Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
The mustache npm package is a template engine that uses tags to replace variables in a template string with actual values. It is often used for generating HTML, configuration files, or any other text-based formats in a clean and maintainable way. Mustache is logic-less because it does not have any explicit control flow statements, like if or loop constructs; instead, it relies on the presence or absence of data to control the flow of the document.
Variable substitution
Substitutes the {{name}} tag with the actual name provided in the data object.
"Hello, {{name}}!"
Section rendering
Renders the section only if the 'logged_in' data property is truthy.
"{{#logged_in}}Welcome, {{user}}!{{/logged_in}}"
Inverted sections
Renders the section only if the 'logged_in' data property is falsy.
"{{^logged_in}}Please log in.{{/logged_in}}"
Comment
Includes a comment in the template that will not be included in the output.
"Today{{! ignore me }} is a sunny day."
Partial views
Includes a partial template named 'user_info' into the current template.
"{{> user_info}}"
Handlebars is an extension of Mustache that adds support for more complex expressions like helpers and block expressions. It is more feature-rich but also more complex.
EJS, or Embedded JavaScript templates, allows for more traditional JavaScript code within templates. It is more flexible but can be less maintainable due to the potential for complex logic in templates.
Formerly known as Jade, Pug is a high-performance template engine heavily influenced by Haml and implemented with JavaScript for Node.js and browsers. It has a different syntax that some may find cleaner and more readable.
What could be more logical awesome than no logic at all?
mustache.js is a zero-dependency implementation of the mustache template system in JavaScript.
Mustache is a logic-less template syntax. It can be used for HTML, config files, source code - anything. It works by expanding tags in a template using values provided in a hash or object.
We call it "logic-less" because there are no if statements, else clauses, or for loops. Instead there are only tags. Some tags are replaced with a value, some nothing, and others a series of values.
For a language-agnostic overview of mustache's template syntax, see the mustache(5)
manpage.
You can use mustache.js to render mustache templates anywhere you can use JavaScript. This includes web browsers, server-side environments such as Node.js, and CouchDB views.
mustache.js ships with support for the CommonJS module API, the Asynchronous Module Definition API (AMD) and ECMAScript modules.
In addition to being a package to be used programmatically, you can use it as a command line tool.
And this will be your templates after you use Mustache:
You can get Mustache via npm.
$ npm install mustache --save
Below is a quick example how to use mustache.js:
var view = {
title: "Joe",
calc: function () {
return 2 + 4;
}
};
var output = Mustache.render("{{title}} spends {{calc}}", view);
In this example, the Mustache.render
function takes two parameters: 1) the mustache template and 2) a view
object that contains the data and code needed to render the template.
A mustache template is a string that contains any number of mustache tags. Tags are indicated by the double mustaches that surround them. {{person}}
is a tag, as is {{#person}}
. In both examples we refer to person
as the tag's key. There are several types of tags available in mustache.js, described below.
There are several techniques that can be used to load templates and hand them to mustache.js, here are two of them:
If you need a template for a dynamic part in a static website, you can consider including the template in the static HTML file to avoid loading templates separately. Here's a small example:
// file: render.js
function renderHello() {
var template = document.getElementById('template').innerHTML;
var rendered = Mustache.render(template, { name: 'Luke' });
document.getElementById('target').innerHTML = rendered;
}
<html>
<body onload="renderHello()">
<div id="target">Loading...</div>
<script id="template" type="x-tmpl-mustache">
Hello {{ name }}!
</script>
<script src="https://unpkg.com/mustache@latest"></script>
<script src="render.js"></script>
</body>
</html>
If your templates reside in individual files, you can load them asynchronously and render them when they arrive. Another example using fetch:
function renderHello() {
fetch('template.mustache')
.then((response) => response.text())
.then((template) => {
var rendered = Mustache.render(template, { name: 'Luke' });
document.getElementById('target').innerHTML = rendered;
});
}
The most basic tag type is a simple variable. A {{name}}
tag renders the value of the name
key in the current context. If there is no such key, nothing is rendered.
All variables are HTML-escaped by default. If you want to render unescaped HTML, use the triple mustache: {{{name}}}
. You can also use &
to unescape a variable.
If you'd like to change HTML-escaping behavior globally (for example, to template non-HTML formats), you can override Mustache's escape function. For example, to disable all escaping: Mustache.escape = function(text) {return text;};
.
If you want {{name}}
not to be interpreted as a mustache tag, but rather to appear exactly as {{name}}
in the output, you must change and then restore the default delimiter. See the Custom Delimiters section for more information.
View:
{
"name": "Chris",
"company": "<b>GitHub</b>"
}
Template:
* {{name}}
* {{age}}
* {{company}}
* {{{company}}}
* {{&company}}
{{=<% %>=}}
* {{company}}
<%={{ }}=%>
Output:
* Chris
*
* <b>GitHub</b>
* <b>GitHub</b>
* <b>GitHub</b>
* {{company}}
JavaScript's dot notation may be used to access keys that are properties of objects in a view.
View:
{
"name": {
"first": "Michael",
"last": "Jackson"
},
"age": "RIP"
}
Template:
* {{name.first}} {{name.last}}
* {{age}}
Output:
* Michael Jackson
* RIP
Sections render blocks of text zero or more times, depending on the value of the key in the current context.
A section begins with a pound and ends with a slash. That is, {{#person}}
begins a person
section, while {{/person}}
ends it. The text between the two tags is referred to as that section's "block".
The behavior of the section is determined by the value of the key.
If the person
key does not exist, or exists and has a value of null
, undefined
, false
, 0
, or NaN
, or is an empty string or an empty list, the block will not be rendered.
View:
{
"person": false
}
Template:
Shown.
{{#person}}
Never shown!
{{/person}}
Output:
Shown.
If the person
key exists and is not null
, undefined
, or false
, and is not an empty list the block will be rendered one or more times.
When the value is a list, the block is rendered once for each item in the list. The context of the block is set to the current item in the list for each iteration. In this way we can loop over collections.
View:
{
"stooges": [
{ "name": "Moe" },
{ "name": "Larry" },
{ "name": "Curly" }
]
}
Template:
{{#stooges}}
<b>{{name}}</b>
{{/stooges}}
Output:
<b>Moe</b>
<b>Larry</b>
<b>Curly</b>
When looping over an array of strings, a .
can be used to refer to the current item in the list.
View:
{
"musketeers": ["Athos", "Aramis", "Porthos", "D'Artagnan"]
}
Template:
{{#musketeers}}
* {{.}}
{{/musketeers}}
Output:
* Athos
* Aramis
* Porthos
* D'Artagnan
If the value of a section variable is a function, it will be called in the context of the current item in the list on each iteration.
View:
{
"beatles": [
{ "firstName": "John", "lastName": "Lennon" },
{ "firstName": "Paul", "lastName": "McCartney" },
{ "firstName": "George", "lastName": "Harrison" },
{ "firstName": "Ringo", "lastName": "Starr" }
],
"name": function () {
return this.firstName + " " + this.lastName;
}
}
Template:
{{#beatles}}
* {{name}}
{{/beatles}}
Output:
* John Lennon
* Paul McCartney
* George Harrison
* Ringo Starr
If the value of a section key is a function, it is called with the section's literal block of text, un-rendered, as its first argument. The second argument is a special rendering function that uses the current view as its view argument. It is called in the context of the current view object.
View:
{
"name": "Tater",
"bold": function () {
return function (text, render) {
return "<b>" + render(text) + "</b>";
}
}
}
Template:
{{#bold}}Hi {{name}}.{{/bold}}
Output:
<b>Hi Tater.</b>
An inverted section opens with {{^section}}
instead of {{#section}}
. The block of an inverted section is rendered only if the value of that section's tag is null
, undefined
, false
, falsy or an empty list.
View:
{
"repos": []
}
Template:
{{#repos}}<b>{{name}}</b>{{/repos}}
{{^repos}}No repos :({{/repos}}
Output:
No repos :(
Comments begin with a bang and are ignored. The following template:
<h1>Today{{! ignore me }}.</h1>
Will render as follows:
<h1>Today.</h1>
Comments may contain newlines.
Partials begin with a greater than sign, like {{> box}}.
Partials are rendered at runtime (as opposed to compile time), so recursive partials are possible. Just avoid infinite loops.
They also inherit the calling context. Whereas in ERB you may have this:
<%= partial :next_more, :start => start, :size => size %>
Mustache requires only this:
{{> next_more}}
Why? Because the next_more.mustache
file will inherit the size
and start
variables from the calling context. In this way you may want to think of partials as includes, imports, template expansion, nested templates, or subtemplates, even though those aren't literally the case here.
For example, this template and partial:
base.mustache:
<h2>Names</h2>
{{#names}}
{{> user}}
{{/names}}
user.mustache:
<strong>{{name}}</strong>
Can be thought of as a single, expanded template:
<h2>Names</h2>
{{#names}}
<strong>{{name}}</strong>
{{/names}}
In mustache.js an object of partials may be passed as the third argument to Mustache.render
. The object should be keyed by the name of the partial, and its value should be the partial text.
Mustache.render(template, view, {
user: userTemplate
});
Custom delimiters can be used in place of {{
and }}
by setting the new values in JavaScript or in templates.
The Mustache.tags
property holds an array consisting of the opening and closing tag values. Set custom values by passing a new array of tags to render()
, which gets honored over the default values, or by overriding the Mustache.tags
property itself:
var customTags = [ '<%', '%>' ];
Mustache.render(template, view, {}, customTags);
Mustache.tags = customTags;
// Subsequent parse() and render() calls will use customTags
Set Delimiter tags start with an equals sign and change the tag delimiters from {{
and }}
to custom strings.
Consider the following contrived example:
* {{ default_tags }}
{{=<% %>=}}
* <% erb_style_tags %>
<%={{ }}=%>
* {{ default_tags_again }}
Here we have a list with three items. The first item uses the default tag style, the second uses ERB style as defined by the Set Delimiter tag, and the third returns to the default style after yet another Set Delimiter declaration.
According to ctemplates, this "is useful for languages like TeX, where double-braces may occur in the text and are awkward to use for markup."
Custom delimiters may not contain whitespace or the equals sign.
By default, when mustache.js first parses a template it keeps the full parsed token tree in a cache. The next time it sees that same template it skips the parsing step and renders the template much more quickly. If you'd like, you can do this ahead of time using mustache.parse
.
Mustache.parse(template);
// Then, sometime later.
Mustache.render(template, view);
mustache.js is shipped with a Node.js based command line tool. It might be installed as a global tool on your computer to render a mustache template of some kind
$ npm install -g mustache
$ mustache dataView.json myTemplate.mustache > output.html
also supports stdin.
$ cat dataView.json | mustache - myTemplate.mustache > output.html
or as a package.json devDependency
in a build process maybe?
$ npm install mustache --save-dev
{
"scripts": {
"build": "mustache dataView.json myTemplate.mustache > public/output.html"
}
}
$ npm run build
The command line tool is basically a wrapper around Mustache.render
so you get all the features.
If your templates use partials you should pass paths to partials using -p
flag:
$ mustache -p path/to/partial1.mustache -p path/to/partial2.mustache dataView.json myTemplate.mustache
mustache.js may be built specifically for several different client libraries, including the following:
These may be built using Rake and one of the following commands:
$ rake jquery
$ rake mootools
$ rake dojo
$ rake yui3
$ rake qooxdoo
Since the source code of this package is written in JavaScript, we follow the TypeScript publishing docs preferred approach by having type definitions available via @types/mustache.
In order to run the tests you'll need to install Node.js.
You also need to install the sub module containing Mustache specifications in the project root.
$ git submodule init
$ git submodule update
Install dependencies.
$ npm install
Then run the tests.
$ npm test
The test suite consists of both unit and integration tests. If a template isn't rendering correctly for you, you can make a test for it by doing the following:
mytest.mustache
in the test/_files
directory. Replace mytest
with the name of your test.mytest.js
in the same directory.
This file should contain a JavaScript object literal enclosed in
parentheses. See any of the other view files for an example.mytest.txt
in the same
directory.Then, you can run the test with:
$ TEST=mytest npm run test-render
Browser tests are not included in npm test
as they run for too long, although they are ran automatically on Travis when merged into master. Run browser tests locally in any browser:
$ npm run test-browser-local
then point your browser to http://localhost:8080/__zuul
An updated list of mustache.js users is kept on the Github wiki. Add yourself or your company if you use mustache.js!
mustache.js is a mature project, but it continues to actively invite maintainers. You can help out a high-profile project that is used in a lot of places on the web. No big commitment required, if all you do is review a single Pull Request, you are a maintainer. And a hero.
mustache.js wouldn't kick ass if it weren't for these fine souls:
FAQs
Logic-less {{mustache}} templates with JavaScript
We found that mustache demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 3 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.