1. 2

I know all the advice on the internets says that you shouldn’t develop yet another web templating language, but I haven’t found anything that matches my requirements as the author of an (open source) scriptable web app which provides plugins with a web app framework.

I have a particular thing about security, so my primary goal is to create a language in which it’s hard or impossible to make any of the common security mistakes, such as XSS. Or rather, make the easy way of doing things the secure way of doing things.

I’ve written a prototype, and would be very grateful for any thoughts on where I’m going. There are some unanswered questions, particularly around how URLs are generated with all their peculiar requirements.

Longer description in the repo README.

Thank you!


  2. 2

    Haven’t cloned / run it yet because my PC is busy on other tasks, but I have a question: does this parse and validate the HTML as well as your DSL?

    Because otherwise your statements about not being able to generate invalid HTML are false.

    1. 3

      Yes. The HTML elements are considered part of the language itself, so are validated as part of the parsing step. Nothing in the language is blindly copied to the output, except for literal strings. (and I have just added “check literal strings for the user sneaking in HTML” to my TODO list)

      The aim is to be very strict on everything that affects security, and fairly relaxed on everything else. So, your HTML elements have to be well formed, but whether you have matching close elements is your business. Although I’ll probably catch that in an optional linter.

      I’m probably also going to prevent inline JavaScript in the templates, both by preventing onX attributes and

      I look forward to seeing what you think when you get a moment. Thanks!
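The parse-time rules described in the reply above, sketched as an added example that is not code from the project or its author. The toy syntax (a sequence of HTML tags and double-quoted literal strings) and the name `check_template` are assumptions made for illustration.

```python
import re

# Hypothetical toy grammar (an assumption, not the project's real syntax):
# a template is a sequence of HTML tags and double-quoted literal strings.
ATTR = r'[a-zA-Z][a-zA-Z0-9-]*="[^"<>]*"'
TAG = re.compile(r'<(/?)([a-zA-Z][a-zA-Z0-9]*)((?:\s+' + ATTR + r')*)\s*>')
ATTR_PARTS = re.compile(r'([a-zA-Z][a-zA-Z0-9-]*)="([^"<>]*)"')
LITERAL = re.compile(r'"([^"]*)"')

def check_template(src):
    """Return a list of (offset, message) errors; an empty list means accepted."""
    errors, pos = [], 0
    while pos < len(src):
        if src[pos].isspace():
            pos += 1
            continue
        m = TAG.match(src, pos)
        if m:
            name, attrs = m.group(2).lower(), m.group(3)
            # Strict on security: onX attributes are inline JavaScript.
            for attr, _value in ATTR_PARTS.findall(attrs):
                if attr.lower().startswith("on"):
                    errors.append((m.start(), f"inline event handler '{attr}' on <{name}>"))
            # Relaxed elsewhere: open/close tags are not matched up here.
            pos = m.end()
            continue
        m = LITERAL.match(src, pos)
        if m:
            # Literals are the only text copied to the output, so markup
            # hidden inside one would bypass element validation.
            if "<" in m.group(1) or ">" in m.group(1):
                errors.append((m.start(), "literal string contains markup"))
            pos = m.end()
            continue
        # Anything else is not part of the language: reject, never copy through.
        errors.append((pos, "malformed element or stray text"))
        break
    return errors

if __name__ == "__main__":
    # Constructed sample templates.
    for sample in ('<div class="box"> "Hello" </p>',
                   '<a href="/x" onclick="go()">',
                   '<div class=box>',
                   '"<b>bold</b>"'):
        print(repr(sample), "->", check_template(sample))
```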