I’m writing an application in Elixir where users should be able to create templates (which later get rendered into HTML and then into PDF).
I’m currently working with EEx, however there are two problems to tackle:
- code execution (this one I know how to handle, since EEx can compile to a quoted expression which I can walk to detect unauthorized calls)
- atom generation
The second one is more problematic, EEx generates atoms for the variables used in the template, and we all know that having users create atoms is a BAD idea.
I had submitted a PR (which will appear in 1.13) to allow me to pass in a method that is called when creating atoms and instead output strings, however it turns out that in the tokenization step EEx generates an atom and then returns it as a string (but the atom is created nonetheless).
The only way to avoid this would be passing in a parser_options to the tokenizer call which I think isn’t even public API (:elixir_tokenizer) so I’m guessing a PR to add options to that will be rejected (José if you’re reading this and I’m wrong let me know!).
Long story short, does anyone have experience with this, suggestions or ideas? I’d want to have user supplied templates, at runtime, to generate HTML.
EEx is currently problematic due to atoms being created while compiling.
EDIT: I’m currently on mobile but when I’m home I’ll link the exact code that causes problems along with some tests and examples
EDIT 2: The exact line that’s generating atoms is elixir/tokenizer.ex at master · elixir-lang/elixir · GitHub. If I could pass in a static_atoms_encoder option (see Code — Elixir v1.12.2) I could use EEx templates without it generating any atoms at all (I verified this with a locally modified EEx library).
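An added example (not the poster’s code) of the two checks the post describes: compile a user-supplied template with `EEx.compile_string/2`, walk the quoted expression with `Macro.prewalk/3` to reject remote calls outside an allowlist, and measure the atom table before and after compilation to observe the atom-creation problem. The allowlist entries for `EEx.Engine.fetch_assign!/2` and `String.Chars.to_string/1` are assumed to be what the default engine inserts for `@assign` and `<%= %>` in 1.12; verify them against your version.

```elixir
defmodule TemplateGuard do
  # Assumption: the only remote calls a user template may make, plus the
  # two calls EEx's default SmartEngine itself emits (verify per version).
  @allowed_remote [
    {String, :upcase, 1},
    {String, :downcase, 1},
    {Enum, :join, 2},
    {EEx.Engine, :fetch_assign!, 2},
    {String.Chars, :to_string, 1}
  ]

  @doc "Compile a template and report forbidden calls and atoms created."
  def check(template) when is_binary(template) do
    # The atom table is global, so only use this on a quiet node.
    before = :erlang.system_info(:atom_count)
    quoted = EEx.compile_string(template)
    created = :erlang.system_info(:atom_count) - before

    {_ast, violations} =
      Macro.prewalk(quoted, [], fn
        # Remote call on an aliased module: Mod.fun(args)
        {{:., _, [{:__aliases__, _, parts}, fun]}, _, args} = node, acc ->
          mfa = {Module.concat(parts), fun, length(args)}
          if mfa in @allowed_remote,
            do: {node, acc},
            else: {node, [{:remote_call, mfa} | acc]}

        # Remote call on a literal atom module, e.g. :os.cmd(...)
        {{:., _, [mod, fun]}, _, args} = node, acc when is_atom(mod) ->
          mfa = {mod, fun, length(args)}
          if mfa in @allowed_remote,
            do: {node, acc},
            else: {node, [{:remote_call, mfa} | acc]}

        # Anonymous functions and captures give templates too much power.
        {op, _, _} = node, acc when op in [:fn, :&] ->
          {node, [{:forbidden_form, op} | acc]}

        node, acc ->
          {node, acc}
      end)

    %{violations: Enum.reverse(violations), atoms_created: created}
  end
end

# Constructed sample templates; run with: elixir template_guard.exs
IO.inspect(TemplateGuard.check("Hello <%= String.upcase(@name) %>"))
IO.inspect(TemplateGuard.check("<%= :os.cmd('id') %> <%= some_new_var %>"))
```

Each template that uses a variable name the VM has never seen before increases `atoms_created`, which is the behaviour the post attributes to the tokenizer.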