Menu
Pattern for adding safe conditional logic to user-editable templates without eval()
Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.
Based on SOC occupation classification
Comprehensive code verification toolkit for the KMP application. Run all quality checks (PHPUnit, Jest, Webpack, PHPCS, PHPStan) and get guidance on writing tests and verifying production readiness.
Badge/notification counts must use identical permissions and be a subset of the list view they link to
Comprehensive spreadsheet creation, editing, and analysis with support for formulas, formatting, data analysis, and visualization. When Claude needs to work with spreadsheets (.xlsx, .xlsm, .csv, .tsv, etc) for: (1) Creating new spreadsheets with formulas and formatting, (2) Reading or analyzing data, (3) Modify existing spreadsheets while preserving formulas, (4) Data analysis and visualization in spreadsheets, or (5) Recalculating formulas
Manage plan tasks using the beads distributed, git-backed graph issue tracker. Supports creating, updating, closing tasks, managing dependencies, and syncing with git.
Automatically install and manage Agent Skills from GitHub repositories. Use when asked to "install a skill", "add a skill", "find skills", "browse skills", "get skills from GitHub", or when the user needs a specific capability that might exist as a community skill. Supports anthropics/skills, github/awesome-copilot, and custom GitHub repositories.
tools and instructions for performing a security audit and penetration testing on the KMP application.
| name | safe-template-dsl |
| description | Pattern for adding safe conditional logic to user-editable templates without eval() |
| domain | security-and-templating |
| confidence | low |
| source | earned |
When templates are stored in a database and editable by users/admins, you cannot use eval() or any PHP code execution to process logic embedded in those templates. Instead, parse the template syntax as a safe DSL using regex, supporting only the specific operations you need.
Parse {{#if var == "value"}}...{{/if}} blocks using regex, not eval():
// Regex to find conditional blocks (s flag for multiline content)
$pattern = '/\{\{#if\s+(.+?)\}\}(.*?)\{\{\/if\}\}/s';
preg_replace_callback($pattern, function ($matches) use ($vars) {
$condition = trim($matches[1]);
$content = $matches[2];
return $this->evaluateCondition($condition, $vars) ? $content : '';
}, $template);
Handle || (OR) and && (AND) with correct precedence by splitting || first:
// Split by || first → gives && higher precedence (correct)
if (str_contains($condition, '||')) {
foreach (explode('||', $condition) as $part) {
if ($this->evaluateCondition(trim($part), $vars)) return true;
}
return false;
}
if (str_contains($condition, '&&')) {
foreach (explode('&&', $condition) as $part) {
if (!$this->evaluateCondition(trim($part), $vars)) return false;
}
return true;
}
return $this->evaluateComparison($condition, $vars);
Process conditionals BEFORE variable substitution. Conditionals need raw values to decide which blocks to keep; the kept blocks then get their {{variables}} substituted.
Any expression that doesn't match the supported pattern should log a warning and evaluate to false. Never silently succeed on unrecognized input.
eval() on user-editable content — arbitrary code execution vulnerability