Laminate: Safe User templates for Ruby apps
With today’s announcement of our new VodSpot 2.0 product, we are also introducing a new page templating system we call Laminate. We built Laminate for the purpose of allowing our VodSpot users to modify the template pages used to generate their video sites.
Laminate is very similar in purpose and motivation to the Liquid Template system. Both systems aim to offer an HTML-based templating system that can safely execute user-written templates. However, where Liquid introduces its own syntax, Laminate takes a different approach.
Laminate works by binding the Lua language runtime into the Ruby runtime. Lua is not super widely known, but it was purpose-built to be an embedded language. It sees heavy use today as the scripting language for World of Warcraft and Adobe Lightroom.
Even better, Lua is a very simple language. Here’s a basic “print hello world ten times” program:
for i=1,10 do
  print "hello world"
end
By embedding Lua into Ruby, we get a full-featured programming language that also executes in a nice sandbox where it can’t do anything malicious. Inside one of our Laminate templates, this would just look like:
{{ for i=1,10 do }}
  <h3>hello world</h3>
{{ end }}
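How a template like the one above could be turned into plain Lua source before it runs in the sandbox, as an added example that is not Laminate's own code: `_out`, `lua_quote` and `compile_template` are hypothetical names, and only the `{{ ... }}` statement form shown on this page is handled.

```ruby
# Added illustration, not Laminate's implementation. `_out` is a hypothetical
# function the host would define inside the Lua sandbox to collect output.

LUA_ESCAPES = {
  "\\" => "\\\\", '"' => '\\"', "\n" => "\\n", "\r" => "\\r", "\x00" => "\\000"
}.freeze

# Quote literal template text as a Lua string so that quotes, backslashes
# and newlines in the HTML cannot end the literal early.
def lua_quote(text)
  '"' + text.gsub(/[\\"\n\r\x00]/) { |c| LUA_ESCAPES[c] } + '"'
end

# Translate a template into Lua source: text outside {{ }} becomes _out()
# calls, text inside is copied through as Lua statements. The first "}}"
# after a "{{" ends the block, so Lua code containing "}}" is not supported.
def compile_template(src)
  lua = []
  pos = 0
  while (start = src.index('{{', pos))
    stop = src.index('}}', start + 2)
    raise ArgumentError, "unclosed {{ at offset #{start}" unless stop
    text = src[pos...start]
    lua << "_out(#{lua_quote(text)})" unless text.empty?
    lua << src[(start + 2)...stop].strip
    pos = stop + 2
  end
  tail = src[pos..-1]
  lua << "_out(#{lua_quote(tail)})" unless tail.empty?
  lua.join("\n")
end

# Constructed sample: the template shown above.
SAMPLE = "{{ for i=1,10 do }}\n<h3>hello world</h3>\n{{ end }}\n"

puts compile_template(SAMPLE) if __FILE__ == $PROGRAM_NAME
```

The generated source only calls `_out`, so what a template can reach is decided entirely by which functions the host chooses to define in the Lua state that runs it.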
So in comparison to Liquid, I think Laminate offers a more powerful templating language. That may be good or bad depending on your circumstances. To offer truly powerful customization to our VodSpot users, including the ability to build whole new functions and access data that we might not even have envisioned, we wanted to give the template writer a “full” programming language. Note that this does come at a possible cost in reliability. Liquid is pretty much guaranteed to be reliable since it’s 100% Ruby, while running arbitrary Lua inside your Ruby interpreter definitely poses some additional risks.
Laminate is built on the Lua->Ruby integration library Rufus-Lua which was created by John Mettraux. A big thanks goes out to John who spent tons of time extending Rufus-Lua with new features for us.
We are providing Laminate as open source under the MIT license. You can check it out here:
http://github.com/scottpersinger/laminate/tree/master
The README up there has much more information, including installation instructions. Please note that I am still working with John to integrate into Rufus-Lua changes that Laminate relies upon. We should get everything worked out over the next day or two.
Finally, you can check out the Laminate wiki that we created to support our VodSpot product. It’s got a bunch more useful information and shows how we are using Laminate in a real product.