Added support of object property iterators, e.g. for (key in obj) {...}

Notation is similar to array iterators, '@' char is used instead of '~':

{{@ {one: 1, two: 2, three: 3} :val :key}}
    {{=key}} = {{=val}}
{{@}}

Also, this can iterate only own properties – with additional '@':

{{ obj = (function() {
    function O() {
        this.four = 4;
    }
    O.prototype = { one: 1, two: 2, three: 3 };
    return new O;
})(); }}

{{@@ obj :val :key}}
    {{=key}} = {{=val}}
{{@@}}

Suggested continuation from https://github.com/olado/doT/issues/281 and as was originally described in "Part B" of https://hackerone.com/reports/390929

If you agree, I can submit the suggested fix as a PR

Description

First, note that with the addition of default function parameters in ES2015, it is easy to evaluate arbitrary JS expressions if you have access to arg in new Function(arg, body), for example new Function("x=alert(2+2)","return x")

Next, note that calling doT.process({}) without specifying templateSettings (which is the intended way of using the function when not attempting to override defaults) will allow a templateSettings property to be taken from o's prototype:

So, with a previously exploited prototype pollution vulnerability, doT can be caused to run arbitrary code stored as a string in that prototype:

/*elsewhere*/
Object.prototype.templateSettings = {varname:"x=alert(1+1)"};
/* in app code */
const templates = require("dot").process({path: "./my_trusted_templates_that_I_wrote"});
templates.mytemplate(data); // Executes code specified by prototype

### Suggested fix

On line 45, highlighted above, replace `... o.templateSettings ? ...` with `... Object.prototype.hasOwnProperty.call(o,"templateSettings") ? ...`


### Aside - similar but unaffected property
![image](https://user-images.githubusercontent.com/5790026/69501734-c68a5980-0ed5-11ea-81ab-ea70d264cb1a.png)
^ Here, a similar issue could be present with `Object.prototype.varname` but upon closer inspection, I don't think it's a significant issue since doT users are prevented from omitting the varname property in normal doT usage

doT installed as dependency provides dottojs binary, but it doesn't work:

$ ./node_modules/.bin/dottojs --help

module.js:340
    throw err;
          ^
Error: Cannot find module 'commander'

I love doT, but there has been no commit for over a year now. There are 35 interesting pull request out there. I myself would like to have some Object iterator built in.

Please @olado consider those pull request. Merge or close. If you have no time for this project ... why not assign it to somebody else?

it is possible to do this way I used to use this javascript functions or regex in ejs in .dot? . I explain in this question

<%= blog.created_at.getFullYear() %> <%= blog.short_name.replace(new RegExp(" ", "g"), "-") %> <%= blog.content.match(/<img[^>]+src="([^">]+)/)[1] %>

but I have trouble making this work in .dot engine. I know my problem are javascript function, regex and match I'm using. meaning bold part, is not correct here ( getFullYear() , replace(new RegExp(" ", "g"), "-") , match(/]+src="([^">]+)/)[1] )

{{= blog.created_at.getFullYear() }} {{= blog.short_name.replace(new RegExp(" ", "g"), "-") }} {{= blog.content.match(/<img[^>]+src="([^">]+)/)[1] }}

thanks in advance

{{=it.number1}}{{=it.number2}}

evaluates to var += (it.number1)+(it.number2); which results in var += (it.number1 + it.number2);. It then concatenates the resulting number to var, which is bad.

Please evaluate it as var += String(it.number1)+String(it.number2); — this is what users really want, I think.

Quick fix: change the lines 46 - 49 from:

    var startend = {
        append: { start: "'+(", end: ")+'", endencode: "||'').toString().encodeHTML()+'" },
        split: { start: "';out+=(", end: ");out+='", endencode: "||'').toString().encodeHTML();out+='"}
    }, skip = /$^/;

to:

    var startend = {
        append: { start: "'+String(", end: ")+'", endencode: "||'').toString().encodeHTML()+'" },
        split: { start: "';out+=String(", end: ");out+='", endencode: "||'').toString().encodeHTML();out+='"}
    }, skip = /$^/;

Is possible to use doT template with requirejs?? I mean, put the templates in a folder and dynamically pull this templates.. When build process run (r.js), precompile this templates?

I added a single function to the node module (index.js) to support the Express framework.

No dependencies. The main doT.js remains untouched.

I guess there's reasons for this to be in its own module/repo, as in https://github.com/cstigler/express-dot and also reasons for this to be included in doT.

You could also have an express.js file in the repo with some more functionality (like cache support) and require it in index.js

I think it's useful to just include the doT module in for project and use it right away with Express, which seems to be widely adopted (I don't know statistically). I've been using it like that for a while.

Usage in an Express app is simple, as expected:

app.set('view engine', 'dot');

if you're using .dot files. Or:

app.engine('html', require('dot').__express);
app.use('view engine', 'html');

if you want to use any other extension.

I hope this is useful if it makes sense to you.

Happy new year.

I am working on an application server and the ability to identify and handle various templating engines is important. Right now we are handling detection of doT by looking at the shape of the template engine. Would be nice to have a single field to check like handlebars has, for instance.

This adds an engine attribute so that it will be easy to detect in the future.

a dev on my team just added some doT templates to our app. we've had a lengthy discussion regarding it, and my final "please don't use this" landed here:

• https://github.com/olado/doT/blob/master/doT.js#L45

there is absolutely no reason you need to inject your own methods onto native prototypes. especially methods that don't even work correctly.

Hi, It would be nice if there was a context delimeter. Instead of needing to add "it" as a prefix for every data reference.

<div>Hi {{=it.name}}!</div>
<div>{{=it.age || ''}}</div>

becomes

{{$ it}}
<div>Hi {{=name}}!</div>
<div>{{=age || ''}}</div>
{{$}}

Or in a more complex scenario with nesting

var data = {
  "name": "Jake",
  "age":31,
  "mother":"Kate",
  "father":"John",
  "interests": ["basketball","hockey","photography"],
  "contact": {
    "email":"[email protected]",
    "phone":"999999999"
  }
}

Could be used like this:

{{$ it}}
  <div>I'm {{=name}} and I love..</div>
  <ul>
    {{~interests :value}}
      <li>{{=value}}!</li>
    {{~}}
  </ul>
  <div>Please contact me</div>
  {{$ contact}}
    Phone: {{=phone}}
    Email: {{=email}}
  {{$}}
{{$}}

I roughly tried something along these lines in my fork some time back but never really tested or used it. This give a few big advantages. 1) Easier to read the templates without "it" everywhere. 2) If the data structure ever changes- (i.e. something gets nested inside another object when previously it had not) fixing the template is simply a matter of adding a new context delimiter.

Thoughts? Thanks!

I was messing around with the new delimiters option released in 2.0.0-beta.1 and found out that setting { and } as start and end delimiters respectively, breaks in some cases.

const dot = require('dot')

const tmpl = dot.template('{?merchant}/{=merchant}{?}/{=version}/{=product}', {
  argName: ['merchant', 'version', 'product'],
  delimiters: { start: '{', end: '}' },
})

tmpl({ product: 'cookie', version: '1.0.0', merchant: '243' }) 🐛 

// Could not create a template function: let out='';if(merchant)';out+='/'+(merchant);out+='out+='/'+(version)+'/'+(product);return out;
Uncaught SyntaxError: Unexpected identifier

If I don't use conditionals in my template string, the rendering works fine.

const tmpl = dot.template('/{=merchant}/{=version}/{=product}', {
  argName: ['merchant', 'version', 'product'],
  delimiters: { start: '{', end: '}' },
})

tmpl({ product: 'cookie', version: '1.0.0', merchant: '243' }) ✅ 
// '/243/1.0.0/cookie'

Other delimiters that I've tried, such as [ and ], seem to work fine in all scenarios, though.

Issue: There is no package-lock.json or npm-shrinkwrap.json file uploaded to the GitHub repository https://github.com/olado/doT

Questions: We are conducting a research study on the lock files used in JS projects. We were curious:

1. Will you upload any lock files to GitHub as recommended above? (Yes/No), and why?:
2. Do you have any additional comments? (If so, please write it down):

For any publication or research report based on this study, we will share all responses from developers in an anonymous way. Both your projects and personal information will be kept confidential.

Rationale: NPM introduced package-lock.json and npm-shrimpwrap.json files to capture the exact dependency tree installed at any point in time. When package.json defines the required dependencies and their respective versions using semantic versioning (e.g., “express”: “^4.16.4”), npm always downloads the latest version of packages to satisfy the specified version ranges (e.g., 4.17.1)[1]. If the latest version of any package keeps changing and has backward incompatibility issues with previous versions, the project may have an inconsistent running environment and get intermittent failures. In such scenarios, it can be very difficult for developers to debug programs and settle down the software environment [2].

List of Risks:

• Nondeterministic package downloads and installations across different environments [3]
• Produce irreproducible builds [4]
• Inconsistent results of program execution [5]

Suggested Solution: Please fixate the dependencies by either specifying the exact library version in the package.json file or by uploading the package-lock.json or npm-shrinkwrap.json file to GitHub.

References: https://docs.npmjs.com/cli/v7/configuring-npm/package-lock-json https://blog.logrocket.com/why-you-should-use-package-lock-json/ 2019. 10 npm Security Best Practices. https://snyk.io/blog/ten-npm-security-best-practices/. Pronnoy Goswami, Saksham Gupta, Zhiyuan Li, Na Meng, and Daphne Yao. 2020. Investigating The Reproducibility of NPM Packages. In2020 IEEE International 2021. Npm Security Best Practices. https://bytesafe.dev/posts/npm-security-best-practices/#no9-deterministic-results.

Hi Folks, I came across some simple yet efficient Template engine 'Dot-js'. Created a VS - Code Extension. Feel free to explore that.

https://github.com/Deepthi1496/doT-template-snippet

If you like this extension, provide comments and Stars - which makes me understand you appreciate the work and help the community for the better :)

Given this template, it should render a CSV output with no empty lines

host,pin,subject
{{~ it :e }}
{{=e.host}},{{=e.hash}},{{=e.subject.CN}}
{{~}}

However, the output contains an empty line after the header and after each of the arrays items. Currently this template has to be used to get a proper formatted CSV output:

host,pin,subject{{~ it :e }}
{{=e.host}},{{=e.hash}},{{=e.subject.CN}}{{~}}

which is rather ugly. Will this be fixed in V2?

I am using V2 doT like so:

import * as doT from 'doT';

const tmpl = doT.template("{{=foo}}{{=bar}}", {argName: ["foo", "bar"]})
tmpl({foo: 1, bar: 2}) // "12"

And it works just dandy. However, I am not seeing any types. In vscode I get the following message on my import:

Could not find a declaration file for module 'doT'. 'node_modules/dot/doT.js' implicitly has an 'any' type.ts(7016)

Am I missing something? It would be helpful to see an example with working types.