Utility.EExSafeEngine (Portico/Z v0.1.0)

Custom EEx engine that only allows certain Elixir Kernel constructs.

Security + Code Injection

The general idea here is that:

  1. We want folks to be able to do logic as well as field references in their HTML templates.
    • Example: <%= 1 + 1 %> or <%= if x, do: "y" %>
  2. We do not want folks to be able to make system calls, mess with databases, or anything else.
    • Example: <%= File.rm "/all_your_data" %>
  3. Default EEx templates are designed mostly to be compiled ahead of time with trusted data references. Evaluating templates that contain unknown user data would be a huge security hazard, because code injection is 100% possible.
  4. We can get rid of the bad parts of code injection by simply disabling any Elixir or Erlang module name reference, and only allowing native operators and control flow like +, if/then etc.

Module Exceptions

Currently functions from the following modules will be allowed because they're just so danged handy:

All other module / function calls, including calls into Erlang modules (for example :sys), will cause the template to render "SYNTAX ERROR" as its body text.
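The check described above, as an added example that is not the Portico/Z engine's own code: an EEx engine whose handle_expr/3 walks each template expression before it is compiled, rejects remote calls (Mod.fun or :erl_mod.fun) whose module is not on an allowlist, and rejects calls whose module is only known at runtime. The allowlist (Enum, String, Map) is an assumption for the example, since the page does not list the permitted modules; the @denied_locals list is also an addition here, covering Kernel forms such as apply/3 and import that reach a module without dotted syntax and would otherwise slip past a check that looks only for Mod.fun nodes. The engine delegates everything else to the defaults in EEx.Engine and rewrites @field assigns with EEx.Engine.handle_assign/1, so field references keep working.

```elixir
defmodule SafeEngineExample do
  @moduledoc """
  Added example (not the Portico/Z Utility.EExSafeEngine code): an EEx engine
  that only lets template expressions reach an allowlisted set of modules.
  """
  @behaviour EEx.Engine

  # Placeholder allowlist for the example; the page does not state the real one.
  @allowed_modules [Enum, String, Map]

  # Local (non-dotted) forms that reach arbitrary modules or rebind names.
  # A check that only looks for `Mod.fun` nodes would miss these.
  @denied_locals [:apply, :import, :require, :alias, :use, :spawn, :spawn_link,
                  :spawn_monitor, :send, :binding, :var!, :quote, :unquote,
                  :defmodule, :def, :defp, :__ENV__, :__MODULE__, :__CALLER__]

  @impl true
  defdelegate init(opts), to: EEx.Engine
  @impl true
  defdelegate handle_body(state), to: EEx.Engine
  @impl true
  defdelegate handle_begin(state), to: EEx.Engine
  @impl true
  defdelegate handle_end(state), to: EEx.Engine
  @impl true
  defdelegate handle_text(state, meta, text), to: EEx.Engine

  @impl true
  def handle_expr(state, marker, expr) do
    # Inspect the user's expression first: assign rewriting below inserts
    # engine-generated EEx.Engine.fetch_assign!/2 calls that must not trip it.
    raise_on_module_calls(expr)
    expr = Macro.prewalk(expr, &EEx.Engine.handle_assign/1)
    EEx.Engine.handle_expr(state, marker, expr)
  end

  @doc "Walks an expression AST and raises on any module reference outside the allowlist."
  def raise_on_module_calls(ast) do
    Macro.prewalk(ast, &check_node!/1)
    :ok
  end

  # Remote call: `Mod.fun(...)`, `:erl_mod.fun(...)`, or `&Mod.fun/arity`.
  defp check_node!({{:., _, [head, fun]}, _, _} = node) when is_atom(fun) do
    case module_name(head) do
      {:ok, mod} when mod in @allowed_modules -> node
      {:ok, mod} -> deny("#{inspect(mod)}.#{fun}")
      # The module is a runtime value (a variable, a field, an expression), so
      # its identity cannot be checked here; reject it outright.
      :error -> deny("dynamic call .#{fun}")
    end
  end

  # Local form that can reach modules or rebind names without a dot.
  defp check_node!({name, _, _}) when name in @denied_locals do
    deny(Atom.to_string(name))
  end

  defp check_node!(node), do: node

  defp module_name({:__aliases__, _, parts}) do
    if Enum.all?(parts, &is_atom/1), do: {:ok, Module.concat(parts)}, else: :error
  end

  # Erlang modules (:sys, :os, ...) and already-expanded aliases are plain atoms.
  defp module_name(mod) when is_atom(mod), do: {:ok, mod}
  defp module_name(_), do: :error

  defp deny(what), do: raise(ArgumentError, "module call not allowed in template: #{what}")

  @doc "Renders a template with this engine; rejected code yields \"SYNTAX ERROR\" as the body."
  def render(template, assigns \\ []) do
    EEx.eval_string(template, [assigns: assigns], engine: __MODULE__)
  rescue
    _ in [ArgumentError, EEx.SyntaxError] -> "SYNTAX ERROR"
  end
end

# Expected behaviour (assigns are constructed sample data):
#   SafeEngineExample.render("<%= 1 + 1 %>")                           => "2"
#   SafeEngineExample.render(~s(<%= if @x, do: "y" %>), x: true)      => "y"
#   SafeEngineExample.render(~s(<%= File.rm "/all_your_data" %>))    => "SYNTAX ERROR"
#   SafeEngineExample.render("<%= :sys.get_state(self()) %>")        => "SYNTAX ERROR"
```

The rejection happens while EEx compiles the template, before any code is evaluated, so a disallowed call never runs even partially. Rejecting dynamic call heads also means dotted map access such as @user.name is refused by this conservative version; an allowlisted Map.get/2 gives templates the same field access without leaving a path to an arbitrary module.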

Summary

Functions

Callback implementation for EEx.Engine.handle_begin/1.

Callback implementation for EEx.Engine.handle_body/1.

Callback implementation for EEx.Engine.handle_end/1.

Callback implementation for EEx.Engine.init/1.

Make damned sure that no unacceptable module calls are possible from EEx templates.

Functions

handle_begin(state)

Callback implementation for EEx.Engine.handle_begin/1.

handle_body(state)

Callback implementation for EEx.Engine.handle_body/1.

handle_end(state)

Callback implementation for EEx.Engine.handle_end/1.

handle_expr(state, marker, expr)

Callback implementation for EEx.Engine.handle_expr/3.

handle_text(state, meta, text)

Callback implementation for EEx.Engine.handle_text/3.

Callback implementation for EEx.Engine.init/1.

raise_on_module_calls(ast)

Make damned sure that no unacceptable module calls are possible from EEx templates.