I want to allow the end-users of my web application to modify views (via web-based back office), stored in the database. The desired view engine is expected to be code-injection safe, meaning that the end-user will be limited to the absolute minimum number of expressions available, no server code inserts are allowed.
Is any suitable view engine available to download?
I don't know of any existing engine, but Phil Haack has a post on storing views in a database: http://haacked.com/archive/2009/04/22/scripted-db-views.aspx
That post deals with the idea of user-created views. If you want to protect against XSS-style code injection attacks, you can sanitize your HTML.
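An added example, not part of the original answer or of the linked post: a Python sketch of a logic-less view pipeline in which a stored view may contain only allow-listed tags and `{{ field }}` placeholders, so there is no expression syntax through which server code could run. The tag and field allowlists and all function names are assumptions made for illustration.

```python
import html
import re
from html.parser import HTMLParser

# Assumed policy for this sketch: the tags and model fields editors may use.
ALLOWED_TAGS = {"h1", "h2", "p", "b", "i", "em", "strong", "ul", "ol", "li"}
ALLOWED_FIELDS = {"title", "author", "body"}
PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")

class TemplateError(ValueError):
    """Raised when a submitted view uses anything outside the allowlists."""

class _TagFilter(HTMLParser):
    """Rebuilds markup from allow-listed tags only; all attributes are dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data))  # text, including "<% ... %>", is inert

def sanitize_template(source):
    """Run when a view is saved: returns markup to store, or raises."""
    parser = _TagFilter()
    parser.feed(source)
    parser.close()
    clean = "".join(parser.out)
    for name in PLACEHOLDER.findall(clean):
        if name not in ALLOWED_FIELDS:
            raise TemplateError(f"unknown field: {name}")
    leftover = PLACEHOLDER.sub("", clean)
    if "{{" in leftover or "}}" in leftover:
        raise TemplateError("only {{ field }} placeholders are allowed")
    return clean

def render(clean_template, model):
    """Single pass: values are HTML-escaped and never re-scanned for placeholders."""
    return PLACEHOLDER.sub(
        lambda m: html.escape(str(model.get(m.group(1), ""))), clean_template
    )
```

Sanitizing at save time and escaping at render time are separate steps: the first constrains what the editor can put in the view, the second constrains what the data can inject into it.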