Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
The mustache npm package is a template engine that uses tags to replace variables in a template string with actual values. It is often used for generating HTML, configuration files, or any other text-based formats in a clean and maintainable way. Mustache is logic-less because it does not have any explicit control flow statements, like if or loop constructs; instead, it relies on the presence or absence of data to control the flow of the document.
Variable substitution
Substitutes the {{name}} tag with the actual name provided in the data object.
"Hello, {{name}}!"
Section rendering
Renders the section only if the 'logged_in' data property is truthy.
"{{#logged_in}}Welcome, {{user}}!{{/logged_in}}"
Inverted sections
Renders the section only if the 'logged_in' data property is falsy.
"{{^logged_in}}Please log in.{{/logged_in}}"
Comment
Includes a comment in the template that will not be included in the output.
"Today{{! ignore me }} is a sunny day."
Partial views
Includes a partial template named 'user_info' into the current template.
"{{> user_info}}"
Handlebars is an extension of Mustache that adds support for more complex expressions like helpers and block expressions. It is more feature-rich but also more complex.
EJS, or Embedded JavaScript templates, allows for more traditional JavaScript code within templates. It is more flexible but can be less maintainable due to the potential for complex logic in templates.
Formerly known as Jade, Pug is a high-performance template engine heavily influenced by Haml and implemented with JavaScript for Node.js and browsers. It has a different syntax that some may find cleaner and more readable.
What could be more logical awesome than no logic at all?
mustache.js is an implementation of the mustache template system in JavaScript.
Mustache is a logic-less template syntax. It can be used for HTML, config files, source code - anything. It works by expanding tags in a template using values provided in a hash or object.
We call it "logic-less" because there are no if statements, else clauses, or for loops. Instead there are only tags. Some tags are replaced with a value, some nothing, and others a series of values.
For a language-agnostic overview of mustache's template syntax, see the mustache(5)
manpage.
You can use mustache.js to render mustache templates anywhere you can use JavaScript. This includes web browsers, server-side environments such as node, and CouchDB views.
mustache.js ships with support for both the CommonJS module API and the Asynchronous Module Definition API, or AMD.
An updated list of mustache.js users is kept on the Github wiki. Add yourself or your company if you use mustache.js!
Below is quick example how to use mustache.js:
var view = {
title: "Joe",
calc: function () {
return 2 + 4;
}
};
var output = Mustache.render("{{title}} spends {{calc}}", view);
In this example, the Mustache.render
function takes two parameters: 1) the mustache template and 2) a view
object that contains the data and code needed to render the template.
A mustache template is a string that contains any number of mustache tags. Tags are indicated by the double mustaches that surround them. {{person}}
is a tag, as is {{#person}}
. In both examples we refer to person
as the tag's key.
There are several types of tags available in mustache.js.
The most basic tag type is a simple variable. A {{name}}
tag renders the value of the name
key in the current context. If there is no such key, nothing is rendered.
All variables are HTML-escaped by default. If you want to render unescaped HTML, use the triple mustache: {{{name}}}
. You can also use &
to unescape a variable.
View:
{
"name": "Chris",
"company": "<b>GitHub</b>"
}
Template:
* {{name}}
* {{age}}
* {{company}}
* {{{company}}}
* {{&company}}
Output:
* Chris
*
* <b>GitHub</b>
* <b>GitHub</b>
* <b>GitHub</b>
JavaScript's dot notation may be used to access keys that are properties of objects in a view.
View:
{
"name": {
"first": "Michael",
"last": "Jackson"
},
"age": "RIP"
}
Template:
* {{name.first}} {{name.last}}
* {{age}}
Output:
* Michael Jackson
* RIP
Sections render blocks of text one or more times, depending on the value of the key in the current context.
A section begins with a pound and ends with a slash. That is, {{#person}}
begins a person
section, while {{/person}}
ends it. The text between the two tags is referred to as that section's "block".
The behavior of the section is determined by the value of the key.
If the person
key does not exist, or exists and has a value of null
, undefined
, false
, 0
, or NaN
, or is an empty string or an empty list, the block will not be rendered.
View:
{
"person": false
}
Template:
Shown.
{{#person}}
Never shown!
{{/person}}
Output:
Shown.
If the person
key exists and is not null
, undefined
, or false
, and is not an empty list the block will be rendered one or more times.
When the value is a list, the block is rendered once for each item in the list. The context of the block is set to the current item in the list for each iteration. In this way we can loop over collections.
View:
{
"stooges": [
{ "name": "Moe" },
{ "name": "Larry" },
{ "name": "Curly" }
]
}
Template:
{{#stooges}}
<b>{{name}}</b>
{{/stooges}}
Output:
<b>Moe</b>
<b>Larry</b>
<b>Curly</b>
When looping over an array of strings, a .
can be used to refer to the current item in the list.
View:
{
"musketeers": ["Athos", "Aramis", "Porthos", "D'Artagnan"]
}
Template:
{{#musketeers}}
* {{.}}
{{/musketeers}}
Output:
* Athos
* Aramis
* Porthos
* D'Artagnan
If the value of a section variable is a function, it will be called in the context of the current item in the list on each iteration.
View:
{
"beatles": [
{ "firstName": "John", "lastName": "Lennon" },
{ "firstName": "Paul", "lastName": "McCartney" },
{ "firstName": "George", "lastName": "Harrison" },
{ "firstName": "Ringo", "lastName": "Starr" }
],
"name": function () {
return this.firstName + " " + this.lastName;
}
}
Template:
{{#beatles}}
* {{name}}
{{/beatles}}
Output:
* John Lennon
* Paul McCartney
* George Harrison
* Ringo Starr
If the value of a section key is a function, it is called with the section's literal block of text, un-rendered, as its first argument. The second argument is a special rendering function that uses the current view as its view argument. It is called in the context of the current view object.
View:
{
"name": "Tater",
"bold": function () {
return function (text, render) {
return "<b>" + render(text) + "</b>";
}
}
}
Template:
{{#bold}}Hi {{name}}.{{/bold}}
Output:
<b>Hi Tater.</b>
An inverted section opens with {{^section}}
instead of {{#section}}
. The block of an inverted section is rendered only if the value of that section's tag is null
, undefined
, false
, or an empty list.
View:
{
"repos": []
}
Template:
{{#repos}}<b>{{name}}</b>{{/repos}}
{{^repos}}No repos :({{/repos}}
Output:
No repos :(
Comments begin with a bang and are ignored. The following template:
<h1>Today{{! ignore me }}.</h1>
Will render as follows:
<h1>Today.</h1>
Comments may contain newlines.
Partials begin with a greater than sign, like {{> box}}.
Partials are rendered at runtime (as opposed to compile time), so recursive partials are possible. Just avoid infinite loops.
They also inherit the calling context. Whereas in ERB you may have this:
<%= partial :next_more, :start => start, :size => size %>
Mustache requires only this:
{{> next_more}}
Why? Because the next_more.mustache
file will inherit the size
and start
variables from the calling context. In this way you may want to think of partials as includes, or template expansion, even though it's not literally true.
For example, this template and partial:
base.mustache:
<h2>Names</h2>
{{#names}}
{{> user}}
{{/names}}
user.mustache:
<strong>{{name}}</strong>
Can be thought of as a single, expanded template:
<h2>Names</h2>
{{#names}}
<strong>{{name}}</strong>
{{/names}}
In mustache.js an object of partials may be passed as the third argument to Mustache.render
. The object should be keyed by the name of the partial, and its value should be the partial text.
Mustache.render(template, view, {
user: userTemplate
});
Set Delimiter tags start with an equals sign and change the tag delimiters from {{
and }}
to custom strings.
Consider the following contrived example:
* {{ default_tags }}
{{=<% %>=}}
* <% erb_style_tags %>
<%={{ }}=%>
* {{ default_tags_again }}
Here we have a list with three items. The first item uses the default tag style, the second uses ERB style as defined by the Set Delimiter tag, and the third returns to the default style after yet another Set Delimiter declaration.
According to ctemplates, this "is useful for languages like TeX, where double-braces may occur in the text and are awkward to use for markup."
Custom delimiters may not contain whitespace or the equals sign.
By default, when mustache.js first parses a template it keeps the full parsed token tree in a cache. The next time it sees that same template it skips the parsing step and renders the template much more quickly. If you'd like, you can do this ahead of time using mustache.parse
.
Mustache.parse(template);
// Then, sometime later.
Mustache.render(template, view);
mustache.js may be built specifically for several different client libraries, including the following:
These may be built using Rake and one of the following commands:
$ rake jquery
$ rake mootools
$ rake dojo
$ rake yui3
$ rake qooxdoo
The mustache.js test suite uses the mocha testing framework. In order to run the tests you'll need to install node. Once that's done you can install mocha using npm.
$ npm install -g mocha
You also need to install the sub module containing Mustache specifications in the project root.
$ git submodule init
$ git submodule update
Then run the tests.
$ mocha test
The test suite consists of both unit and integration tests. If a template isn't rendering correctly for you, you can make a test for it by doing the following:
mytest.mustache
in the test/_files
directory. Replace mytest
with the name of your test.mytest.js
in the same directory.
This file should contain a JavaScript object literal enclosed in
parentheses. See any of the other view files for an example.mytest.txt
in the same
directory.Then, you can run the test with:
$ TEST=mytest mocha test/render-test.js
mustache.js wouldn't kick ass if it weren't for these fine souls:
[0.8.2] / 17 Mar 2014
FAQs
Logic-less {{mustache}} templates with JavaScript
The npm package mustache receives a total of 3,759,731 weekly downloads. As such, mustache popularity was classified as popular.
We found that mustache demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 3 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.