Safe-by-default templates
~ 5 KiB minified + gzipped
Small, predictable templates — no code execution.
Hello {{ name | trim | upper }}!
cryTemplate is a lightweight template engine with zero runtime dependencies. Interpolations are HTML-escaped by default, and templates cannot execute arbitrary JavaScript — just string magic with interpolation, control flow, iteration, filters, and HTML escaping. 💪
Live Playground
Edit the template and data. The output re-renders live in your browser using the bundled cryTemplate runtime.
Template
Use {{ ... }}, {% if %}, {% each %}, and filters.
Data (JSON)
This JSON becomes the root scope.
Output
Rendered as text (escaped output stays visible).
{{ value }} with {{= value }}.
Features
Focused, practical templating with predictable behavior.
Safe-by-default
Interpolations are HTML-escaped by default. Raw output is explicit with {{= ... }}.
No arbitrary code execution
Templates don’t run JavaScript. No eval, no function calls — just identifier/dot-path lookups.
Minimal control flow
Use {% if %}/{% else %} and {% each %} loops for common cases. One newline after a valid %} is trimmed automatically.
Filters
Pipe values through built-in and custom filters: {{ name | trim | upper }}.
Fail-safe parsing
Malformed tokens degrade safely to literal text. Rendering should not explode at runtime.
ESM, CJS, Browser
Use it in Node, bundlers, or directly in the browser via the IIFE build.
Security posture
Designed to reduce risk in user-controlled template scenarios.
- No code execution: Templates are a restricted language, not JavaScript.
- Escaping by default: Helps prevent accidental HTML injection.
- Predictable resolution: Key lookups are restricted to object paths.
- Fail safe: Malformed tokens degrade instead of throwing.
For full syntax and guarantees, see the README in the repository.
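The four properties listed under "Security posture", shown together in a small interpolation-only renderer. This is an added sketch, not cryTemplate's source or API: `render`, `lookup`, `FILTERS` and `TOKEN` are hypothetical names, and the own-property lookup policy and the handling of unknown filters are assumptions made for the illustration.

```javascript
// Added sketch (not cryTemplate's code): interpolation only, no control flow.
const ESC = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => ESC[c]);
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Filters are a fixed allowlist of pure string functions (names taken from the page).
const FILTERS = Object.freeze({
  trim: (s) => String(s).trim(),
  upper: (s) => String(s).toUpperCase(),
});

// Resolve "a.b.c" through own properties only, so "constructor" or "__proto__"
// never reach the prototype chain. Functions are never returned or called.
// (Assumed policy for this sketch.)
function lookup(scope, path) {
  let cur = scope;
  for (const key of path.split(".")) {
    if (cur === null || typeof cur !== "object" || !own(cur, key)) return "";
    cur = cur[key];
  }
  return cur == null || typeof cur === "function" ? "" : cur;
}

// Strict token grammar: optional "=", a dot-path of identifiers, then "| filter" steps.
// Parentheses, operators or quotes cannot match, so no expression is ever evaluated.
const TOKEN =
  /\{\{(=?)\s*([A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*)((?:\s*\|\s*[A-Za-z_]\w*)*)\s*\}\}/g;

function render(template, data) {
  // Text that does not match TOKEN is never touched: malformed tokens stay literal.
  return template.replace(TOKEN, (whole, raw, path, pipe) => {
    const names = pipe.split("|").map((n) => n.trim()).filter(Boolean);
    // Unknown filter: keep the token as literal text (assumption of this sketch).
    if (!names.every((n) => own(FILTERS, n))) return whole;
    const value = names.reduce((v, n) => FILTERS[n](v), lookup(data, path));
    return raw ? String(value) : escapeHtml(value); // "{{= }}" is the explicit raw form
  });
}

// Constructed sample data standing in for user-supplied input.
const SAMPLE = { name: "  <b>Ada</b> ", user: { bio: "<i>hi</i>" } };
console.log(render("Hello {{ name | trim | upper }}! {{= user.bio }}", SAMPLE));
```

Because the raw form bypasses escaping, `{{= ... }}` is only appropriate for values that were sanitized before they entered the data scope.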