Requests for comment/HTML templating library/Knockoff - Tassembly

During the discussion at the Architecture summit, DOM-based templating received a good amount of support for its security features. In particular, Knockout.js as a client-side solution was positively mentioned by several participants who had used it in previous projects. KnockoutJS is a purely client-side JS templating solution, which reactively reflects updates in a model. It is relatively light-weight (16k gzipped) and fairly extensible.

The question that we tried to answer after the summit was what it would take to provide an efficient server-side implementation of KnockoutJS in both JS and PHP. To establish a baseline, we ran KnockoutJS natively on node.js using a pure-JS DOM implementation (JSDOM). As expected, performance was not great. Heavy use of the pure-JS DOM and unnecessary reactivity resulted in performance close to that of PHP templating libraries.

As a next step, we designed a very simple JSON-based intermediate representation that captures the basics of templating while still supporting security properties like balancing of tags and context-sensitive attribute escaping:

The most basic of things
We will support auto-escaping of variables based on the context in which they are placed. In this case we would escape someVariable in an href context, and anotherVariable in an HTML context.
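The context-sensitive escaping described above, as an added example that is not part of the RFC or of the Knockoff/Tassembly code. It renders a constructed array-based IR; the node shapes `['text', key]` and `['attr', name, key]`, the scheme allowlist and the `#` fallback are assumptions made for illustration.

```javascript
'use strict';
// Added example: the IR below is constructed for illustration, not the RFC's format.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']); // assumed allowlist
const URL_ATTRS = new Set(['href', 'src']);

// HTML context: safe for element text and for double-quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// href context: entity escaping alone is not enough, because a value such as
// "javascript:..." contains nothing to escape. Check the scheme first.
function escapeHref(value) {
  const raw = String(value);
  // Browsers ignore tabs, newlines and leading whitespace when parsing a URL,
  // so strip them before looking for a scheme.
  const normalized = raw.replace(/[\u0000-\u0020]/g, '');
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(normalized);
  if (scheme && !SAFE_SCHEMES.has(scheme[1].toLowerCase())) {
    return '#'; // assumed fallback for a rejected URL
  }
  return escapeHtml(raw);
}

// Strings in the IR are trusted template markup; arrays are bindings whose
// model values are escaped according to the context the template author chose.
function render(ir, model) {
  return ir.map((node) => {
    if (typeof node === 'string') return node;
    const [kind, a, b] = node;
    if (kind === 'text') return escapeHtml(model[a] ?? '');
    if (kind === 'attr') {
      const escape = URL_ATTRS.has(a) ? escapeHref : escapeHtml;
      return ` ${a}="${escape(model[b] ?? '')}"`;
    }
    throw new Error('unknown IR node: ' + kind);
  }).join('');
}

// Constructed template: <a href="{someVariable}">{anotherVariable}</a>
const template = ['<a', ['attr', 'href', 'someVariable'], '>',
  ['text', 'anotherVariable'], '</a>'];

console.log(render(template, {
  someVariable: 'https://example.org/?a=1&b=2',
  anotherVariable: '<b>Tom & Jerry</b>',
}));
```

Because the markup strings come only from the template and every model value passes through an escaper chosen by position, a value cannot open or close tags, which is what keeps the output balanced.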

Template inclusions
Although not shown, you can also have anonymous templates that are declared in the template and then referenced by element id.

Conditionals
There is also an if binding, but for server-side rendering we should prefer visible so that the template does not get destroyed if the client side will do additional dynamic work.

Note: We're thinking about allowing simple expressions ( < > + - || && ), but for now in our prototypes we've explicitly disabled them. Future work :)

Looping
Note: The visible attribute is optional, but if left out the ul element will be left on the page.

... or ...