Node.js Express.js | Automatically render handlebar templates from views/static folder
I have got the following code to automatically load my handlebar templates from the views/static folder without having to manually set up a route for each page.
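    // Catch-all route: render views/static/<template> for any single path segment
    app.get("/:template", function (req, res) {
        var template = req.params.template; // Is this safe?
        res.render("static/" + template, function (err, html) {
            if (err) {
                // res.status().send() replaces the deprecated res.send(status, body) form
                res.status(404).send('Sorry cant find that!');
            } else {
                res.send(html);
            }
        });
    });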
It works fine, however I am worried that this potentially exposes my app to security problems. Any suggestions how I could do this better? I am using Express. Thanks so much for your help.

I think it's pretty safe. Usually, you have to worry about paths being passed that contain stuff like ../ (to go back a directory level), but those won't match your route. Also, the route you declare will stop matching at a /, so requests like /foo/../bar won't match either.

An issue that may occur is when the static directory contains files that you don't want to expose: a request for /secret.js will at least try to render a file called static/secret.js.
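
One way to close the exposure described in the answer above is to render only names that appear in an allowlist built from the directory listing. This is an added example, not code from the original question or answer. It assumes templates end in .hbs, and the helper names (buildAllowlist, makeHandler, simulate) and the file listing are constructed for illustration.

```javascript
// Build the set of renderable names from a directory listing, i.e. what
// fs.readdirSync("views/static") would return. Assumption: templates use .hbs.
function buildAllowlist(files) {
  const allowed = new Set();
  for (const file of files) {
    // Accept only plain template files; skips secret.js, dotfiles and
    // "_"-prefixed partials/layouts.
    const m = /^([a-z0-9][a-z0-9_-]*)\.hbs$/i.exec(file);
    if (m) allowed.add(m[1]);
  }
  return allowed;
}

// Route handler for app.get("/:template", ...): unknown names never reach res.render().
function makeHandler(allowed) {
  return function (req, res) {
    const name = req.params.template;
    if (!allowed.has(name)) {
      return res.status(404).send("Sorry cant find that!");
    }
    res.render("static/" + name, function (err, html) {
      if (err) return res.status(500).send("Template error");
      res.send(html);
    });
  };
}

// Minimal stand-in for Express req/res so the handler can be exercised offline.
function simulate(handler, template) {
  const out = { status: 200, body: null, view: null };
  const res = {
    status(code) { out.status = code; return res; },
    send(body) { out.body = body; return res; },
    render(view, cb) { out.view = view; cb(null, "<h1>" + view + "</h1>"); },
  };
  handler({ params: { template } }, res);
  return out;
}

// Constructed sample listing of views/static.
const listing = ["about.hbs", "faq.hbs", "secret.js", ".env", "_layout.hbs"];
const handler = makeHandler(buildAllowlist(listing));

console.log(simulate(handler, "about"));     // rendered as static/about
console.log(simulate(handler, "secret.js")); // 404, render never called
```

In a real app the listing would be read once at startup and the handler registered with app.get("/:template", handler).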