
mde/ejs

Embedded JavaScript templates

Security

Security professionals, before reporting any security issues, please reference the SECURITY.md in this project, in particular, the following: "EJS is effectively a JavaScript runtime. Its entire job is to execute JavaScript. If you run the EJS render method without checking the inputs yourself, you are responsible for the results."

In short, DO NOT submit 'vulnerabilities' that include this snippet of code:

app.get('/', (req, res) => {
  res.render('index', req.query);
});

Installation

$ npm install ejs

Features

  • Control flow with `<% %>`
  • Escaped output with `<%= %>` (escape function configurable)
  • Unescaped raw output with `<%- %>`
  • Newline-trim mode ('newline slurping') with `-%>` ending tag
  • Whitespace-trim mode (slurp all whitespace) for control flow with `<%_ _%>`
  • Custom delimiters (e.g. `[? ?]` instead of `<% %>`)
  • Includes
  • Client-side support
  • Static caching of intermediate JavaScript
  • Static caching of templates
  • Complies with the Express view system

Example

<% if (user) { %>
  <h2><%= user.name %></h2>
<% } %>

Try EJS online at: https://ionicabizau.github.io/ejs-playground/.

Basic usage

let template = ejs.compile(str, options);
template(data);
// => Rendered HTML string

ejs.render(str, data, options);
// => Rendered HTML string

ejs.renderFile(filename, data, options, function (err, str) {
  // str => Rendered HTML string
});

It is also possible to use `ejs.render(dataAndOptions);` where you pass everything in a single object. In that case, you'll end up with local variables for all the passed options. However, be aware that your code could break if a future EJS release adds an option with the same name as one of your data object's properties. It also means that every key in that object is treated as an option, which is one more reason never to pass request input as that object. Therefore, we do not recommend using this shortcut.

Important

You should never give end-users unfettered access to the EJS render method. If you do, you are using EJS in an inherently insecure way: render compiles and executes JavaScript, so whoever controls the template source or the options object controls that execution. Keep template files under application control, pass only validated values as locals, and never hand a request object (for example `req.query` or `req.body`) straight to render.
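
The following is an added example, not code from the ejs project: a route handler that builds the locals object from an allow-list schema instead of passing `req.query` to `res.render`. The names `INDEX_SCHEMA`, `buildLocals` and `indexHandler` are hypothetical, and Express is not needed to run it.

```javascript
'use strict';

// Added example, not code from the ejs project. INDEX_SCHEMA, buildLocals and
// indexHandler are hypothetical names chosen for this illustration.

// One validator per local the 'index' view actually uses. A validator returns
// the cleaned value, or undefined to drop the key.
const INDEX_SCHEMA = {
  // Display name: word characters, space, dot, apostrophe, hyphen; bounded length.
  name: (v) => (/^[\w .'-]{1,64}$/.test(v) ? v : undefined),
  // Page number: digits only, converted to a Number.
  page: (v) => (/^\d{1,4}$/.test(v) ? Number(v) : undefined),
};

function buildLocals(query, schema) {
  const locals = {};
  // Iterate over the schema, never over the query: keys the view does not
  // declare (option names such as client, escape or outputFunctionName, and
  // prototype keys such as __proto__) are never copied into the locals.
  for (const key of Object.keys(schema)) {
    const raw = query[key];
    // Express's default query parser turns ?name=a&name=b into an array and
    // ?name[x]=y into an object; only a plain string is accepted here.
    if (typeof raw !== 'string') continue;
    const cleaned = schema[key](raw);
    if (cleaned !== undefined) locals[key] = cleaned;
  }
  return locals;
}

// Express-style route handler (Express itself is not needed to run this file).
// The view name is a constant and the locals come only from buildLocals.
function indexHandler(req, res) {
  res.render('index', buildLocals(req.query || {}, INDEX_SCHEMA));
}
```

Because the loop walks the schema rather than the query, an option name such as `client` or `escape` arriving as a query parameter is simply never copied, and non-string values produced by the query parser are dropped before any validator sees them.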

Options

  • `cache`: Compiled functions are cached, requires `filename`
  • `filename`: The name of the file being rendered. Not required if you are using `renderFile()`. Used by `cache` to key caches, and for includes.
  • `root`: Set template root(s) for includes with an absolute path (e.g., /file.ejs). Can be an array to try to resolve the include from multiple directories.
  • `views`: An array of paths to use when resolving includes with relative paths.
  • `context`: Function execution context
  • `compileDebug`: When `false`, no debug instrumentation is compiled
  • `client`: When `true`, compiles a function that can be rendered in the browser without needing to load the EJS Runtime (ejs.min.js).
  • `delimiter`: Character to use for inner delimiter, by default '%'
  • `openDelimiter`: Character to use for opening delimiter, by default '<'
  • `closeDelimiter`: Character to use for closing delimiter, by default '>'
  • `debug`: Outputs generated function body
  • `strict`: When set to `true`, the generated function is in strict mode
  • `_with`: Whether or not to use `with() {}` constructs. If `false`, the locals will be stored in the `locals` object. Set to `false` in strict mode.
  • `destructuredLocals`: An array of local variables that are always destructured from the locals object, available even in strict mode.
  • `localsName`: Name to use for the object storing local variables when not using `with`. Defaults to `locals`
  • `rmWhitespace`: Remove all safe-to-remove whitespace, including leading and trailing whitespace. It also enables a safer version of `-%>` line slurping for all scriptlet tags (it does not strip new lines of tags in the middle of a line).
  • `escape`: The escaping function used with the `<%=` construct. It is used in rendering and is `.toString()`ed in the generation of client functions. (By default escapes XML: `&`, `<`, `>`, `"` and `'`.) That default is suitable for HTML text and attribute values only; a value placed inside a script block, a URL or inline CSS needs encoding for that context.
  • `outputFunctionName`: Set to a string (e.g., 'echo' or 'print') for a function to print output inside scriptlet tags.
  • `async`: When `true`, EJS will use an async function for rendering. (Depends on async/await support in the JS runtime).
  • `includer`: Custom function to handle EJS includes, receives `(originalPath, parsedPath)` parameters, where `originalPath` is the path in include as-is and `parsedPath` is the previously resolved path. Should return an object `{ filename, template }`; you may return only one of the properties, where `filename` is the final parsed path and `template` is the included content.

This project uses JSDoc. For the full public API documentation, clone the repository and run `jake doc`. This will run JSDoc with the proper options and output the documentation to `out/`. If you want both the public and private API docs, run `jake devdoc` instead.

Tags

  • `<%` 'Scriptlet' tag, for control-flow, no output
  • `<%_` 'Whitespace Slurping' Scriptlet tag, strips all whitespace before it
  • `<%=` Outputs the value into the template (escaped)
  • `<%-` Outputs the unescaped value into the template
  • `<%#` Comment tag, no execution, no output
  • `<%%` Outputs a literal '<%'
  • `%%>` Outputs a literal '%>'
  • `%>` Plain ending tag
  • `-%>` Trim-mode ('newline slurp') tag, trims following newline
  • `_%>` 'Whitespace Slurping' ending tag, removes all whitespace after it

For the full syntax documentation, please see docs/syntax.md.

Includes

Includes either have to be an absolute path, or, if not, are assumed as relative to the template with the `include` call. For example, if you are including ./views/user/show.ejs from ./views/users.ejs you would use `<%- include('user/show') %>`.

You must specify the `filename` option for the template with the `include` call unless you are using `renderFile()`.

You'll likely want to use the raw output tag (`<%-`) with your include to avoid double-escaping the HTML output.

<ul>
  <% users.forEach(function (user) { %>
    <%- include('user/show', { user: user }) %>
  <% }); %>
</ul>

Includes are inserted at runtime, so you can use variables for the path in the `include` call (for example `<%- include(somePath) %>`). Variables in your top-level data object are available to all your includes, but local variables need to be passed down. Because `include()` reads and executes whatever template the path resolves to, an include path should be chosen by the application, never taken from request input.

NOTE: Include preprocessor directives (<% include user/show %>) are not supported in v3.0+.

Custom delimiters

Custom delimiters can be applied on a per-template basis, or globally:

let ejs = require('ejs'),
    users = ['geddy', 'neil', 'alex'];

// Just one template
ejs.render('<p>[?= users.join(" | "); ?]</p>', { users: users }, { delimiter: '?', openDelimiter: '[', closeDelimiter: ']' });
// => '<p>geddy | neil | alex</p>'

// Or globally
ejs.delimiter = '?';
ejs.openDelimiter = '[';
ejs.closeDelimiter = ']';
ejs.render('<p>[?= users.join(" | "); ?]</p>', { users: users });
// => '<p>geddy | neil | alex</p>'

Caching

EJS ships with a basic in-process cache for caching the intermediate JavaScript functions used to render templates. It's easy to plug in LRU caching using the lru-cache npm package:

let ejs = require('ejs'),
    LRU = require('lru-cache');
ejs.cache = LRU(100); // LRU cache with 100-item limit
// Note: this is the lru-cache < 7 call style; current lru-cache versions
// export a class instead (new LRUCache({ max: 100 })).

If you want to clear the EJS cache, call `ejs.clearCache`. If you're using the LRU cache and need a different limit, simply reset `ejs.cache` to a new instance of the LRU.

Custom file loader

The default file loader is `fs.readFileSync`; if you want to customize it, you can set `ejs.fileLoader`.

let ejs = require('ejs');
let fs = require('fs'); // needed by the loader below
let myFileLoad = function (filePath) {
  // Whatever this returns is used as the template source for filePath
  return 'myFileLoad: ' + fs.readFileSync(filePath);
};

ejs.fileLoader = myFileLoad;

With this feature, you can preprocess template source after it is read and before it is compiled. Since every `renderFile()` and `include()` fetches its source through this loader, it is also the one place where you can restrict which files may be read.

Layouts

EJS does not specifically support blocks, but layouts can be implemented by including headers and footers, like so:

<%- include('header') -%>
<h1>
  Title
</h1>
<p>
  My page
</p>
<%- include('footer') -%>

Client-side support

Go to the Latest Release, download ./ejs.js or ./ejs.min.js. Alternately, you can compile it yourself by cloning the repository and running `jake build` (or `$(npm bin)/jake build` if jake is not installed globally).

Include one of these files on your page, and `ejs` should be available globally.

Example

<div id="output"></div>
<script src="ejs.min.js"></script>
<script>
  let people = ['geddy', 'neil', 'alex'],
      html = ejs.render('<%= people.join(", "); %>', { people: people });
  // With jQuery:
  $('#output').html(html);
  // Vanilla JS:
  document.getElementById('output').innerHTML = html;
</script>

Caveats

Most of EJS will work as expected; however, there are a few things to note:

  1. Obviously, since you do not have access to the filesystem, `ejs.renderFile()` won't work.
  2. For the same reason, includes do not work unless you use an include callback. Here is an example:

let str = "Hello <%= include('file', {person: 'John'}); %>",
    fn = ejs.compile(str, { client: true });

fn(data, null, function (path, d) { // include callback
  // path -> 'file'
  // d -> {person: 'John'}
  // Put your code here
  // Return the contents of file as a string
}); // returns rendered string

See the examples folder for more details.

CLI

EJS ships with a full-featured CLI. Options are similar to those used in JavaScript code:

  • `-o / --output-file FILE`: Write the rendered output to FILE rather than stdout.
  • `-f / --data-file FILE`: Must be JSON-formatted. Use parsed input from FILE as data for rendering.
  • `-i / --data-input STRING`: Must be JSON-formatted and URI-encoded. Use parsed input from STRING as data for rendering.
  • `-m / --delimiter CHARACTER`: Use CHARACTER with angle brackets for open/close (defaults to %).
  • `-p / --open-delimiter CHARACTER`: Use CHARACTER instead of left angle bracket to open.
  • `-c / --close-delimiter CHARACTER`: Use CHARACTER instead of right angle bracket to close.
  • `-s / --strict`: When set, the generated function is in strict mode.
  • `-n / --no-with`: Use 'locals' object for vars rather than using `with` (implies --strict).
  • `-l / --locals-name`: Name to use for the object storing local variables when not using `with`.
  • `-w / --rm-whitespace`: Remove all safe-to-remove whitespace, including leading and trailing whitespace.
  • `-d / --debug`: Outputs generated function body.
  • `-h / --help`: Display this help message.
  • `-V/v / --version`: Display the EJS version.

Here are some examples of usage:

$ ejs -p [ -c ] ./template_file.ejs -o ./output.html
$ ejs ./test/fixtures/user.ejs name=Lerxst
$ ejs -n -l _ ./some_template.ejs -f ./data_file.json

Data input

There is a variety of ways to pass the CLI data for rendering.

Stdin:

$ cat ./test/fixtures/user_data.json | ejs ./test/fixtures/user.ejs
$ ejs ./test/fixtures/user.ejs < test/fixtures/user_data.json

A data file:

$ ejs ./test/fixtures/user.ejs -f ./user_data.json

A command-line option (must be URI-encoded):

./bin/cli.js -i %7B%22name%22%3A%20%22foo%22%7D ./test/fixtures/user.ejs

Or, passing values directly at the end of the invocation:

./bin/cli.js -m $ ./test/fixtures/user.ejs name=foo

Output

The CLI by default sends output to stdout, but you can use the `-o` or `--output-file` flag to specify a target file to send the output to.

IDE Integration with Syntax Highlighting

VSCode: Javascript EJS by DigitalBrainstem

Related projects

There are a number of implementations of EJS:

License

Licensed under the Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)


EJS Embedded JavaScript templates copyright 2112 [email protected].