safe-template-dsl
// Pattern for adding safe conditional logic to user-editable templates without eval()
| field | value |
|---|---|
| name | safe-template-dsl |
| description | Pattern for adding safe conditional logic to user-editable templates without eval() |
| domain | security-and-templating |
| confidence | low |
| source | earned |
When templates are stored in a database and editable by users/admins, you cannot use eval() or any PHP code execution to process logic embedded in those templates. Instead, parse the template syntax as a safe DSL using regex, supporting only the specific operations you need.
Parse {{#if var == "value"}}...{{/if}} blocks using regex, not eval():
```php
// Regex to find conditional blocks (the s flag lets the block body span multiple lines)
$pattern = '/\{\{#if\s+(.+?)\}\}(.*?)\{\{\/if\}\}/s';
// Keep a block's body only when its condition holds; preg_replace_callback
// returns the rewritten string, so the result must be assigned
$template = preg_replace_callback($pattern, function ($matches) use ($vars) {
    $condition = trim($matches[1]);
    $content = $matches[2];
    return $this->evaluateCondition($condition, $vars) ? $content : '';
}, $template);
```
Handle || (OR) and && (AND) with correct precedence by splitting || first:
```php
private function evaluateCondition(string $condition, array $vars): bool
{
    // Split by || first → gives && higher precedence (correct)
    if (str_contains($condition, '||')) {
        foreach (explode('||', $condition) as $part) {
            if ($this->evaluateCondition(trim($part), $vars)) return true;
        }
        return false;
    }
    if (str_contains($condition, '&&')) {
        foreach (explode('&&', $condition) as $part) {
            if (!$this->evaluateCondition(trim($part), $vars)) return false;
        }
        return true;
    }
    // No operators left: a single comparison such as var == "value"
    return $this->evaluateComparison($condition, $vars);
}
```
Process conditionals BEFORE variable substitution. Conditionals need raw values to decide which blocks to keep; the kept blocks then get their {{variables}} substituted.
Any expression that doesn't match the supported pattern should log a warning and evaluate to false. Never silently succeed on unrecognized input.
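The whole pattern put together as an added example (not code from the original skill): a minimal engine that processes conditionals before substitution, gives `&&` precedence over `||`, and fails closed on anything it does not recognise. The class and method names, the `!=` operator and the variable-substitution regex are assumptions; nested `{{#if}}` blocks and parentheses are not supported.

```php
<?php
// Added example, not the page's own code; class and method names are assumptions.
final class SafeTemplate {
    private const COND = '/\{\{#if\s+(.+?)\}\}(.*?)\{\{\/if\}\}/s';
    private const VARS = '/\{\{\s*([A-Za-z_]\w*)\s*\}\}/';
    // Only `var == "literal"` and `var != "literal"` are recognised comparisons.
    private const CMP  = '/^([A-Za-z_]\w*)\s*(==|!=)\s*"([^"]*)"$/';
    public array $warnings = []; // unrecognised expressions, to be logged by the caller
    public function render(string $template, array $vars): string {
        // 1. Conditionals first, decided on raw values.
        $kept = preg_replace_callback(self::COND, function (array $m) use ($vars): string {
            return $this->evaluateCondition(trim($m[1]), $vars) ? $m[2] : '';
        }, $template);
        // 2. Then substitute {{variables}} inside the blocks that survived.
        return preg_replace_callback(self::VARS, function (array $m) use ($vars): string {
            return (string) ($vars[$m[1]] ?? '');
        }, $kept);
    }

    private function evaluateCondition(string $cond, array $vars): bool {
        if (str_contains($cond, '||')) { // split || first, so && binds tighter
            foreach (explode('||', $cond) as $part) {
                if ($this->evaluateCondition(trim($part), $vars)) return true;
            }
            return false;
        }
        if (str_contains($cond, '&&')) {
            foreach (explode('&&', $cond) as $part) {
                if (!$this->evaluateCondition(trim($part), $vars)) return false;
            }
            return true;
        }
        return $this->evaluateComparison($cond, $vars);
    }

    private function evaluateComparison(string $expr, array $vars): bool {
        if (!preg_match(self::CMP, $expr, $m)) {
            $this->warnings[] = "Unsupported template expression: $expr"; // fail closed
            return false;
        }
        $actual = (string) ($vars[$m[1]] ?? '');
        return $m[2] === '==' ? $actual === $m[3] : $actual !== $m[3];
    }
}
// Constructed sample: OR/AND precedence plus one unsupported expression (single "=").
$tpl = 'Hi {{name}}. {{#if plan == "pro" || role == "admin"}}Pro on.{{/if}}'
     . '{{#if plan == "free" && beta == "yes"}}Beta.{{/if}}{{#if role = "admin"}}never{{/if}}';
$engine = new SafeTemplate();
echo $engine->render($tpl, ['name' => 'Ada', 'plan' => 'free', 'role' => 'admin', 'beta' => 'no']), "\n";
foreach ($engine->warnings as $w) error_log($w);
```

With these sample values the OR block is kept because `role` matches, the AND block is dropped because `beta` does not, and the `role = "admin"` block is rejected and recorded in `$warnings` rather than silently evaluated.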
eval() on user-editable content — arbitrary code execution vulnerability