We've got a "catch-all" in app.js that renders a .jade file if it exists:

app.js:

    app.get('*', routes.render);

index.js:

    var fs = require('fs');

    // Exported so that app.js can reference it as routes.render.
    exports.render = function (req, res) {
        // req.url is used as-is: it still carries any query string, and any
        // "." or ".." segments are passed straight through to the filesystem
        // check and on to res.render().
        fs.exists('views' + req.url + '.jade', function (exists) {
            if (exists) {
                // substring: "/admin" -> "admin"
                res.render(req.url.substring(1));
            } else {
                res.status(404);
                res.render('404', {url: req.url});
            }
        });
    };
Problem is, we've either got to move everything we don't want rendered this way into another folder, which is a hassle, or create a manual blacklist. Is there a better way of doing this?
Comments:

Florian Margaine (Mar 1, 2013 at 19:34): I guess this is only for static pages?

SomeKittens (Mar 1, 2013 at 19:45): Only for pages that don't require additional parameters (for example "About Us").
1 Answer
Here are some examples of how most apps do it:

- Apache renders everything in the folder. If you want to hide access to a subfolder, you do that with an .htaccess in this subfolder.
- Define each route yourself. This'd mean having a whitelist in your case (in some array or something).
- Keep the routes in the database. This allows you to handle permissions easily.

I haven't often seen the blacklist way. Why? Because of a simple security principle: blacklists may accidentally treat bad input as safe.
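The following is an added example, not code from the question or the answer above, showing the whitelist approach from the second bullet next to a blacklist built on the question's `req.url.substring(1)` logic. The names `ALLOWED_VIEWS`, `BLOCKED_VIEWS`, `blacklistView`, `whitelistView`, `decide` and the injected `viewExists` callback are all assumptions made for this example; the view names in the sets are constructed. The route decision is kept out of Express so it runs and can be checked without a server.

```javascript
'use strict';

// Constructed whitelist for the example: the only view names the catch-all
// may render. Anything else is a 404, regardless of what exists on disk.
const ALLOWED_VIEWS = new Set(['index', 'about', 'contact']);

// Constructed blacklist, mirroring the question's req.url.substring(1) logic,
// kept only to show why the answer distrusts blacklists.
const BLOCKED_VIEWS = new Set(['admin']);

// Blacklist version: strip the leading "/" and refuse known-bad names.
// Returns the view name to render, or null to send a 404.
function blacklistView(reqUrl) {
  const name = reqUrl.substring(1);
  return BLOCKED_VIEWS.has(name) ? null : name;
}

// Whitelist version: reduce req.url to a single plain path segment and accept
// it only if it is one of ALLOWED_VIEWS. Returns the view name or null.
function whitelistView(reqUrl) {
  // req.url carries the query string and fragment; drop them before matching.
  const pathname = reqUrl.split(/[?#]/, 1)[0];
  let decoded;
  try {
    decoded = decodeURIComponent(pathname); // "/%61bout" -> "/about"
  } catch (e) {
    return null; // malformed percent-encoding is not a page name
  }
  // Exactly one segment of [A-Za-z0-9_-]: this rejects ".", "..", nested
  // paths and anything else that could escape the views directory.
  const match = /^\/([A-Za-z0-9_-]+)$/.exec(decoded);
  if (!match) return null;
  const name = match[1];
  return ALLOWED_VIEWS.has(name) ? name : null;
}

// Route decision, separated from Express so it can be unit-tested.
// viewExists(name) stands in for the question's fs.exists check and is
// injected; the real handler would check 'views/' + name + '.jade'.
function decide(reqUrl, viewExists) {
  const name = whitelistView(reqUrl);
  if (name !== null && viewExists(name)) {
    return { status: 200, view: name };
  }
  return { status: 404, view: '404' };
}

// Wiring into the question's catch-all would look like this (not executed here):
//   app.get('*', function (req, res) {
//     var d = decide(req.url, function (n) {
//       return fs.existsSync('views/' + n + '.jade');
//     });
//     res.status(d.status);
//     res.render(d.view, { url: req.url });
//   });
```

The bypass the blacklist misses is `/./admin`: with the question's handler, `fs.exists('views/./admin.jade')` is true whenever `views/admin.jade` exists, the string `./admin` is not equal to the blacklisted `admin`, and `res.render('./admin')` resolves to the same file inside the views directory. The whitelist version never consults the disk with attacker-controlled text; it maps the URL to one of a fixed set of names first, so `.` and `..` segments, encoded traversal and query strings all fall through to the 404 branch, and a whitelisted name whose file is missing still 404s.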