Let's remove the unneeded dependency and make it simpler. The example can be rewritten using setTimeout() or something simpler.

Template: hello {{name}}}}
[roughly] current error: Variable names cannot have "}}"
Desired error:

...hello {{name}}}}
               ^
Variable names cannot have "}}"

Maybe our syntax errors can even have an extra property indicating the position that the error happened.

Also support stdin like Mustache: https://github.com/janl/mustache.js/#command-line-tool

https://github.com/typicode/pkg-ok

micro mustache seems perfect but array iterations would be critical

Current behavior

The signature varies. Currently it's very similar to lodash but it doesn't have to be.

Expected behavior

Simpler functions are preferred.
The "get" function that gets the value of a ref string can still be called get()
The part that looks up the value using the path can be called lookup()
An important key here is to use the same options structure and pass it to the path so it won't dig too deep unnecessarily when parsing a path that is going to end up being longer than maxDepth

Tips and tricks

To put in the wiki or in the code

Security

Template compilation and interpolation is a resource consuming task.
The algorithms in most template engines (including regular expression matching) runs in synchronous mode and can block the event loop. Blocking the event loops can lead to:

• Janky UI in the frontend
• Inaccessible server on the backend

Use worker threads if you know that your templates are going to be large or contain too many paths.

Parsing the template can be particularly resource consuming (even for a light library like Micromustache). There are multiple options available to put a limit on how the template is parsed.

Multi-level processing

This one is very important because one of the main use cases (and its original reason for existence) for MicroMustache is internationalization and it's common for i18n templates to require multi-level interpolation. Demo a real use case with the i18n.js example.

Performance

Use paths like a.b.c instead of a['b']['c'] because it is much faster to parse.

If it is possible compile the template once and reuse the results.

due to the risk for DDoS put a limit on how long the var names can be.
A deeply nested very long var name can potentially DDoS the user's code.
Initially the limit can be 1000 characters which using the a.b.c.d... syntax can lead to a maximum depth of 500 lookups.

Current behavior

Hello {{name.a}} {{! throws
Hello {{name.a}} }}! doesn't. Neither does Hello }} {{name.a}}!

Expected behavior

Check the string before adding to the result array.

This video talks about the security risks and introduces DOMPurify.

Mustache.js has this feature but we need to have a comparison and elaborate why we went for an external solution.

https://blog.risingstack.com/writing-a-javascript-framework-sandboxed-code-evaluation/

https://nx-framework.com/

https://github.com/nx-js/compiler-util

Currently the resolver functions runs in the null context (this variable). Add an option (look for similar options in other libs) to set the context when running the resolver. It defaults to null rather than the context of the resolver class.

Current behavior

npm run docs generates the documentation while build:ts builds the TypeScript files and

Expected behavior

Update the script and wherever it is used (travis, documentation, etc.)

There shouldn't be any obligation for the view to be an object. Let it be a class or function as well. This may complicate the call since view and generalValueFn are both optional.

The synchronous render() method can occupy the event loop if the input is huge. We can't do much about it without adding lots of complexity or relying on Workers.
We could add a renderAsync() function that does the rendering work in chunks.
Also have a look at tokenization because that can block the event loop too.

I'd like to be able to use async functions in my custom resolver. How feasible/easy is it to add an async version of the render function?

E.g.,

async customResolver(varName, view) {
  return view[varName] || await lookUpVar(varName);
}
async bar() {
  await micromustache.renderAsync("{{foo}}", {}, customResolver);
}

Changing this behavior will break looking up properties from objects that are instantiated from classes:

class A { get z() { return 2}}
const b = new A
b.z // 2
b.hasOwnProperty('z') // false

Dealing with the __proto__ pollution vulnerability is outside the scope of this lib:

f = { foo: 'f' }
g = {__proto__: f, bar: 'g'}
g.foo // "f"
g.bar // "g"
g.__proto__ = { cux: 'c' }
g.cux // "c"
g.foo // undefined

Prior to v6, you could use ECMAScript Modules with Node and this package.

For some reason, there isn't the export for render in the current build. I am using this package inside a bigger project and this is the only time I've come across an error with a Node package.

The code I am trying to run:

import {render} from 'micromustache';
console.log("Hello, world!");

The result when running with node --es-module-specifier-resolution=node --experimental-modules index.mjs:

import {render} from 'micromustache';
        ^^^^^^
SyntaxError: The requested module 'micromustache' does not provide an export named 'render'
    at ModuleJob._instantiate (internal/modules/esm/module_job.js:91:21)
    at async ModuleJob.run (internal/modules/esm/module_job.js:106:20)
    at async Loader.import (internal/modules/esm/loader.js:132:24)
npm ERR! code ELIFECYCLE
npm ERR! errno 1
npm ERR! [email protected] start: `node --es-module-specifier-resolution=node --experimental-modules index.mjs`
npm ERR! Exit status 1
npm ERR!
npm ERR! Failed at the [email protected] start script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.

Sample repro: https://github.com/gda-gp/micromustache-demo

https://github.com/addyosmani/mustache-for-chromeapps

Current behaviour

The renderFn() and renderFnAsync() seem to be mainly underused if I am to trust Github search.
This feature is one of the killer features of micromustache, so let's rethink how to make it more intuitive.

Expected behavior

Add the possibility to process paths before and after they are resolved using get(). This can allow HTML escaping for example. Also see #50

The code (and its usage) will be simpler if we have some steps for resolving and allow hooks to be implemented to modify the default behaviour:

1. before the path is parsed
2. after the path has turned into a ref but before that ref is resolved from the scope
3. after the value is resolved from the scope and before it is being interpolated

At each step, a hook can modify its input, throw, or cancel the rest of the chain

Also it should be possible to disable a step (say get() for example)

That way we can have only two methods: render() and renderAsync() and the hooks can be passed as options.

http://jmespath.org/

Current behavior

Have a template like {{person.name}} and give maxVarNameLength=11 as an option.
It'll throw saying "SyntaxError: The variable name is longer than expected. Max: 11, Got: 11"

Expected behavior

It shouldn't be an error.
Also the correct error type for this kind of error is RangeError not SyntaxError.

Current behavior

There aren't many, but they are scattered. And one is duplicated.

Expected behavior

Make a new config file and freeze the config object to make it immutable.

https://github.com/userpixel/micromustache#example

var person = {
  first: 'Michael',
  last: 'Jackson'
};
micromustache.render('Search for {{first}} {{ last }} songs!', person);
// output = "Search Michael Jackson popcorn!"

Doesn't output = "Search for Michael Jackson songs!" ?

Current behavior

Template: {{ndd}}
options.tags: ['{', '}}']
options.maxVarNameLength: 4
Error: SyntaxError: The variable name is longer than expected. Max: 4, Got: 4

Technically what's happenning is that due to a different open tag, we are seeing {ndd as a variable name. But the error doesn't give a clear picture of what's going on.

Expected behavior

Let's improve the DX and show the variable name in the error as well.

Current behavior

The following variables are invalid javascript paths but the tokenizer lets them through (even with { validateVarNames: true }):

• {{name[a].}} is a valid path
• {{name,}}
• {{name;}}

(they are considered prop names like xxx['name,'])

Expected behavior

Go with POLA.

This issue is an ongoing work and will be completed as I find time to investigate more

This activity assesses the risks of identified threats and deviations in system behavior.

Vulnerabilities

The weaknesses that may be exploited by a threat to create loss.

1. Low performance (eg. hurting response time when used in server code or time to first meaningful paint when used browser side)
2. Out of memory error
3. Crash the application
4. Run unwanted code (if the adversary finds a way to hack/modify the render functions)
5. Access information from outside the scope
6. Change/override the behavior of the lib to affect the rest of the user code.

Threats

1. Malicious templates (including variable names)
2. Malicious resolver functions (developer or third party software)
3. Malicious options that may lead to vulnerability (developer)

Attack vectors

1. The template
2. The scope object
3. The variable values (when using resolve() or get())
4. The resolveFn() and resolveFnAsync() functions

Current behavior

This line:

${propName} is not defined in the scope (${String(scope)}) at path: "${propNamesAsStr()}"}

Expected behavior

This error should not end in }
Also, since scope is an object most of the times, there's no point just printing it.

https://github.com/addyosmani/mustache-for-chromeapps

it's a build of mustache for CSP environments.

Hey @userpixel,

Kudos for making an awesome library while focusing on security! I really appreciate it! 🏆

Are you considering implementing the ability to apply custom functions to just specific elements from the scope? eg.

Apply truncate function to just 1st and 3rd element and not the 2nd one?

const template = "My name is {{ truncate name }}, I am {{ age }} old. I come from {{ truncate country }}.

Also, are you considering adding support for custom arguments to be passed to function? eg. in the mentioned case {{ truncate name 3 }}, so 3 could be passed to the function definition?

Thanks ❤️ and keep up the awesome work!

Current behavior

Too many "render" functions. It's a bit confusing to have a class named "Renderer" as well.

Expected behavior

In compiler lingo, the task of this class is done in "generation" step. So let's call it Generator.

Current behavior

{{!varName}} leads to syntax error.

Expected behavior

Support comments per mustache spec.

ref

With lots of real world use cases and make sure that the API supports an intuitive and easy solution for them.
The examples should somehow run in the standard unit tests as well.

You can use the renderFn() to validate varNames and then render() to do the quick render.
also you can set that flag upon compilation that validates the names (or set it to false to let you do it)

Current behavior

After converting tests from Mocha to Jest, this awesome feature of Jest is underused.

Expected behavior

The code looks better with this easy refactoring.

Current behavior

If the value is an object or array, [object Object] will be put into the template. This might not be very helpful for debugging (and sometimes this is exactly what you would want, which forces you to write a transformation).

Expected behavior

Add an option like stringifyObjectValues or equivalent in the stringify options and let it put a nicer presentation of objects in the output.

Out of scope

One may want to give special treatment to arrays or set the indentation as well but I'm not aware of any strong use case so let's not add that now.

or at least specify how to make such a middleware so that the community can contribute.

Current behavior

Doesn't look super good on mobile browsers

Expected behavior

Use some responsible design to make it more usable on the phone

Current behavior

We count the lines of code from src which is a bit misleading because that's not exactly what is distributed and matters.

Expected behavior

Count the lines of the dist folder. As a bonus 360+ SLOC of TS leads to 230~ SLOC of ES6!

"sloc": "npm run build:ts && sloc dist -e .*spec.* -k source --format cli-table",

Current behavior

We test the happy scenario where the path exists in the scope and contains a value

Expected behavior

Test how long it takes when the path refers to non-existing values

Current behavior

The two perf scripts are similar but don't share code.

Expected behavior

Put the common code in a file and let the two scripts be:

• against mustachejs
• render vs compile

this variable to the Resolver the way they are run. This allows modifying it using a user provided resolver function.

Current behavior

We have added a bunch of security-related boundries and checks but they are not super obvious although they are the main reason this library should be used (which also has had performance costs, so they are important)

Expected behavior

List all the security features in one section in the main readme. Give it focus and dominance.

Current behavior

So far it's decided that v9 is going to have two functions for getting (one for Ref and one for Path).

Expected behavior

Let's call them pathGet and refGet and have the path or ref as their first argument. It's good to have their signature like the render* functions.

Current behavior

We have a bit of redundancy there.

Expected behavior

Now that a full featured JTY lib is created, let's keep the utils to bare minimum to have smaller and faster code.