Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Concise and fast javascript templating compatible with nodejs and other javascript environments
The 'dot' npm package is a fast and lightweight template engine in JavaScript. It allows you to create dynamic HTML templates with embedded JavaScript logic. It is known for its simplicity and performance, making it suitable for both client-side and server-side rendering.
Basic Template Rendering
This feature allows you to create a basic template and render it with dynamic data. The template string contains placeholders that are replaced with actual data when the template is rendered.
const doT = require('dot');
const template = doT.template('Hello, {{=it.name}}!');
const result = template({ name: 'World' });
console.log(result); // Output: Hello, World!
Conditional Rendering
This feature allows you to include conditional logic within your templates. The template string can contain conditional statements that control whether certain parts of the template are rendered.
const doT = require('dot');
const template = doT.template('{{? it.show }}Hello, {{=it.name}}!{{?}}');
const result = template({ show: true, name: 'World' });
console.log(result); // Output: Hello, World!
Looping
This feature allows you to loop over arrays within your templates. The template string can contain loop statements that iterate over arrays and render each item.
const doT = require('dot');
const template = doT.template('{{~it.items :item:index}}<li>{{=item}}</li>{{~}}');
const result = template({ items: ['Item 1', 'Item 2', 'Item 3'] });
console.log(result); // Output: <li>Item 1</li><li>Item 2</li><li>Item 3</li>
EJS (Embedded JavaScript) is a simple templating language that lets you generate HTML markup with plain JavaScript. It is similar to 'dot' in that it allows embedding JavaScript logic within templates, but EJS is more feature-rich and widely used.
Handlebars is a popular templating engine that provides a cleaner syntax for templates and includes features like partials and helpers. It is more powerful and flexible compared to 'dot', but also more complex.
Mustache is a logic-less templating engine that enforces a strict separation of logic and presentation. It is simpler and more restrictive compared to 'dot', making it easier to maintain but less flexible.
Created in search of the fastest and concise JavaScript templating function with emphasis on performance under V8 and nodejs. It shows great performance for both nodejs and browsers.
doT.js is fast, small and has no dependencies.
doT is a really solid piece of software engineering (I didn’t create it) that is rarely updated exactly for this reason.
It took me years to grasp how it works even though it’s only 140 lines of code - it looks like magic.
I used it in my other projects (e.g. ajv) as the smallest, the fastest and the most functional (all three!) templating engine ever made, that is particularly useful in all code generation scenarios where manipulating AST is an overkill.
It’s a race car of templating engines - doT lacks bells and whistles that other templating engines have, but it allows to achive more than any other, if you use it right (YMMV).
custom delimiters
runtime evaluation
runtime interpolation
compile-time evaluation
partials support
conditionals support
array iterators
encoding
control whitespace - strip or preserve
streaming friendly
use it as logic-less or with logic, it is up to you
http://olado.github.com/doT (todo: update docs with new features added in version 1.0.0)
{{##def.macro:param:
<div>{{=param.foo}}</div>
#}}
{{#def.macro:myvariable}}
var dots = require("dot").process({ path: "./views"});
This will compile .def, .dot, .jst files found under the specified path. Details
Basic usage:
var dots = require("dot").process({path: "./views"});
dots.mytemplate({foo:"hello world"});
The above snippet will: * Compile all templates in views folder (.dot, .def, .jst) * Place .js files compiled from .jst templates into the same folder These files can be used with require, i.e. require("./views/mytemplate") * Return an object with functions compiled from .dot templates as its properties * Render mytemplate template
./bin/dot-packer -s examples/views -d out/views
Many people are using doT with express. I added an example of the best way of doing it examples/express:
doU.js is here only so that legacy external tests do not break. Use doT.js.
doT.js with doT.templateSettings.append=false provides the same performance as doU.js.
doT allows arbitrary JavaScript code in templates, making it one of the most flexible and powerful templating engines. It means that doT security model assumes that you only use trusted templates and you don't use any user input as any part of the template, as otherwise it can lead to code injection.
It is strongly recommended to compile all templates to JS code as early as possible. Possible options:
Please report any found vulnerabilities to npm, not via issue tracker.
Laura Doktorova @olado
doT is licensed under the MIT License. (See LICENSE-DOT)
Thank you @KevinKirchner for the logo.
FAQs
Concise and fast javascript templating compatible with nodejs and other javascript environments
The npm package dot receives a total of 297,419 weekly downloads. As such, dot popularity was classified as popular.
We found that dot demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.