... (see http://js-quasis-libraries-and-repl.googlecode.com/svn/trunk/safetemplate.html#problem_definition)

I assume you're talking about escaping HTML and the like? It's automatically HTML-escaped (currently, there's no way to configure it NOT to do that, but I will eventually get to implementing it).
 
 
The source code can be found on github: https://github.com/lestrrat/go-xslate
Godoc is here: http://godoc.org/github.com/lestrrat/go-xslate

Compare with text/template, it's more appropriate.

Again, html/template should be fine, as Xslate does auto-html escaping.


--d

egon

Mar 27, 2014, 11:45:58 AM
to golan...@googlegroups.com, egon, dai...@endeworks.jp


On Thursday, March 27, 2014 5:12:33 PM UTC+2, Daisuke Maki wrote:



2014-03-28 0:05 GMT+09:00 egon <egon...@gmail.com>:


On Thursday, March 27, 2014 4:47:26 PM UTC+2, Daisuke Maki wrote:
Hi Gophers!

I'm currently developing a Go port of Text::Xslate (http://xslate.org), which is an extremely fast and flexible template engine originally for Perl5. In recent days my Go port has been coming to a point where it's starting to be /almost/ usable -- and I've already pushed it to some small production system, and now with some prodding from my friend, I decided to share it here.

What is the target audience?

It's a port of Text::Xslate, so... users who want to use Text::Xslate, mostly web-app type of stuff.
 

If HTML, how is security handled? If it's not handled in any way add a note so that people know to take that into account... (see http://js-quasis-libraries-and-repl.googlecode.com/svn/trunk/safetemplate.html#problem_definition)

I assume you're talking about escaping HTML and the like?

Yes.
 
It's automatically HTML-escaped (currently, there's no way to configure it NOT to do that, but I will eventually get to implementing it).


Did some quick research and it looks like it does non-contextual auto-sanitization? Based on the http://search.cpan.org/~gfuji/Text-Xslate-3.1.2/lib/Text/Xslate.pm#Smart_escaping_for_HTML_metacharacters description.

See this simple example how html/template sanitization varies depending on the context http://play.golang.org/p/DSAZ1z5w2n

 
 
The source code can be found on github: https://github.com/lestrrat/go-xslate
Godoc is here: http://godoc.org/github.com/lestrrat/go-xslate

Compare with text/template, it's more appropriate.

Again, html/template should be fine, as Xslate does auto-html escaping.

Not all escaping methods are equal.
 


--d

Daisuke Maki

Mar 27, 2014, 12:26:22 PM
to egon, golan...@googlegroups.com
My apologies. I sent this off-list, so resending.
 
See this simple example how html/template sanitization varies depending on the context http://play.golang.org/p/DSAZ1z5w2n

Yes, I know Xslate isn't that. But html/template or other context-sensitive sanitizing approach isn't what I want either.
Especially, if it did context-sensitive sanitization, then it wouldn't be a port of Text::Xslate.
I wanted a port of Text::Xslate. We have tons of templates written in this code, and I was thinking there may be others in my shoes. Hence I wrote:

> But if you have dabbled with Template-Toolkit and/or Text::Xslate before, this may be of interest to you.

Anyway, thank you for your comments!
I'll make sure to note that people who prefer context-sensitive sanitizing shouldn't be using Xslate.

egon

Mar 27, 2014, 12:37:09 PM
to golan...@googlegroups.com, egon, dai...@endeworks.jp


On Thursday, March 27, 2014 6:26:22 PM UTC+2, Daisuke Maki wrote:
My apologies. I sent this off-list, so resending.
 
See this simple example how html/template sanitization varies depending on the context http://play.golang.org/p/DSAZ1z5w2n

Yes, I know Xslate isn't that. But html/template or other context-sensitive sanitizing approach isn't what I want either.

Sure, no problem with that.
 
Especially, if it did context-sensitive sanitization, then it wouldn't be a port of Text::Xslate.
I wanted a port of Text::Xslate. We have tons of templates written in this code, and I was thinking there may be others in my shoes. Hence I wrote:

> But if you have dabbled with Template-Toolkit and/or Text::Xslate before, this may be of interest to you. 

Anyway, thank you for your comments!
I'll make sure to note that people who prefer context-sensitive sanitizing shouldn't be using Xslate.

Nah, it was more of a documentation issue... templating packages should always explain how security should be handled with it, otherwise people either may expect it to do more than it does... and hence get into security vulnerabilities. Like information how to use it with script tags, class names, etc... when/how to use mark_raw safely...

... also the comparison wasn't completely fair with html/template. :)
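
Added example, not part of the thread and not go-xslate's code: the difference between contextual and non-contextual auto-escaping discussed above, shown by rendering one template with Go's html/template and with a single HTML-entity escape applied to every value. `NonContextual`, the template and the sample values are constructed for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"html"
	"html/template"
	"strings"
)

// One template, three contexts: HTML text, a URL attribute, a JS string.
const page = `<p>{{.Name}}</p>
<a href="{{.Link}}">profile</a>
<script>var name = "{{.Name}}";</script>`

// Data holds constructed sample input.
type Data struct{ Name, Link string }

// Contextual renders with html/template, which picks an escaper per context.
func Contextual(d Data) (string, error) {
	t, err := template.New("page").Parse(page)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err = t.Execute(&buf, d)
	return buf.String(), err
}

// NonContextual models an engine that applies the same HTML-entity escape
// to every value wherever it lands (a hypothetical stand-in for illustration).
func NonContextual(d Data) string {
	r := strings.NewReplacer(
		"{{.Name}}", html.EscapeString(d.Name),
		"{{.Link}}", html.EscapeString(d.Link),
	)
	return r.Replace(page)
}

func main() {
	d := Data{Name: "Tom & Jerry", Link: "javascript:void(0)"}
	ctx, err := Contextual(d)
	if err != nil {
		panic(err)
	}
	fmt.Println("contextual:\n" + ctx)
	fmt.Println("\nnon-contextual:\n" + NonContextual(d))
}
```

In the non-contextual output the `javascript:` URL reaches the `href` unchanged and the script string holds the literal text `&amp;`, because a `<script>` body is not entity-decoded; html/template substitutes `#ZgotmplZ` for the URL and applies a JS string escape inside the script.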
