template.js 3.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103
  1. var defaults = require('./defaults.js');
  2. var underscore = require('./underscore.js');
  3. require('./templateSettings.js');
  4. // When customizing `_.templateSettings`, if you don't want to define an
  5. // interpolation, evaluation or escaping regex, we need one that is
  6. // guaranteed not to match.
  7. var noMatch = /(.)^/;
  8. // Certain characters need to be escaped so that they can be put into a
  9. // string literal.
  10. var escapes = {
  11. "'": "'",
  12. '\\': '\\',
  13. '\r': 'r',
  14. '\n': 'n',
  15. '\u2028': 'u2028',
  16. '\u2029': 'u2029'
  17. };
  18. var escapeRegExp = /\\|'|\r|\n|\u2028|\u2029/g;
  19. function escapeChar(match) {
  20. return '\\' + escapes[match];
  21. }
  22. // In order to prevent third-party code injection through
  23. // `_.templateSettings.variable`, we test it against the following regular
  24. // expression. It is intentionally a bit more liberal than just matching valid
  25. // identifiers, but still prevents possible loopholes through defaults or
  26. // destructuring assignment.
  27. var bareIdentifier = /^\s*(\w|\$)+\s*$/;
  28. // JavaScript micro-templating, similar to John Resig's implementation.
  29. // Underscore templating handles arbitrary delimiters, preserves whitespace,
  30. // and correctly escapes quotes within interpolated code.
  31. // NB: `oldSettings` only exists for backwards compatibility.
  32. function template(text, settings, oldSettings) {
  33. if (!settings && oldSettings) settings = oldSettings;
  34. settings = defaults({}, settings, underscore.templateSettings);
  35. // Combine delimiters into one regular expression via alternation.
  36. var matcher = RegExp([
  37. (settings.escape || noMatch).source,
  38. (settings.interpolate || noMatch).source,
  39. (settings.evaluate || noMatch).source
  40. ].join('|') + '|$', 'g');
  41. // Compile the template source, escaping string literals appropriately.
  42. var index = 0;
  43. var source = "__p+='";
  44. text.replace(matcher, function(match, escape, interpolate, evaluate, offset) {
  45. source += text.slice(index, offset).replace(escapeRegExp, escapeChar);
  46. index = offset + match.length;
  47. if (escape) {
  48. source += "'+\n((__t=(" + escape + "))==null?'':_.escape(__t))+\n'";
  49. } else if (interpolate) {
  50. source += "'+\n((__t=(" + interpolate + "))==null?'':__t)+\n'";
  51. } else if (evaluate) {
  52. source += "';\n" + evaluate + "\n__p+='";
  53. }
  54. // Adobe VMs need the match returned to produce the correct offset.
  55. return match;
  56. });
  57. source += "';\n";
  58. var argument = settings.variable;
  59. if (argument) {
  60. // Insure against third-party code injection. (CVE-2021-23358)
  61. if (!bareIdentifier.test(argument)) throw new Error(
  62. 'variable is not a bare identifier: ' + argument
  63. );
  64. } else {
  65. // If a variable is not specified, place data values in local scope.
  66. source = 'with(obj||{}){\n' + source + '}\n';
  67. argument = 'obj';
  68. }
  69. source = "var __t,__p='',__j=Array.prototype.join," +
  70. "print=function(){__p+=__j.call(arguments,'');};\n" +
  71. source + 'return __p;\n';
  72. var render;
  73. try {
  74. render = new Function(argument, '_', source);
  75. } catch (e) {
  76. e.source = source;
  77. throw e;
  78. }
  79. var template = function(data) {
  80. return render.call(this, data, underscore);
  81. };
  82. // Provide the compiled source as a convenience for precompilation.
  83. template.source = 'function(' + argument + '){\n' + source + '}';
  84. return template;
  85. }
  86. module.exports = template;