
Apologies if this is a silly question. I have been passing JSON DB collection objects to my EJS template code in a Node.js POST request with res.render("login", {var: object}); and am only using some of the contents of each (escaped) for my templates.

Just to confirm, is it only the final rendered contents of the template that is returned to the client or does the entire object get passed back?

example:

App.js

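Company.find({companyCode: "12345"}, function(err, foundCompany){
  if(err){ console.log(err); return res.sendStatus(500); }

  // Render the login view; foundCompany is available to the template as a local
  res.render('login', {foundCompany: foundCompany});
});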

Login.ejs

<p> The Company is: <%= foundCompany.name %> </p>

From a security point of view, if "foundCompany" contained a lot more information I did not particularly want the user finding a way to access, is this all sent to the client on render or is it only the escaped values used which have been manipulated by the back end template engine?

LagMuffle
  • This has been broadly discussed on this board. https://stackoverflow.com/questions/11151632/passing-an-object-to-client-in-node-express-ejs – Michael Nelles Jan 08 '20 at 15:15
  • Sorry, after reading through that link I'm still not sure I entirely understand. While I'm using the object in the template code to change the initial display of the page (not apparent in the source once the page has rendered), I'm not trying to use it to run any other script or method. I was just wondering if the objects themselves (and all values) are actually sent to the client when used this way, or is it just the completed template with the string versions of the contents I have used that is pushed client side? – LagMuffle Jan 08 '20 at 15:38
  • My apologies if I did not understand your question. Can you modify your question to include what is inside the EJS <% %> as it pertains to the DB collection? – Michael Nelles Jan 08 '20 at 16:23

1 Answer

EJS creates HTML from the dynamic content you provide server side and then returns the HTML content to the client (browser).

It doesn't matter if you pass the whole JSON to the render method; what gets to the client is only the HTML content you altered in your EJS.

So, bottom line, you don't need to worry about passing the whole JSON to the render method even if you are using only some part of it, although the best practice would be to pass only the data you need to use.

Sarfraaz
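The behaviour described in the answer, as an added example that is not part of the original posts and is not EJS's own code: it shows that only the fields a template references reach the HTML, that a template which serializes the whole local sends every field, and that an allow-list projection bounds both cases. `renderLike` is a small stand-in for EJS's `<%= %>` and `<%- %>` tags so the demo runs without dependencies; the sample record, `toViewModel` and `leakedFields` are hypothetical names constructed for illustration.

```javascript
// Added example. renderLike() is a stand-in for EJS's <%= %> (escaped) and
// <%- %> (raw) tags; it is not EJS itself.
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) =>
  ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&#34;', "'": '&#39;' }[c]));

function renderLike(template, locals) {
  return template.replace(/<%([=-])([\s\S]+?)%>/g, (_, kind, expr) => {
    // Evaluate the tag expression against the locals, as a template engine does.
    const value = new Function('locals', `with (locals) { return (${expr}); }`)(locals);
    return kind === '=' ? escapeHtml(value) : String(value);
  });
}

// Allow-list projection: build the view model from explicitly named fields only.
function toViewModel(doc, allowedFields) {
  return Object.fromEntries(
    allowedFields.filter((k) => k in doc).map((k) => [k, doc[k]]));
}

// Test helper: which fields of the record have values visible in the HTML?
function leakedFields(html, record) {
  return Object.keys(record).filter((k) => html.includes(String(record[k])));
}

// Constructed sample record standing in for the foundCompany document.
const foundCompany = {
  name: 'Acme Ltd',
  companyCode: '12345',
  billingEmail: 'accounts@acme.example',
  apiKey: 'constructed-sample-key',
};

const loginTemplate = '<p> The Company is: <%= foundCompany.name %> </p>';
// A template that serializes the whole local into the page for client-side script.
const dumpTemplate = loginTemplate +
  '<script>var company = <%- JSON.stringify(foundCompany) %>;</script>';

const htmlFull = renderLike(loginTemplate, { foundCompany });
const htmlDump = renderLike(dumpTemplate, { foundCompany });
const htmlSafe = renderLike(dumpTemplate,
  { foundCompany: toViewModel(foundCompany, ['name']) });

// Fields of the full record whose values appear in each response body.
console.log(leakedFields(htmlFull, foundCompany));
console.log(leakedFields(htmlDump, foundCompany));
console.log(leakedFields(htmlSafe, foundCompany));
```

A check like `leakedFields` can run in a route's tests against the real rendered response, so a later template change that starts exposing an unintended field fails the build.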