Hanjst improved: +enSafeExpression safe expression, etc.

Posted May 22, 2020 · 6 min read

Hanjst's template language and template engine have been continuously improved and upgraded recently.
This improvement mainly increases the compatibility of safe output expressions. Because it involves the balance and trade-off between the efficiency of software development and the efficiency of software operation, I wrote a few more sentences to describe the trade-offs between the pros and cons and the thinking process. Not much time has passed since the last update, Hanjst upgrade: +showImageAsync and performance improvement, etc. (https://ufqi.com/blog/hanjst-showimage-dotpos/); I hope Hanjst will mature and stabilize as soon as possible.

1. Questions and background

When the Hanjst template language parsing engine was written, JavaScript strict mode was enabled (https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Strict_mode), so that program statements receive strict grammar checks; if a template is not written strictly, exception warnings are occasionally thrown. The reason for this requirement, running JavaScript in strict mode, is the hope that Hanjst can be used in some key areas and demanding positions, eliminating abnormal errors at the programming stage.

Let the exception happen at "compilation time" and be resolved there, as in compiled programming languages. This is a good thing, because Hanjst is used not only in ordinary information websites but also in e-commerce, finance and other fields; performing harsh grammar checks on it is a necessary step.

However, this has its drawbacks: it takes more time to develop, various situations have to be considered, software behavior has to be repeatedly tested in various scenarios, and development cost unintentionally increases. For example, the common strict mode errors: undefined variables and accessing properties of undefined objects. The error report has a more user-friendly display output in Hanjst; reference: Hanjst+ update upgrade: error reporting, innerLoop and loadingLayer (https://ufqi.com/blog/hanjst-error-reporting-innerloop-and-loadinglayer/).

If the system being integrated is in a non-critical field or a less demanding position, can some active compatibility be provided for these recurring undefined variables and accesses to undefined objects? This is the question examined this time.

2. Solution ideas and methods

There are roughly two ways to approach this problem: 1) when the template is compiled, remove JavaScript strict mode so that it is no longer strictly checked, thereby avoiding errors for undefined variables and access to undefined objects; 2) keep strict mode, but do some local fine-tuning to make it compatible with these low-level errors while keeping strict checks on the rest of the syntax.

Removing strict mode altogether is obviously not possible; it would essentially shake Hanjst's position in key areas and demanding positions. This point need not be discussed. Enabling strict mode and performing grammar checks at compile time are necessary for serious software.

In JavaScript, it is easy to detect whether a variable is defined: a typeof check can determine whether a variable is defined. But if such a check is performed on every variable before output, it obviously falls into the irrational state of "one person is sick, the whole country takes medicine", which is one of the reasons previous attempts were blocked.
Therefore, if variable detection is to be enabled, some mechanism is needed to perceive which variables have already been defined.

In addition, without using eval and other high-risk JavaScript functions, how can one perceive whether a variable represented by a string is defined? Use the built-in Function object to build an anonymous function? If the anonymous function has a separate variable scope, significantly different from the actual runtime environment of the variable, how should it operate?

Third, in the template language we allow access to the properties of objects. Such objects may be global variables of the runtime environment or local variables; they may be a one-dimensional hash, or multiple levels of nested hashes. The first dimension of a data object may be defined while the second and third dimensions are undefined; accessing an undefined level may then throw an exception.

As the problem spreads further, the requirements become:

1) Continue to enable strict mode;
2) Under 1), achieve access compatibility for undefined variables and undefined objects;
3) Try not to use high-risk functions such as eval;
4) Guarantee 2) under all circumstances, although not all variables can be made compatible;
5) Distinguish between global variables and local variables, and preferably be compatible in all situations;
6) Distinguish between one-dimensional objects and multi-dimensional objects, and preferably be compatible in all situations.

After some difficult exploration, trying to have both the fish and the bear's paw, the following measures are taken:

1) Use typeof to generate the JavaScript statement that checks whether the variable to be output is defined;
2) Add a list of environment variable assignment statements, to detect whether a variable has been explicitly defined;
3) Use window.hasOwnProperty to detect whether a global variable is defined;
4) Use a recursive method to disassemble multi-dimensional data objects, for example $aList[$ak1][$ak2][$ak3].

Based on the above analysis, a new _enSafeExpression function is added to Hanjst.js to perform safety checks on variables and objects to be output.

3. Sample demo

{$a=1} > statements like this register the variable as having been explicitly declared;

{$a} > ((typeof $a == 'undefined') ? : $a), outputs $a; if the check finds that it is not defined, the output is rewritten as a ternary operator expression.

$aList[$ak1][$ak2][$ak3] > $aList[$ak1], $aList[$ak1][$ak2]: the three-dimensional data to be output is dismantled into the two intermediate variables/objects to be detected, and a ternary expression is then built for each to form a layer-by-layer detection from top to bottom, roughly:
((typeof $aList[$ak1] == 'undefined') ? : ((typeof $aList[$ak1][$ak2] == 'undefined') ? : $aList[$ak1][$ak2][$ak3]))

Data objects with more dimensions follow the same pattern.
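The four measures and the sample rewrites above can be put together in a few dozen lines. The following is an added example, not Hanjst's own code: it scans a template fragment for explicit assignments, treats a variable as known when it was assigned or is an own property of the global object (window.hasOwnProperty in a page, globalThis here so it runs under Node), splits a multi-dimensional access into its levels, and wraps each level that could be missing in a typeof test. The function names registerAssignments, isDeclared, splitExpression, enSafeExpression and strictModeProbe, the '' fallback in the empty ternary branch, and the constructed template fragment are all assumptions made for illustration.

```javascript
// Added example (not Hanjst's own code): a small re-implementation of the
// idea behind _enSafeExpression. Names and the '' fallback are assumptions.
'use strict';

// In a browser the global object is window; Node exposes globalThis.
const GLOBAL_OBJECT = typeof globalThis !== 'undefined' ? globalThis : window;

// Measure 2): scan the template for explicit assignments such as {$a=1}
// and remember the names, so those variables need no typeof guard later.
function registerAssignments(templateSource) {
  const declared = new Set();
  const re = /\{\s*(\$[A-Za-z_]\w*)\s*=(?!=)/g;  // "=" but not "=="
  let m;
  while ((m = re.exec(templateSource)) !== null) declared.add(m[1]);
  return declared;
}

// Measure 3): a variable is known if the template assigned it or if the
// global object owns a property of that name.
function isDeclared(name, declared) {
  return declared.has(name) ||
    Object.prototype.hasOwnProperty.call(GLOBAL_OBJECT, name);
}

// Measure 4): split "$aList[$ak1][$ak2][$ak3]" into its base variable and
// the chain of index expressions.
function splitExpression(expr) {
  const m = /^(\$?[A-Za-z_]\w*)((?:\[[^\]]+\])*)$/.exec(expr.trim());
  if (!m) throw new Error('unsupported expression: ' + expr);
  const indexes = [];
  const re = /\[([^\]]+)\]/g;
  let k;
  while ((k = re.exec(m[2])) !== null) indexes.push(k[1]);
  return { base: m[1], indexes };
}

// Measure 1): wrap each level that could be missing in a typeof test.
// typeof on an undeclared identifier does not throw, even in strict mode,
// which is what makes it usable as the guard. Every intermediate level is
// guarded because reading a property of undefined is a TypeError; the last
// index only yields undefined and is left unguarded, as in the article's
// own sample output.
function enSafeExpression(expr, declared, fallback = "''") {
  const { base, indexes } = splitExpression(expr);
  const guarded = [];
  let prefix = base;
  if (!isDeclared(base, declared)) guarded.push(prefix);
  for (let i = 0; i < indexes.length - 1; i++) {
    prefix += '[' + indexes[i] + ']';
    guarded.push(prefix);
  }
  const full = indexes.length
    ? prefix + '[' + indexes[indexes.length - 1] + ']'
    : base;
  // Build from the innermost access outwards so the outermost check runs first.
  let out = full;
  for (let i = guarded.length - 1; i >= 0; i--) {
    out = `((typeof ${guarded[i]} == 'undefined') ? ${fallback} : ${out})`;
  }
  return out;
}

// The two strict-mode behaviours the guard relies on: typeof of an
// undeclared name is safe, while reading through an undefined level throws.
function strictModeProbe() {
  const result = {};
  result.typeofUndeclared = typeof notDeclaredAnywhere;   // no ReferenceError
  try {
    const level1 = undefined;   // constructed: a missing second dimension
    void level1.level2;
    result.nestedAccessThrows = false;
  } catch (e) {
    result.nestedAccessThrows = e instanceof TypeError;
  }
  return result;
}

// Usage on a constructed template fragment.
const demoDeclared = registerAssignments('{$a=1}{$aList={}}');
console.log(enSafeExpression('$a', demoDeclared));
console.log(enSafeExpression('$b', demoDeclared));
console.log(enSafeExpression('$aList[$ak1][$ak2][$ak3]', demoDeclared));
console.log(strictModeProbe());
```

Note that the generated guard only protects the levels of the expression being output; an index variable such as $ak1 that is itself undefined is a separate case, which is why the assignment registry and the global-object check still matter for every name a template reads.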

4. Other

The version number is increased to v1.7, plus some other minor optimization adjustments.

When a simple question is examined in detail, it is not simple at all; what is learned on paper always feels shallow, and one must do the thing oneself to truly know it. For a small task, an active safety check before a variable is output, I wrote almost 2000 words.

After all, Hanjst is pursuing the art of balance and the ultimate and perfection.



Hanjst is a template language and template parsing engine based on JavaScript. It runs on the client or the server.

Hanjst can express logical control, and can achieve the same powerful functions as a server-side template language.

  • Hanjst saves server-side computing resources when fully parsed on the client;
  • The Hanjst template language is independent and does not bind to server-side resources;
  • Pure MVC; the data between layers is transferred in JSON format;
  • Full support for common template language functions, with the complete and powerful programming capabilities of JavaScript;
  • No learning cost; the template language is written directly in JavaScript.

Hanjst is a JavaScript-based templating language and parsing engine that runs on both the client-side and/or server-side.

Hanjst can express logical controls and achieve the same functionalities as the server-side templating languages.

  • Hanjst runs client-side, reducing rendering computation on the server side;

  • Hanjst is Language-independent, not-bound with back-end scripts or languages;

  • Totally-isolated between MVC, data transfer with JSON;

  • Full-support template tags with built-in logic and customized JavaScript functions;

  • No more tag languages to be learned, just JavaScript.

In the past two days, writing two articles in a row is also a rare act in the history of this blog. Another article written in the same period: Deposit interest rate, loan interest rate and negative interest rate, https://ufqi.com/blog/captial... .

http://ufqi.com/blog/hanjst-ensafeexpr-updt/