Node.js Express.js | Automatically render handlebar templates from views/static folder

I have got the following code to automatically load my handlebar templates from the views/static folder without having to manually set up a route for each page.

app.get("/:template", function(req,res){
    var template = req.params.template; // Is this safe?
    res.render("static/" + template, function(err, html) {
        if (err) {
            res.send(404, 'Sorry cant find that!');
        } else {
            res.send(html);
        }
    });
});

It works fine, however I am worried that this potentially exposes my app to security problems. Any suggestions how I could do this better? I am using Express. Thanks so much for your help.

I think it's pretty safe.

Usually, you have to worry about paths being passed that contain stuff like ../ (to go back a directory level), but those won't match your route. Also, the route you declare will stop matching at a /, so requests like /foo/../bar won't match either.

An issue that may occur is when the static directory contains files that you don't want to expose: a request for /secret.js will at least try to render a file called static/secret.js.
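
An added example, not part of the original question or answer: one way to deal with the unwanted-file concern raised above is to render only names found in an allowlist built from the views/static directory at startup. The helper names buildAllowlist and resolveView, the .hbs extension and the sample file names are assumptions made for this sketch.

```javascript
const fs = require("fs");
const os = require("os");
const path = require("path");

// Build the set of page names once at startup: only *.hbs files that sit
// directly in views/static, so secret.js or nested files are never renderable.
function buildAllowlist(staticDir, ext = ".hbs") {
  const names = new Set();
  for (const entry of fs.readdirSync(staticDir, { withFileTypes: true })) {
    if (entry.isFile() && path.extname(entry.name) === ext) {
      names.add(path.basename(entry.name, ext));
    }
  }
  return names;
}

// Map a request parameter to a view name, or null meaning "send 404".
// Express URL-decodes route params, so validate the decoded value here
// instead of relying on the route pattern to keep separators out.
function resolveView(allowlist, param) {
  if (typeof param !== "string" || !/^[A-Za-z0-9_-]+$/.test(param)) return null;
  return allowlist.has(param) ? "static/" + param : null;
}

// Constructed sample directory standing in for views/static.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "views-static-"));
  for (const f of ["about.hbs", "contact.hbs", "secret.js"]) {
    fs.writeFileSync(path.join(dir, f), "");
  }
  const allow = buildAllowlist(dir);
  const params = ["about", "secret.js", "secret", "../layout", "missing"];
  const results = params.map((p) => [p, resolveView(allow, p)]);
  fs.rmSync(dir, { recursive: true, force: true });
  return results;
}

// Route wiring (assumes an Express `app` and an `allowlist` built at startup):
// app.get("/:template", (req, res) => {
//   const view = resolveView(allowlist, req.params.template);
//   if (!view) return res.status(404).send("Sorry, can't find that!");
//   res.render(view);
// });
```

Because the allowlist is read once, templates added while the app is running are not served until it is rebuilt.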
