Gathering detailed insights and metrics for ejs
Gathering detailed insights and metrics for ejs
Gathering detailed insights and metrics for ejs
Gathering detailed insights and metrics for ejs
npm install ejs
58.7
Supply Chain
99.6
Quality
76.8
Maintenance
100
Vulnerability
100
License
Module System
Min. Node Version
Typescript Support
Node Version
NPM Version
7,788 Stars
3,207 Commits
843 Forks
127 Watching
14 Branches
122 Contributors
Updated on 26 Nov 2024
JavaScript (100%)
Cumulative downloads
Total Downloads
Last day
-2.1%
3,671,865
Compared to previous day
Last week
3.2%
19,441,138
Compared to previous week
Last month
12.9%
81,150,970
Compared to previous month
Last year
24.2%
797,439,282
Compared to previous year
1
7
Security professionals, before reporting any security issues, please reference the SECURITY.md in this project, in particular, the following: "EJS is effectively a JavaScript runtime. Its entire job is to execute JavaScript. If you run the EJS render method without checking the inputs yourself, you are responsible for the results."
In short, DO NOT submit 'vulnerabilities' that include this snippet of code:
1app.get('/', (req, res) => { 2 res.render('index', req.query); 3});
1$ npm install ejs
<% %>
<%= %>
(escape function configurable)<%- %>
-%>
ending tag<%_ _%>
[? ?]
instead of <% %>
)1<% if (user) { %> 2 <h2><%= user.name %></h2> 3<% } %>
Try EJS online at: https://ionicabizau.github.io/ejs-playground/.
1let template = ejs.compile(str, options); 2template(data); 3// => Rendered HTML string 4 5ejs.render(str, data, options); 6// => Rendered HTML string 7 8ejs.renderFile(filename, data, options, function(err, str){ 9 // str => Rendered HTML string 10});
It is also possible to use ejs.render(dataAndOptions);
where you pass
everything in a single object. In that case, you'll end up with local variables
for all the passed options. However, be aware that your code could break if we
add an option with the same name as one of your data object's properties.
Therefore, we do not recommend using this shortcut.
You should never give end-users unfettered access to the EJS render method, If you do so you are using EJS in an inherently un-secure way.
cache
Compiled functions are cached, requires filename
filename
The name of the file being rendered. Not required if you
are using renderFile()
. Used by cache
to key caches, and for includes.root
Set template root(s) for includes with an absolute path (e.g, /file.ejs).
Can be array to try to resolve include from multiple directories.views
An array of paths to use when resolving includes with relative paths.context
Function execution contextcompileDebug
When false
no debug instrumentation is compiledclient
When true
, compiles a function that can be rendered
in the browser without needing to load the EJS Runtime
(ejs.min.js).delimiter
Character to use for inner delimiter, by default '%'openDelimiter
Character to use for opening delimiter, by default '<'closeDelimiter
Character to use for closing delimiter, by default '>'debug
Outputs generated function bodystrict
When set to true
, generated function is in strict mode_with
Whether or not to use with() {}
constructs. If false
then the locals will be stored in the locals
object. Set to false
in strict mode.destructuredLocals
An array of local variables that are always destructured from
the locals object, available even in strict mode.localsName
Name to use for the object storing local variables when not using
with
Defaults to locals
rmWhitespace
Remove all safe-to-remove whitespace, including leading
and trailing whitespace. It also enables a safer version of -%>
line
slurping for all scriptlet tags (it does not strip new lines of tags in
the middle of a line).escape
The escaping function used with <%=
construct. It is
used in rendering and is .toString()
ed in the generation of client functions.
(By default escapes XML).outputFunctionName
Set to a string (e.g., 'echo' or 'print') for a function to print
output inside scriptlet tags.async
When true
, EJS will use an async function for rendering. (Depends
on async/await support in the JS runtime).includer
Custom function to handle EJS includes, receives (originalPath, parsedPath)
parameters, where originalPath
is the path in include as-is and parsedPath
is the
previously resolved path. Should return an object { filename, template }
,
you may return only one of the properties, where filename
is the final parsed path and template
is the included content.This project uses JSDoc. For the full public API
documentation, clone the repository and run jake doc
. This will run JSDoc
with the proper options and output the documentation to out/
. If you want
the both the public & private API docs, run jake devdoc
instead.
<%
'Scriptlet' tag, for control-flow, no output<%_
'Whitespace Slurping' Scriptlet tag, strips all whitespace before it<%=
Outputs the value into the template (escaped)<%-
Outputs the unescaped value into the template<%#
Comment tag, no execution, no output<%%
Outputs a literal '<%'%%>
Outputs a literal '%>'%>
Plain ending tag-%>
Trim-mode ('newline slurp') tag, trims following newline_%>
'Whitespace Slurping' ending tag, removes all whitespace after itFor the full syntax documentation, please see docs/syntax.md.
Includes either have to be an absolute path, or, if not, are assumed as
relative to the template with the include
call. For example if you are
including ./views/user/show.ejs
from ./views/users.ejs
you would
use <%- include('user/show') %>
.
You must specify the filename
option for the template with the include
call unless you are using renderFile()
.
You'll likely want to use the raw output tag (<%-
) with your include to avoid
double-escaping the HTML output.
1<ul> 2 <% users.forEach(function(user){ %> 3 <%- include('user/show', {user: user}) %> 4 <% }); %> 5</ul>
Includes are inserted at runtime, so you can use variables for the path in the
include
call (for example <%- include(somePath) %>
). Variables in your
top-level data object are available to all your includes, but local variables
need to be passed down.
NOTE: Include preprocessor directives (<% include user/show %>
) are
not supported in v3.0+.
Custom delimiters can be applied on a per-template basis, or globally:
1let ejs = require('ejs'), 2 users = ['geddy', 'neil', 'alex']; 3 4// Just one template 5ejs.render('<p>[?= users.join(" | "); ?]</p>', {users: users}, {delimiter: '?', openDelimiter: '[', closeDelimiter: ']'}); 6// => '<p>geddy | neil | alex</p>' 7 8// Or globally 9ejs.delimiter = '?'; 10ejs.openDelimiter = '['; 11ejs.closeDelimiter = ']'; 12ejs.render('<p>[?= users.join(" | "); ?]</p>', {users: users}); 13// => '<p>geddy | neil | alex</p>'
EJS ships with a basic in-process cache for caching the intermediate JavaScript
functions used to render templates. It's easy to plug in LRU caching using
Node's lru-cache
library:
1let ejs = require('ejs'), 2 LRU = require('lru-cache'); 3ejs.cache = LRU(100); // LRU cache with 100-item limit
If you want to clear the EJS cache, call ejs.clearCache
. If you're using the
LRU cache and need a different limit, simple reset ejs.cache
to a new instance
of the LRU.
The default file loader is fs.readFileSync
, if you want to customize it, you can set ejs.fileLoader.
1let ejs = require('ejs'); 2let myFileLoad = function (filePath) { 3 return 'myFileLoad: ' + fs.readFileSync(filePath); 4}; 5 6ejs.fileLoader = myFileLoad;
With this feature, you can preprocess the template before reading it.
EJS does not specifically support blocks, but layouts can be implemented by including headers and footers, like so:
1<%- include('header') -%> 2<h1> 3 Title 4</h1> 5<p> 6 My page 7</p> 8<%- include('footer') -%>
Go to the Latest Release, download
./ejs.js
or ./ejs.min.js
. Alternately, you can compile it yourself by cloning
the repository and running jake build
(or $(npm bin)/jake build
if jake is
not installed globally).
Include one of these files on your page, and ejs
should be available globally.
1<div id="output"></div> 2<script src="ejs.min.js"></script> 3<script> 4 let people = ['geddy', 'neil', 'alex'], 5 html = ejs.render('<%= people.join(", "); %>', {people: people}); 6 // With jQuery: 7 $('#output').html(html); 8 // Vanilla JS: 9 document.getElementById('output').innerHTML = html; 10</script>
Most of EJS will work as expected; however, there are a few things to note:
ejs.renderFile()
won't work.include
s do not work unless you use an include callback
. Here is an example:1let str = "Hello <%= include('file', {person: 'John'}); %>", 2 fn = ejs.compile(str, {client: true}); 3 4fn(data, null, function(path, d){ // include callback 5 // path -> 'file' 6 // d -> {person: 'John'} 7 // Put your code here 8 // Return the contents of file as a string 9}); // returns rendered string
See the examples folder for more details.
EJS ships with a full-featured CLI. Options are similar to those used in JavaScript code:
-o / --output-file FILE
Write the rendered output to FILE rather than stdout.-f / --data-file FILE
Must be JSON-formatted. Use parsed input from FILE as data for rendering.-i / --data-input STRING
Must be JSON-formatted and URI-encoded. Use parsed input from STRING as data for rendering.-m / --delimiter CHARACTER
Use CHARACTER with angle brackets for open/close (defaults to %).-p / --open-delimiter CHARACTER
Use CHARACTER instead of left angle bracket to open.-c / --close-delimiter CHARACTER
Use CHARACTER instead of right angle bracket to close.-s / --strict
When set to true
, generated function is in strict mode-n / --no-with
Use 'locals' object for vars rather than using with
(implies --strict).-l / --locals-name
Name to use for the object storing local variables when not using with
.-w / --rm-whitespace
Remove all safe-to-remove whitespace, including leading and trailing whitespace.-d / --debug
Outputs generated function body-h / --help
Display this help message.-V/v / --version
Display the EJS version.Here are some examples of usage:
1$ ejs -p [ -c ] ./template_file.ejs -o ./output.html 2$ ejs ./test/fixtures/user.ejs name=Lerxst 3$ ejs -n -l _ ./some_template.ejs -f ./data_file.json
There is a variety of ways to pass the CLI data for rendering.
Stdin:
1$ ./test/fixtures/user_data.json | ejs ./test/fixtures/user.ejs 2$ ejs ./test/fixtures/user.ejs < test/fixtures/user_data.json
A data file:
1$ ejs ./test/fixtures/user.ejs -f ./user_data.json
A command-line option (must be URI-encoded):
1./bin/cli.js -i %7B%22name%22%3A%20%22foo%22%7D ./test/fixtures/user.ejs
Or, passing values directly at the end of the invocation:
1./bin/cli.js -m $ ./test/fixtures/user.ejs name=foo
The CLI by default send output to stdout, but you can use the -o
or --output-file
flag to specify a target file to send the output to.
VSCode:Javascript EJS by DigitalBrainstem
There are a number of implementations of EJS:
Licensed under the Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
EJS Embedded JavaScript templates copyright 2112 mde@fleegix.org.
The latest stable version of the package.
Stable Version
2
9.8/10
Summary
ejs is vulnerable to remote code execution due to weak input validation
Affected Versions
< 2.5.3
Patched Versions
2.5.5
9.8/10
Summary
ejs template injection vulnerability
Affected Versions
< 3.1.7
Patched Versions
3.1.7
1
7.5/10
Summary
ejs vulnerable to DoS due to weak input validation
Affected Versions
< 2.5.5
Patched Versions
2.5.5
2
4/10
Summary
ejs lacks certain pollution protection
Affected Versions
< 3.1.10
Patched Versions
3.1.10
6.1/10
Summary
mde ejs vulnerable to XSS
Affected Versions
< 2.5.5
Patched Versions
2.5.5
Reason
no dangerous workflow patterns detected
Reason
no binaries found in the repo
Reason
license file detected
Details
Reason
security policy file detected
Details
Reason
0 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 4
Reason
Found 5/18 approved changesets -- score normalized to 2
Reason
detected GitHub workflow tokens with excessive permissions
Details
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
project is not fuzzed
Details
Reason
branch protection not enabled on development/release branches
Details
Reason
Project has not signed or included provenance with any releases.
Details
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
Reason
10 existing vulnerabilities detected
Details
Score
Last Scanned on 2024-11-18
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More