safe-template-dsl
Pattern for adding safe conditional logic to user-editable templates without eval()
| field | value |
|---|---|
| name | safe-template-dsl |
| description | Pattern for adding safe conditional logic to user-editable templates without eval() |
| domain | security-and-templating |
| confidence | low |
| source | earned |
When templates are stored in a database and editable by users or admins, you must not run eval() or any other PHP code-execution path on the logic embedded in those templates. Instead, parse the template syntax as a small, safe DSL using regex, supporting only the specific operations you need.
Parse `{{#if var == "value"}}...{{/if}}` blocks using regex, not eval():

```php
// Regex to find conditional blocks (s flag lets the block body span multiple lines)
$pattern = '/\{\{#if\s+(.+?)\}\}(.*?)\{\{\/if\}\}/s';
// Runs inside a class method, so $this is bound in the closure automatically
$template = preg_replace_callback($pattern, function (array $matches) use ($vars): string {
    $condition = trim($matches[1]);
    $content = $matches[2];
    // Keep the block body only when the condition holds; otherwise drop it entirely
    return $this->evaluateCondition($condition, $vars) ? $content : '';
}, $template);
```
Handle || (OR) and && (AND) with correct precedence by splitting on || first:

```php
private function evaluateCondition(string $condition, array $vars): bool
{
    // Split by || first → gives && higher precedence (correct)
    if (str_contains($condition, '||')) {
        foreach (explode('||', $condition) as $part) {
            if ($this->evaluateCondition(trim($part), $vars)) {
                return true;
            }
        }
        return false;
    }
    if (str_contains($condition, '&&')) {
        foreach (explode('&&', $condition) as $part) {
            if (!$this->evaluateCondition(trim($part), $vars)) {
                return false;
            }
        }
        return true;
    }
    // No boolean operators left: a single comparison such as var == "value"
    return $this->evaluateComparison($condition, $vars);
}
```
Process conditionals BEFORE variable substitution. Conditionals need raw values to decide which blocks to keep; the kept blocks then get their {{variables}} substituted.
Any expression that doesn't match the supported pattern should log a warning and evaluate to false. Never silently succeed on unrecognized input.
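The steps above assembled into one runnable PHP class, as an added example that is not part of the skill's own code. The class name `SafeTemplate`, the `render()` method, the `evaluateComparison()` grammar and the sample template are assumptions: the skill names `evaluateComparison()` but does not define it, so the whitelist it accepts here (`identifier == "literal"` or `identifier != "literal"`, nothing else) is mine. Conditionals are resolved on raw values first, surviving blocks then get their `{{variables}}` substituted, and anything outside the grammar logs a warning and evaluates to false.

```php
<?php
declare(strict_types=1);

// Added example (not the skill's own code): an eval()-free renderer following the
// pattern above. SafeTemplate, render() and the comparison grammar are assumptions.
final class SafeTemplate
{
    /** @var list<string> warnings collected for unrecognized expressions */
    public array $warnings = [];

    public function render(string $template, array $vars): string
    {
        // Step 1: resolve {{#if ...}}...{{/if}} on raw values, BEFORE substitution.
        $pattern = '/\{\{#if\s+(.+?)\}\}(.*?)\{\{\/if\}\}/s';
        $template = preg_replace_callback($pattern, function (array $m) use ($vars): string {
            return $this->evaluateCondition(trim($m[1]), $vars) ? $m[2] : '';
        }, $template);

        // Step 2: substitute {{variables}} only in the blocks that survived.
        // Unknown variables render as an empty string rather than leaking the tag.
        return preg_replace_callback(
            '/\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}/',
            fn(array $m): string => (string)($vars[$m[1]] ?? ''),
            $template
        );
    }

    private function evaluateCondition(string $condition, array $vars): bool
    {
        // Split on || first so that && binds tighter: a && b || c == (a && b) || c
        if (str_contains($condition, '||')) {
            foreach (explode('||', $condition) as $part) {
                if ($this->evaluateCondition(trim($part), $vars)) {
                    return true;
                }
            }
            return false;
        }
        if (str_contains($condition, '&&')) {
            foreach (explode('&&', $condition) as $part) {
                if (!$this->evaluateCondition(trim($part), $vars)) {
                    return false;
                }
            }
            return true;
        }
        return $this->evaluateComparison($condition, $vars);
    }

    private function evaluateComparison(string $expr, array $vars): bool
    {
        // Whitelist grammar (assumed): <identifier> (==|!=) "<literal>" and nothing else.
        if (!preg_match('/^([A-Za-z_][A-Za-z0-9_]*)\s*(==|!=)\s*"([^"]*)"$/', $expr, $m)) {
            $this->warnings[] = "Unsupported expression: $expr";
            error_log("safe-template-dsl: unsupported expression, evaluating to false: $expr");
            return false; // fail closed; never silently succeed on unrecognized input
        }
        [, $name, $op, $literal] = $m;
        $actual = (string)($vars[$name] ?? '');
        return $op === '==' ? $actual === $literal : $actual !== $literal;
    }
}

// Constructed sample template, including a function call that must stay inert:
// it is never executed, only rejected by the whitelist and logged.
$template = <<<'TPL'
Hello {{name}},
{{#if plan == "pro" || plan == "enterprise"}}Thanks for being a paid member.{{/if}}
{{#if plan == "free" && region == "eu"}}EU free-tier notice applies.{{/if}}
{{#if phpinfo() == "x"}}never shown{{/if}}
TPL;

$engine = new SafeTemplate();
echo $engine->render($template, ['name' => 'Ada', 'plan' => 'free', 'region' => 'eu']);
print_r($engine->warnings);
```

Two limits of this pattern are worth knowing before relying on it: `explode('||', ...)` also splits inside a quoted literal (`plan == "a||b"` becomes two broken comparisons that both fail closed), and the non-greedy `(.*?)` does not support nested `{{#if}}` blocks, since the first `{{/if}}` closes the outer one. Both degrade safely (a warning and an empty block), which is the point of the fail-closed rule, but templates that need either feature call for a real tokenizer rather than a larger regex.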
Anti-pattern: eval() on user-editable content, which is an arbitrary code execution vulnerability.