[英]Javascript Template Engines that work with Chrome's Content Security Policy
The Chrome API's Manifest version 2 has removed the ability to do unsafe-eval. Chrome API的清单版本2已删除了执行不安全评估的功能。 This means using the eval function or in general dynamically creating a function from text.
这意味着使用eval函数或通常从文本动态创建函数。
It seems like most if not all Javascript Templating Engines do this. 似乎大多数(如果不是所有Javascript模板引擎)都这样做。 I was using Jaml, but I tried several others like backbone.js (which really uses underscore.js's templating engine) with no luck.
我正在使用Jaml,但我尝试了其他几个像backbone.js(它真正使用了underscore.js的模板引擎)而没有运气。
This comment on the Chromium project seems to indicate that there are a great many libraries that suffer from this. 这篇关于Chromium项目的评论似乎表明,有很多图书馆都受此影响。
I think Angular.js has a CSP-safe mode, but Angular.js is really too big for what we need. 我认为Angular.js具有CSP安全模式,但Angular.js对于我们需要的东西来说实在太大了。 We just need a fairly basic templating engine and don't need models or controllers and such.
我们只需要一个相当基本的模板引擎,不需要模型或控制器等。 Does anyone know about any CSP-compatbility templating engines out there?
有谁知道任何CSP兼容性模板引擎吗?
The best solution to this problem is to pre-compile your templates before you deploy your extension. 解决此问题的最佳方法是在部署扩展程序之前预先编译模板。 Both handlebarsjs and eco offer pre-compilation as a feature.
handlebarsjs和eco都提供预编译作为功能。 I actually wrote a blog post that goes into more depth.
我实际上写了一篇更深入的博客文章 。
You should absolutely use precompilation as recommended by Mathew for medium and big templates. 对于中型和大型模板,您绝对应该按照Mathew的建议使用预编译。 For extremely small templates we are using this:
对于极小的模板,我们使用这个:
var template = function(message, data) {
if (typeof data === 'undefined') {
return _.partial(template, message);
} else {
return message.replace(/\{\{([^}]+)}}/g, function(s, match) {
var result = data;
_.each(match.trim().split('.'), function(propertyName) {
result = result[propertyName]
});
return _.escape(result);
});
}
};
var data = {
foo: 'Hello',
bar: { baz: 'world!' }
};
// print on-the-fly
template('{{foo}}, {{bar.baz}}' args); // -> 'Hello, world!'
// prepare template to invoke later
var pt = template('{{foo}}, {{bar.baz}}');
pt(args); // -> 'Hello, world!'
This implementation does not use eval, but it will require underscore. 此实现不使用eval,但它需要下划线。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.