You are on page 1of 10

Enforcing Strict Model-View Separation in

Template Engines
Nominated for best paper

Terence Parr
University of San Francisco

ABSTRACT derive entirely from a single principle: separating the specification
The mantra of every experienced web application developer is the of a page’s business logic and data computations from the speci-
same: thou shalt separate business logic from display. Ironically, fication of how a page displays such information. With separate
almost all template engines allow violation of this separation prin- encapsulated specifications, template engines promote component
ciple, which is the very impetus for HTML template engine devel- reuse, pluggable site “looks”, single-points-of-change for common
opment. This situation is due mostly to a lack of formal definition components, and high overall system clarity.
of separation and fear that enforcing separation emasculates a tem- I have discussed the principle of separation with many experi-
plate’s power. I show that not only is strict separation a worthy de- enced programmers and have examined many commonly-available
sign principle, but that we can enforce separation while providing template engines used with a variety of languages including Java,
a potent template engine. I demonstrate my StringTemplate en- C, and Perl. Without exception, programmers espouse separation
gine, used to build and other commercial sites, at work of logic and display as an ideal principle. In practice, however,
solving some nontrivial generational tasks programmers and engine producers are loath to enforce separation,
My goal is to formalize the study of template engines, thus, pro- fearing loss of power resulting in a crucial page that they can-
viding a common nomenclature, a means of classifying template not generate while satisfying the principle. Instead, they encour-
generational power, and a way to leverage interesting results from age rather than enforce the principle, leaving themselves a gaping
formal language theory. I classify three types of restricted tem- “backdoor” to avoid insufficient page generation power.
plates analogous to Chomsky’s type 1..3 grammar classes and for- Unfortunately, under deadline pressure, programmers will use
mally define separation including the rules that embody separation. this backdoor routinely as an expedient if it is available to them,
Because this paper provides a clear definition of model-view sep- thus, entangling logic and display. One programmer, who is re-
aration, template engine designers may no longer blindly claim en- sponsible for his company’s server data model, told me that he had
forcement of separation. Moreover, given theoretical arguments 3 more days until a hard deadline, but it would take 10 days to
and empirical evidence, programmers no longer have an excuse to coerce programmers around the world to change the affected mul-
entangle model and view. tilingual page displays. He had the choice of possibly getting fired
now, but doing the right thing for future maintenance, or he could
keep his job by pushing out the new HTML via his data model into
Categories and Subject Descriptors the pages, leaving the entanglement mess to some vague future time
D.3.4 [Programming Languages]: Processors—Code generation; or even to another programmer.
D.2.11 [Software Engineering]: Software Architectures—Domain- The opposite situation is more common where programmers em-
specific architectures, Patterns, Languages; D.1.1 [Programming bed business logic in their templates as an expedient to avoid hav-
Techniques]: Applicative (Functional) Programming ing to update their data model. Given a Turing-complete template
programming language, programmers are tempted to add logic di-
rectly where they need it in the template instead of having the data
General Terms model do the logic and passing in the boolean result, thereby, de-
Languages coupling the view from the model. For example, just about every
template engine’s documentation shows how to alter the display ac-
Keywords cording to a user’s privileges. Rather than asking simply if the user
is “special”, the template encodes logic to compute whether or not
Template engines, Web applications, Model-View-Controller
the user is special. If the definition of special changes, potentially
every template in the system will have to be altered. Worse, pro-
1. INTRODUCTION grammers will forget a template, introducing a bug that will pop up
The need for dynamically-generated web pages, such as the book randomly in the future. These expedients are common and quickly
description pages at, has led to the development of result in a fully entangled specification.
numerous template engines in an attempt to make web application Is the ideal possible? That is, can one enforce separation with-
development easier, improve flexibility, reduce maintenance costs, out emasculating the power of the template engine? Does a strict
and allow parallel code and HTML development. These enticing engine result in some pages that are incomputable? As usual, the-
benefits, which have driven the proliferation of template engines, ory and practice disagree. Theory dictates that a Turing-complete
Copyright is held by the author/owner(s).
template engine can generate any page and is strictly stronger than a
WWW2004, May 17–20, 2004, New York, New York, USA. restricted template engine. In practice, my experience building web
ACM 1-58113-844-X/04/0005.

this means roughly that there should be no code in HTML and no Java began supporting server development with Servlets [15]. For example. In the case of web site development. Perl. a template is an HTML file that a de- String name = request. HTML in code. Sec. out common code and HTML. HTML files with signers can easily factor templates into various sub-templates embedded Java code. Sections 7 and 8 define strict model-view separation and of a data set and be totally divorced from the underlying data com- how to avoid entanglement. though all the concepts apply to thought and mechanism. just about every template engine repeats able through the appropriate choice of template constructs. For the past five years. with JSP. which makes it hard for programmers to factor that one only needs four template constructs: attribute reference. After departing from JSP.servers. clude file is a poor substitute for class inheritance. clarity: a template is not a program whose emergent behav- out. the business logic is located entirely in the data model. <%=request. In practice. JSP files may start out as HTML files with simple references to On the other hand. out. template designers risk entangling template and busi- ness end in . out. most fail to address the primary reason why JSP is a dis- tions 5 and 6 formally define templates and three restricted template aster for large systems. Generating dynamic pages implies a server no longer maps a URL to an HTML file on the disk. but that it is realistically achiev.println("<h1>Servlet test</h1>"). graphics designers also cannot modify JSP files. JSP files are essentially inside-out servlets. To im. templates and. gies to solve very real design issues. (usually less expensive) designer building the templates. into programmers’ minds. here is the core of a simple servlet that generates a page saying 1. division of labor: a graphics designer can build the site out. Most importantly The trick is to provide sufficient power in a template engine with. 3. such as jGuru. MOTIVATIONS FOR SEPARATION chunk of code that spits out the appropriate HTML containing data The primary goal behind using a template engine is to separate and associated display instructions. After ex. display lists. Each specification is a complete entity. but they are still embedding HTML all through their signer operate independently from our coders. Hunter [5] summarizes a few other conditional template inclusion based upon presence/absence of an problems with JSP such as JSP’s inelegant looping mechanism to attribute. Finally. encapsulation: the look of a site is fully contained within “hello” to the URL parameter called name. out. they are not JSP lets by the server. JSP pages may amining hundreds of template files used in my sites.1 A template should merely represent a view classes. At jGuru. I will describe the evolution logic and data computations from the display of such data in both of Java engines in particular here. Section 9 demonstrates the putations whose results it will display. programmers can try to factor out common HTML without having to talk to a programmer. For exam- ple. I have essentially <h1>JSP test</h1> Hello. and cannot be written by a graphics designer. <body> tion and sufficient power. While JSP was not the answer. Here some really good reasons why programmers which amounted to methods that respond to HTTP GET and POST and designers want the separation: commands by generating HTML via print statements. component reuse: just as programmers break large methods Pages (JSP) [6]. Section 3 explicitly states designers are forced to imagine the emergent behavior of a program the benefits of separation. Section 4 shows how the model-view. rather than looking at a page exemplar. I conclude not be subclassed. Section the mistakes of JSP. this anec- dotal evidence does not prove my restricted engine is sufficient. ior is an HTML page. programming language embedded in HTML. de- ward. I’m unconvinced a designer will need tangled code and HTML specifications like Servlets. tem. which at first glance seemed to be a big step for. as in this example. JSP encourages bad object-oriented design. then.println("<html>").com (110k lines). The next stage of evolution was the introduction of Java Server 4. The same “hello” page looks like the following files at all. an in- out providing constructs that allow separation violations. down into smaller methods for clarity and reusability. signer or programmer can read directly. plate application to a multi-valued attribute similar to lambda func. EVOLUTION OF TEMPLATE ENGINES should be avoided."). The following section details why such entanglement 2. If the template language is StringTemplate engine solving some nontrivial HTML tasks. JSP files are automatically translated to serv. Unfortunately. actions. and so on. but they quickly degenerate into fully en- sin(x) via a Taylor HTML output elements into Java rendering objects like Table and we repeatedly verified our ability to have our graphics de- BulletList. As with JSP. "+name+". recursive template references.println("</body>"). servlets. they provide a Turing-complete tool-specific 2 describes how template engines evolved from previous strate. . rigidly </html> avoiding logic and computation in my templates.getParameter("name"). it did put the idea of a template tions and LISP’s map operator. A template is an HTML document with My goal here is to show that strict enforcement of separation is “holes” in it that can be filled with data or the results of simple not only a worthy design principle. by reducing communication costs. likewise. but error-prone. 2. we left the page names for in JSP: backward link compatibility. and most importantly. templates in parallel with the coders’ development efforts. 1 While the page URLs at jGuru. Still.println("<body>"). the ability. VisualBasic. while most template engines can approximate data.println("</html>"). Instead the server must map URLs to a 3. too powerful. controller pattern very naturally applies to server design and how it While template engines have fixed some of the annoying issues helps visualize separation of logic (model) and display (view).println("Hello.getParameter("name")%>. designers can tweak the prove the situation.jsp. conducted an experiment in software design while building sites </body> and tweaking my template engine called StringTemplate. provides strong evidence <html> that programmers can in fact get the best of both worlds: separa. out. This reduces the load on programmers not only by having a The problem is that specifying HTML in Java code is tedious.

Logic in the template extracted and refactored as a single method in the model. troller represents both the server’s dispatch infrastructure that maps a URL to a code snippet and the code snippet itself. and action expressions. dictating when a not be reused with other data sources. The view should only specify how to display data processed by troller which template group to use when displaying pages. T . them from the view is clear. the page may include some data processing specific to that page. single-point-of-change: by being able to factor templates. Having a single place to change a single be. but effective attack in the form of an infinite loop. Strictly Where to draw the line between the controller and model is some- isolating the model from the view and disallowing control times fuzzy and depends on the application. hence. Programmers often view strict separation as costing more time and hassle. A how every list of users. a section. the page triggers actions in the model. For example. If there are no ei in T then T is just a tive of these arguments. If the page is the target of an HTTP POST larger items like user record views. computations. programmers cannot agree precisely where to draw t0 e0 . appropriate data from the model. bookstore application or a forum hosting site? ple. in their views. After suf. For ex- is to be avoided because “is admin user” logic is repeated in ample. “register and send email. a page can do simple filtering of data (probably using a many templates. equals security.tnt ene the lines separating the three realms. I have seen stu- template changes do not require restarting a live. squarespace. session. most of the business D EFINITION 1. A mailing list thread from where any ti may be the empty string and ei is unrestricted compu- 2002 entitled “separating C from V in MVC” [12] is representa. mean- made available to bloggers but. the controller should be as lightweight as pos- on. One could also imagine a sim. formal treatment will provide a common nomenclature and a means of classifying template engines and their generational power. as championed in this paper. navigation bars.. change to the schema forces changes to all SQL spread throughout 7. the con- template. is an alternating logic. The model also encap- collection of templates called a group. TEMPLATE DEFINITION new piece of data to a view. plate change not a program change. “state” (the persistence layer such as a database). recursively enumerable languages. sible. like macros in Microsoft Word. each site look is a objects and relationships between objects. interchangeable views: with an entangled data model and pages and views. such as adding a 5. such as gutters.. appears on a site. In the future. could the template be reused it in a to using StringTemplate. Any quire recompilations and restarts. MODEL VIEW CONTROLLER PATTERN Fundamentally. Entangled templates tend to be difficult to factor and can. At the coarsest rendering the template. page’s code is executed. shockingly. While the notion of a template is straightforward. A simple pointer tells the page” erences and font sizes). robust and. boundaries between controller and model are usually blurred. to change or other processing page. Some groups are switched from using Velocity [19] a list of elements in a table. The various page code snippets are also part of the controller and should limit their activities to pulling the 5. Hunter [5] lists this as one problem with the template code specifically because of the significant benefits listed in this engine market. and always much riskier than changing a template. currently- dent projects and commercial programmers’ applications with SQL in-use server application whereas code changes normally re- statements in their controllers and. security: templates for page customization are commonly specifications. an output template differs from a program that generates output in that the template is an exemplar whereas the The well-known model-view-controller pattern [9] applies nicely to program’s computation results in the output. The view should not be part of the program. ing that it should not alter the model nor process data.” At jGuru. . general purpose filter mechanism provided by the model) but an operation like “process forum entry submission” should be coded 6. A good test unrestricted templates pose a serious security risk. but designer simply changes one template file. and the model represents an application’s data (the “state”). search box. and so In my experience. A template is an out- web server design and identifies three general “realms” where var- put document with embedded actions that the engine evaluates when ious pieces of the page generation process belong. t0 . maintenance: changing the look of a site requires a tem- in the model and merely invoked by a processing page. and any model-related computations. A graphics de- signer should feel very comfortable writing and manipulating view 8. data lists. of how well the view is isolated is whether or not the view could fering numerous attacks related to bloggers invoking class be used in another application. In addition. The controller acts like an event manager. if a template displays loaders. the designer cannot easily swap in a new look for straction anyway. or parameters then push- the designer can abstract out small elements like links and ing that data into the view.. my experience is that projects progress A literature search does not reveal a formal definition of a template much faster in the long run and result in much more flexible. ei : Unfortunately. for example. ti . may generate the possible is a worthwhile ideal to strive for. a model should process raw database data into such things as site “skins. A JSP file is example of an unrestricted level. indeed. An unrestricted template. This uncertainty arises mostly because the single literal. tationally and syntactically. quences of method calls to the model from a page should also be havior in the model is also important. the view represents a page’s template or templates. SQL tables are rarely the appropriate level of ab- display. An unrestricted template is equivalent to an un- simple and free from entanglements with model and controller as restricted Chomsky type 0 grammar and. list of output literals. but the line separating structures. This also avoids in general it is best to factor out code from the page into the model the errors introduced by having multiple places to change a that affects the model or embodies a common operation.ti ei ti+1 . 4.. While this may be true in the small. the model and made available by the controller. sulates commonly-executed operations such as “purchase book” or ically different (as opposed to just changing some color pref. Changing a program is The model contains all of the business logic. there is widespread agreement that keeping the view as T HEOREM 1. In contrast. Long se- single behavior.

Imagine a designer wants verse relationship between power and template suitability for non- to factor out a list item template called item: programmers such as graphics designers. type 3 regular grammars [16].%]. XML document definable with a DTD. That is a template must becomes to a Turing-complete language. The second symbol. One of the biggest entanglement problems faced by unrestricted <li>$attr$</li> templates is that a template can affect the model. XMLC [2]. the ited to generating text. the similarity to generational grammars leaps stating explicitly that unrestricted templates are the most powerful out. ”. over a set of attributes and literals: ai and ti . may generate the type 0 lan. easier way to think about regular templates. The template class. erence a. as shown in section using HTML::Template [18] that generates an HTML body: 8.. Templates may iterate albeit declarative in nature rather than imperative. A regular template may be the empty string.ext=5322).. The more powerful a template. ing to the Chomsky type 1.. This connection chine can compute). a template could specify that the color of a table row i be a function of sin(i) with sin(i) being computed P ROOF.3 generational grammars [1]: context- sensitive. a. References to undefined/unset guages all by itself. it is part of the program. must be a reference to a uses the HTML SPAN tag: regular template. hence. by this definition of a template. therefore. multi-valued like as [Jim. but it is worth prevent side-effects. generates a <br> separated list of users: tions. Frank. therefore. The first symbol is either a literal t or an attribute ref- guage’s lexicon in order to conform to L. In practice. many following example. Further there is an in- be invoked at a non-right edge position. yields some interesting and useful results by leveraging work from Generating a document in some language L may require multi. Once templates are restricted to operate on a set of attributes to This result is self-evident and not very interesting. using a Taylor series approximation coded inside the template it. They can also use context information to al- T HEOREM 2. fact is that these minimal templates can do a lot. Here is a template for an assignment tree using (an exper- ( $names "<br>" )+ imental version of) ANTLR’s [14] LISP-like tree notation: #(ASSIGN <ID> <expr>) where the (. nested templates. enforces strict separation of model and view. like 4521. John]. P ROOF. A regular template is restricted to 0. sheets are not templates at all because style sheets specify a set of XSLT tree transformations whose emergent behavior is an XML The more common regular expression equivalent provides an or HTML document. requires relationship between a template’s power and its ability to entan- that the programmer reference another template in a loop in order gle model and view. It is satisfying to note that Most often the literals are separated lexically from the expres. but there is a direct To apply a template to each name in the list. or  where τ is <p>Hello <SPAN id="user">Sample name</SPAN>. plate with the power of a context-free grammar can generate any sentences of L. tτ . attributes evaluate to the empty string. The surprising are specified with a textual specification. formal languages. For example. XSL style sheets are programs like servlets. individual literals ti and the output (DTDs) are essentially context-free grammars [8]. thus. A template can then apply the item sub-template to each that are computed by the model. before generating text. gates like (name=Tom. anything a Turing ma. grammar and templates are productions (rules). Attributes may be single-valued attribute in names with the following StringTemplate notation: . templates are not lim. 1. Attributes are just the terminals (vocabulary) of a generational and can generate any desirable output (i. templates are of the form t. a tem- of individual templates may or may not conform to L or even sub. and regular. For example. For example.e. symbols. computable function. This section defines restricted classes of templates correspond- <p>Hello. If a template can modify the model. [% user %]. here is a simple template can generate XML documents and by design. RESTRICTED TEMPLATE CLASSES #end Unrestricted templates are extremely powerful. Let’s start with the weakest where t0 = “<p>Hello. XSL [20] style trees. D EFINITION 2. e0 = “$user$”. Mirrors proof of Theorem 3 for context-free templates. the closer it to apply the template to the list elements. whose values are computed and filled in before lowing Velocity [19] template: constructing the tree. in this case. methods). just restrict the derivation tree shape to have rule references and self. Attribute and template references are Unrestricted templates can alter the model and can compute any side-effect free.. separating where $attr$ is a reference to the attribute to which item is being model from view should begin by restricting a template to oper. it may em. Regular templates generate the regular languages.)+ “one or more” operator would know to walk through the multiple values of the names attribute. context-free. For example. engines would actually use a FOR-loop type structure like the fol- <ID> and <expr>. a very simple template engine emulating a push down automaton sions with special symbols. In other words. a template reference action. or 2 A template may encode expressions using the surrounding lan. however. if present. applied ($attr$ analogous to the this pointer in object-oriented ate on a set of incoming read-only data values. aτ .”. in the pseudo-regular expression notation of a source-to-source translators perform a series of tree transforma. XML document type definitions ple. corresponding template references only at the right edge of sub- Interestingly. just because templates loop over a multi-valued attribute to display lists. expressions are embedded between literals and lexically-delimited via [%. Most template where ASSIGN is a literal root with two expressions for children. For example. called attributes. Because ei is unrestricted computationally. .. ter the output. #foreach( $n in $names ) $n<br> 6. or aggre- body a Turing machine and. fictional template engine. and t1 = “.. templates It is worthwhile to point out finally that. For example.

it’s part of the program.<ul> the unrestricted class in practice. do not consider an engine’s expressivity and Therefore. If the a template augmented to allow template references or inclusion of template can modify the model. recall that parsers for most programming languages are im. however. template engines nal references at the leaves and nonterminals at the subtree roots. To get an idea of the generational power of context-free gram. In the next section. Before formalizing my intuition. I cite the 29 parameters to Linux’s copy program. My goal conforming to the syntax of common programming languages. Most engines provide only. a template engine provides tasty icing on the same old stale generators. how well it enforces separation. A model is encapsulated if all logic and com- In practice. My approach to defining separation is to first dictate generally which pieces belong in the model and which in the view in order to By limiting predicates to operations on ai and surrounding tem. gramming language or tool. of execution is important. it probably is. tions are limited to referencing attributes. a context-free template is sufficient to generate output power. side-effect free. Then. are numerous seemingly- P ROOF. By equat. what if the designer needs to alter model and controller. D EFINITION 5. there are output languages that reg. A context-free template is a template whose ac. ai and templates. Milton and Fischer [11] claim $names:item()$ an analogous result that their predicated LL(k) parsers are Turing </ul> complete because any predicate is Turing complete. since we know from formal lan- guages [16] that there are languages that are inherently nonregular. but these templates are of theoretical interest only. organization of dynamic pages at the cost of learning a new pro- mars. cient power while ruthlessly enforcing separation even though it is free grammars. the model. Actions are side-effect free. structure. they more often value pow- erful functionality and amazing “one-liners. attribute references. to violate separation either unwittingly or as an expedient. predicates are limited to testing grammatical concerning the interaction of model and view that prevent entan- context. there. I suspect one could show an exact equivalence to the glement. rather. For example. should only appear if the parent menu is active. Notice what this does not say. losing all benefits of separation of literals. and template references. Context-free templates generate the context-free database! These are obvious cases where the view has merged with languages. The view is not precluded from fore. Model . Once in the model. in general. hence. Due to lack of formal definition of separation. it’s part of the ai and the template tree structure itself.and LR-based parser tion. as DTDs are context. In a template. Then in Section 8 I show which regular template. context-sensitive grammars given the proper computation limita- tions on actions. A provide functionality that allows programmers to violate separa- subtree corresponds to a rule application and has children that are tion routinely and. with a completely different model? Could a designer understand plate augmented to allow predicated template application. cake. SGML DTD may indicate when a named element may appear or This section lists the rules that ensure separation of view from not appear [8]. an annoying sometimes. Consequently. that is. the template is a program. A context-sensitive template is context-free tem.” engines support attribute references to nonterminals. power. I kept a few simple rules and tests in mind to evaluate entanglement. harmless and improper uses. Actions and predicates are program. If a context-free James and host is wraith”. A as an example. template power moves directly from the context-free class to computing sin(i) for row i in the template. Allowing context While a programmer or designer may follow these rules using any to dictate when a template element may appear adds a great deal of template engine without relying on enforcement. described above. complexity. Existing templates engines burst with features and context-free template may be empty. If order subtemplates only in certain grammatical context. cp. make them self-contained or encapsulated. ular templates cannot generate. I define the rules plate tree structure. A template that supports general references to other templates cor. it is best to avoid entanglement by performing all com. over the past five years building sites as well as the template engine Of more interest to the reader is that context-free templates can that drives them has been to toss out the stale cake. While programmers value simplicity. (sketch) One can show equivalence of a context-free innocuous template features that entangle the view with the model grammar’s derivation tree for any sentence to a nested template tree just as effectively. Predicates operate on has computations or logic dependent on model data. FORMAL SEPARATION responds to the context-free generational grammars. providing suffi- generate any XML file conforming to a DTD. template engines do not solve the prob- either terminals or other nonterminal subtrees. which leads to egregious violations such as “if user is alent template for a derivation tree and vice versa. template classes inherently enforce separation by design. Without strict enforcement of separa- plemented via grammars accepted by LL. If the template tribute references and template references. this template? If it looks like a program. While many template features have both template is equivalent to a context-free grammar. Beyond the obvious. computations are unrestricted. derived from an academic’s eye slugging output based upon context information? For example. it requires ex- generational power and brings us to the context-sensitive template treme discipline and exacts a high cognitive load. Actions are at. putations in the model and pushing results into the template via attributes.” incurring the cost of D EFINITION 3. one sees that there is always an equiv. Some [10] have tags built into the view that let programmers send email and most others even provide (indirect) SQL access to a T HEOREM 3. If types are important. The derivation tree for a context-free grammar has termi. a submenu through the development of a large commercial server application. I lay out the strict rules of separation and il- While one can express this particular output language using a lustrate illegal template constructs. Consider. A template is a list lem that drove their development. these features will inevitably be used erates the context-free languages. Could I reuse this template D EFINITION 4. to support harmless functionality ing a template’s attributes and literals to terminals and template such as “make all negative numbers red. admittedly useful and convenient. it’s part of the program. which are subsets of the context-free grammars [17]. for example. value testing. 7. What about SGML? With its DTD exceptions. putations dependent upon data values are done in the model. the template gen. class analogous to the context-sensitive grammars.

” So. correct views. the right level of abstraction is usu. these rules refer to not only direct model putations that are dependent on model data. strict separation has widespread plates? Strictly speaking. the URL structure of a site belongs to the implications about what can and cannot be done in a model and controller and should not be referenced as literals in templates. but can </body> </html> test the properties of data such as presence/absence or length of a multi-valued data value. Here. use a push strategy. but such references a list of names from a database and display them. which a 4. an unrestricted template may pull from a data model via functions. The following template data references must be order-insensitive. This rule arises partially because prints the number of elements in the list. See Section 7. afterwards it must be side-effect free. Now. The only way to computed in the model. In know what to pass is unrealistic. $model. a template can access Consider a simple HTML page where the application needs to pull data from the model and invoke methods. if the view cannot modify the model and the view makes no assumptions about the types of model data. data from the model must not contain display or layout information. what $bloodPressureOk!=null if the designer wants to have the number of names in the <title> Template output can be conditional on model data and com. The view further cannot call methods with arguments be. This definition is distilled to the essential restrictions prevent. Expressions in the view pute and return the number of names. of the page? That is. indexing such as colorCode[$topic] and $name[$ID] To avoid data reference order dependencies.90”.1. the view cannot compute book sale <p> prices as “$price*. The model cannot pass any display informa. the view cannot make data type assumptions. the list and its length are available and ing a boolean such as getNumberOfNames() can simply return the number. Model and view are strictly separated if both #set interestRate = interest*100 are encapsulated and. This rule forbids array model will inevitably and secretly break some site pages. Because getNames() was must be replaced with a test for presence of a value simulat. this simple data reference move in the template. By dependent values.getNumberOfNames() names. but in practice. the conditional just has to be computed in the model. pendency graph caused by model code changes can break previously- pear: If a template assumes $userID is an integer. for example. functions. which is very difficult for dynamic web sites.1 Pull Strategy Violates Separation model that cause side-effects. what if getNumberOfNames() must be called putations. $model. pulls data from the model: 2. merely treated them as objects. money. Tests like where $model. D EFINITION 6. but more subtle type assumptions ap. A template uses the pull strategy if any data tion to the view disguised as data values. at worst. an exception. used by the template is computed prior to template evaluation and ment type. changing the model without breaking the template.065 #endif D EFINITION 7. data references like $user or $model. remove this order dependency is to make getNumberOfNames() ally something higher level such as “department x is losing call getNames() also. Besides graphics designers are not programmers. variables interest and interestRate depend on model data value $risk. There were $model. changes in the de- is a date.encapsulation simply means that the model must contain all com. 1. Similarly. The must be moved to the model as doctors like to keep reduc. 3. What about URLs? Is it proper to hard code URLs into tem- ing entanglement. expecting them to invoke methods and Attributes are “pushed” into a template like a stream of tokens. unless one could guarantee the model method is available as a set of attributes ai . contrast.5 ) will be displayed by the view. further. At best the template Even simple tests that make negative values red should be gets an invalid number. . Dependencies can clearly sneak up on you. For example. the view cannot compare dependent data values.08 There can be nothing in the model that indicates how the data #if ( $risk < 0. 5.getNames() invokes a method on the model that $bloodPressure<120 computes the list of names and pulls it into the template. the view cannot modify the model either by directly al- tering model data objects or by invoking methods on the 7. here are the rules implied by The next section describes how a common strategy for template strict separation: data access is inherently unsafe. D EFINITION 8. invoked first. #set interest = 0. D EFINITION 9. information is specified in the view. template. A template uses the push strategy if all data cause (statically or dynamically) there is an assumed argu. This includes not used by the template is computed on demand by invoking model passing the name of a template to apply to other data values. first? The model has not yet computed the list.getUser(). the view cannot perform computations upon dependent <html> data values because the computations may change in the fu. A view is encapsulated if all layout and display For example. providing hidden “land mines” for the template designer to step on inadvertently. In more concrete terms. the pro. Unless a development team has extremely good test- grammer cannot change this value to be a non-numeric in the ing. but also to lo- cal template variables altered by logic dependent on model data. #set interest = 0. That is. <body> ture and they should be neatly encapsulated in the model in Names: any case. Some type graphics designer would make without thinking. forces a dramatic assumptions are obvious when the view assumes a data value implementation change in the model. To be independent of the model.getNumberOfNames() reference asks the model to com- ing the max systolic pressure on us.getNames() <p> the view cannot make assumptions about the meaning of data.

A more sophisticated version When evaluating template engines. ENFORCING SEPARATION deed they are. It application can. but programmers can always compute whatever they The rules of separation are strict. templates beyond context-free templates into the context-sensitive range. These restricted IF constructs definitely pull independence rule for the arguments. For example.. Tea. In contrast. PTG. and Mason. it without violating any rules of separation. With just FreeMarker has an entanglement index of 5 because it allows attribute reference. an is also com- no computations. and JSP Tag Libraries. more importantly. A template engine’s entanglement index is the naturally are just another scope of attributes sent into the subtem- number of separation rules that a template may violate. a template. To puted before the template generates any output text. This section mirrors the evolution path fol- In the worst case. 7. often depend on the values of other attributes. but my intuition is that there are lots of undecidable prob- not depend on itself. To preserve correctness (to be safe). WebObjects. bold would be applied to each element in the list [18] and XMLC [2] have an index of 1. all use an analogy from chemistry. far-reaching. Hence. The parameters D EFINITION 10.. The graph is checks in an attempt to catch violations and warn the program- acyclic in order to be well-defined. is attribute value Red a color or a man’s name? P ROOF. there does not seem to be a middle ground. Do we need more power? That is. allows us to relate templates to formal To compute an means the model must compute all other attributes language grammars. template application. As a trivial example. for example. Model data values. Velocity. Add recursion so that a template can invoke itself directly or in- ColdFusion. simulating tremely confining. aration by design and has the minimum index of−1 : ues called attributes. bold: imum index is 1 because there is no way to prevent attributes from <b>$attr$</b> containing display and layout information. violating rule 2. The min. an engine must violate the type violate separation. a gutter and. This $endif$ implies adding engine features is a “slippery slope” and must be The <h1> tags should appear only if the title attribute is present. A StringTemplate makes it impossible to violate (decidable) sep. do we need the power of Struts. In- 8. While working leading to the equivalent operation: name:bold(). and ensures tem- first thing in the view. a directed acyclic graph. Finally. in answer . it is useful to rank them accord- of an include is a macro invocation because macros have named ing to the level of entanglement allowed by the tool. T HEOREM 4.. has no−1 and plates cannot modify the model. → an−1 → an erate purely on attributes.. Pull degenerates to push in the the surrounding template. provides data reference order independence to preserve correctness. this template allows then an . context-sensitive templates? Context-sensitive templates are useful tanglement index because it is not itself a template engine. but how far? Surely full expressions are more powerful. I found that only HTML::Template multi-valued. the following resulting in another list of. so engines can support includes. Velocity. separation principle. Because the designer might request an since data references cannot have side-effects. Attributes are inert stones dropped in a soup. it is likely that the separated model- impossible to police the incoming attributes to determine whether view duo is as powerful as an unrestricted template. That is. one could retrofit unre- tributes.. generate any XML document that has a DTD allows business logic in the template. A Struts-StringTemplate duo could literals (or subtemplates) such as prove a useful combination. This template engines have entanglement indices greater than 1: Tapestry. a regular template. done with care. it must violate A template can only test the presence or absence of attributes others. slight notation change allows “template application” functionality. a popular web application control framework. attribute ai can- mer. UniT. A document with attribute references is worst case. thus. construct eliminates the need for explicit FOR-loops. want in the model and set an attribute or leave it empty. If name were on a template survey paper. FreeMarker. A better approach is to start with an overly-restricted tem- may not request attributes from the model in an order that violates plate and gradually add power ensuring constructs adhere to the a dependency in the graph. directly and the template arrives at the context-free class.5.2 Entanglement Index Factoring a large template into subtemplates is useful and clearly safe. an arbitrary method calls into the model. and template recursion. Template Toolkit. data should mix and not react with attributes are computed a priori. and seemingly ex. consider defining a template called 5 separation rules and therefore the index runs from 1. attributes like LISP’s map. allows computations on attributes. hereafter referred to simply as at- As for the other four separation rules. I have <h1>$title$</h1> concluded that engines are polarized either at index 1 or 5. By definition. the view lems. parameters that fill holes in the included template. For example. the model must first compute a1 . The template can call bold like a macro: bold(attr=name). $if(title)$ Interestingly. This single assumption. If an is the first template expression e0 . for handling conditionally included JSP. hence. DAG has a unique order. it is for tasks such as switching in a logged in or logged out version of designed to work with other view systems like XSLT. to allow method calls to the model (potentially rather than full expressions because tests against attribute values violating the side-effect free rule). A safe pull strategy degenerates to push in the a model or controller is passing display information or links into worst case. violating rules 1 and 4. that templates op- a1 → a2 → . These de- stricted template engines with a combination of static and run-time pendencies form a DAG. Once an engine allows a violation. There are plate. indirectly mer or designer can stick single or multi-valued read-only data val- an depends on all a1 . violating rule 3. altered. an engine can enforce all rules except for one: it is computations in the model. the topologically sorted attribute dependency lowed by StringTemplate. Two questions immediately come to mind: 1) a boolean with the same result as if they had computed the expres- can we enforce the rules and 2) is the resulting template engine sion in the view. the DAG forms a chain where Start with a text document filled with “holes” where a program- attribute ai depends on ai−1 (ai−1 → ai ) and. So. useful? By adding an IF construct that can test results of unrestricted In principle. WebMacro.

First. For other programmers have moved to new template engines in the first place attributes. vor. wrappers might delegate to standard Java libraries. the renderer decides whether to render installing accelerometers the wrong way during a rocket sled test. many people fried their keyboard by acci- To solve the HTML character escape paradox. in the case correctly by design. accounted for in the minimum where that computes HTML escape sequences because the compu- entanglement index of 1. StringTemplate evolved from a sim- the controller from having to specifically wrap attributes. knows- form routine operations like escaping strings. much to my surprise. exemplifying a common class of rendering operations such erly worded disguise. consider that for every integer at- programmer could alter the HTML renderer or attach a ”malicious” tribute passed to a template.”. the template engine implicitly calls renderer that altered a specific model’s posed the narrow conduit of the toString() method without violating a seemingly unresolvable conundrum for an engine enforcing sep- model-view separation. is concerned with converting attributes (or. When the tem- ior even if the imposed restrictions chafe a little. Technically a To expose the silent partner. using templates or otherwise. The themselves with the toString() method. on the or do the expedient thing. perience building commercial sites including jGuru. It makes sense to encapsulate outwards from safety. nectors were identical. and comparable problems.. opening a potential loophole for violations of as string abbreviation. formalizing the ren- with text. Second. and so on. what color it is. While functional programming languages have never been my . Some readers will argue that the MVCR pattern is merely a clev- “&lt. information. Asking an attribute to render itself fits nicely within our object. It turns out that there is a silent partner in the MVC such as HTML to be supplied with an engine. one should consider factoring out tation cannot be done in the template. The is to avoid the entanglements found with original systems like JSP controller acts like a station in an assembly line from the model to and the dates. templates may access unrestricted rendering computations performed in the renderer via Benjamin Geer [4]. The main reason plate renders to text. yielding achieves essentially unrestricted power without violating any rules the MVCR pattern. it cannot constitute erations properly belong. I submit that re-implementing JSP and adding a com- the view that adds a paint job to certain objects. but that risk already the attribute’s toString() method with our tacit approval. ibility in order to enforce valuable principles depends on their ex- There is a subtle. and case conversion. troller can simply wrap string attributes with an object whose It is wiser to enforce rather than merely encourage good behav- toString() method escapes special characters. Besides. such as the java. recall computers in the 1980’s where the keyboard and modem con- whether it is a link.2 Enforcement vs Encouragement (model-view-controller-renderer) where the renderer encapsulates Programmers crave flexibility. The to my principles. Because the ren- pattern at work already where these types of attribute rendering op- derer will not be part of a specific application. The model-view separation. how big it is.” is clearly display potentially contain code that modified an application’s model. perhaps suggesting a more complete design pattern name when referring to HTML page generation: MVCR 8. embody an aspect [7]. though. the original author of FreeMarker [3].to the second question regarding usefulness. STRINGTEMPLATE Each template may have its own renderer. a renderer could plate without violating separation because “&lt.1 Attribute Rendering testing the presence/absence of an attribute. aration. If they have derer. often relieving pam. Consider the escape of “<” characters to HTML format. then. has a distinctly functional programming fla- oriented mindset and establishes a boundary that cleaves the con. they will fight to make mechanisms work other hand. the constituent components) to displayable strings can be done wrong. fact that this class can be reused with just about any web applica- tion lends credence to the fact that the rendering code is not part of a particular application’s model. yes: a model-view duo ventional view component into both view and renderer. Just as a template may access an unre- stricted model computation through the decoupling mechanism of 8. In addition. for dealing completely avoid HTML in code. Since neither the model nor derer and encapsulating rendering operations into an application the controller may contain this computation. Remember that Murphy’s original over many years of ex- locales. an entanglement of an application’s model and view. necessary operation? Preventing abuse of this mechanism is undecidable and engines al- The inescapable fact is that there must be some Java code some- ready take a hit for this vulnerability. it will be done wrong. etc. Either integers get con- template also may not invoke a method on the model that computes verted from 32-bit binary words to strings of digit characters or escaped strings. Java already pro- HTML literals even in the renderer into fine-grained templates to vides heavy support. jGuru. Whether they sacrifice a little flex- the conversion of objects to displayable character strings. For example. say. and antlr. the code must exist independent service allows the renderer for a given target language elsewhere. The exists: someone could easily alter the source for a strict engine to collection of toString() methods of all incoming attribute types allow violations. but the template decides unnecessarily stressing the test pilot’s body. The renderer. but critical distinction between view and ren- perience and philosophy derived from that experience. worse. the con- dent. “if it of aggregates. an enclosing HTMLRenderer class. thus. The reader may also where on the page the number goes. a view-renderer pair could automatically per. My philosophy with StringTemplate has been to build application embody the renderer.. adding functionality while adhering strictly wrapper objects in. A renderer will contain code using string model may not escape a data string a priori and send it to the tem- literals containing display information and. negative integers as (23) instead of -23. The controller can as. The toString() ment in the manual encouraging un-JSP like behavior is insuffi- methods in standard types and in all wrapper objects used by an cient. a common and servers cannot generate web pages. ple “document with holes” to a sophisticated template engine that. How then does one escape strings. numbers. strings will be escaped properly.text package. The renderer neatly solves Geer’s conundrum of separation.” arose from someone of characters. date formatting. The template may not examine an incoming string recognize that there is no way around allowing objects to render looking for “<” characters to do the necessary replacements. A template is mainly concerned with page and attribute lay- learned the hard way that sometimes even geniuses make mistakes out plus text properties like color and size. StringTemplate [13] is a template library carefully designed by sign different renderers in response to page requests from different myself and Tom Burns (CEO.

An engine without recursion will simply not deal naturally with recursive data structures. In addition to the power of its template expression$</td><td>$attr. StringTemplate’s language evolved naturally according to where attr is the default attribute name that varies automatically my needs: side effect-free expressions. programmers will ask how a particular engine handles some interesting output tasks. The next <table border=1> sections demonstrate how StringTemplate expresses filling a ta.. A hierarchy is . a url.3 Hierarchical menus . </table> In the gutter of the overall page template. Templates can templates she could fill in and what attributes she could reference. public class TreeMenuItem { String title. supports $aList:{<b>$attr$</b>}:{<li>$attr$</li>}$ multiple site “skins” (a skin is simply a group of templates).age$</td></tr> StringTemplate reflects my minimalist approach (its jar is about reducing the main template to the more readable: 120k with source and binaries)..url$>$attr. Rather than resort to a FOR-loop with a nested IF.age$</td></tr> list of links looks like this: }$ </table> <a href=$attr. Why would anyone ever need recursion in a template? Consider } doing hierarchical menus. list). the template needs static User[] list = new User[] { new User("Boris".. a possible list of submenu items. Without recursion. apply template menuItem to the main list of choices: apply an anonymous template to each user object: $choices:menuItem()$ <table border=1> $users:{ A non-recursive template that generates only the top layer as a <tr><td>$attr. In the fol- she was able to build multiple site looks (branding for customers) lowing example. 9. with menu has a title.. <ul> bullet item.setAttribute("users".1 Fill a table example elements.forte.title$</a> . For our purposes. The anonymous row template can also be factored out into plates accessible to my graphics designer. StringTemplate’s de. boolean active = false. The examples illustrate the two crucial features that .. accesses dence. alternating the row colors in a table. int age... assume each item in a Push the user list as attribute users into a$</td><td>$attr. The simple name <tr><td>$attr... method. <tr><td>Natasha</td><td>31</td></tr> } . be applied to the results of other template applications.. recursive) application of templates. To generate a table like this: String url. and whether the following Java code: a particular submenu is active: st. StringTemplate enforces separation of model and view with <table border=1> the exceptions that it cannot enforce the undecidable problem of $users:row()$ passing display information to the view via attributes. Imagine we have objects of type User that we will pull from a simulated database: <table border=1> $users:rowBlue(). Once our designer knew what The result of a template application is another list. alleviate the need for looping constructs and just about every other </table> common language construct: template application to a multi-valued attribute (like LISP’s map) and template recursion. each element of a list is bolded and then made a totally independently. We repeat. complicated nested FOR loops and IF structures. and generating hierarchi. just provide a comma-separated list of templates to apply round-robin to the list 9. </table> edly verified that a nonprogrammer graphics designer can operate independently from the site coders. <ul> StringTemplate promotes heavy site component reuse. }. and simplicity to make tem. say st. <tr><td>Boris</td><td>39</td></tr> . template application to a list of data objects. <table border=1> List submenu. a template called row: sign is optimized for enforcement of separation not for Turing com- pleteness nor amazingly-expressive “one-liners”. expression order indepen. nested (that the name property of the incoming User object via the getName() is.2 Alternating table row colors to be updated on a live server. as StringTemplate iterates over users. rowGreen()$ public class User { </table> String name. <tr><td>Boris</td><td>39</td></tr> ble. allows site designs 9. attr. </ul> vides template inheritance between skins so the designer can build new site skins as they differ from existing skins. 39). and alleviates the need for controller Graphics designers often format lists with alternating element back- page code to manually generate HTML or subtemplates. <tr><td bgcolor=#F6F6F6>Natasha</td><td>31</td></tr> <tr><td>Jorge</td><td>25</td></tr> cal menus. a recursive structure and cries out for recursion to walk the tree. ground color: When discussing template engines.

mirroring the relationship. Lopes. reduces maintenance costs. engines merely en. Coldfusion. [6] JSP.. lows coders and designers to work in parallel. XML DTDs and beyond into the context-sensitive and unrestricted [18] S. 1995. Wood. 1988. Matthew $endif$ Ford provided very valuable feedback on both the ideas contained herein and the source code for my engine. say. http://www. Irwin. and al. It is also against a programmer’s nature to limit functionality. the 25(7):789–810.sun. and J. Given a clear definition of model-view separation. J. Indeed the code to construct states dwarfs the tiny parsing engine. 1988. template en. the template engine is analo. volume 1241. Chomsky.enhydra. current engines provide unclear advantages over JSP (although most http://www. For ex. Also note that no display in- formation needs to be passed in as an attribute.w3. in fact. I also http://mathforum. SGML and XML document because it increases flexibility. http://html-template. numerous complicated sites such as jGuru. C. In International Conference on Automata. Kilpelainen and D. build a template engine that 2003. W. By showing the relationship between restricted templates and Springer-Verlag. 2002. Soisalon-Soininen.sourceforge. September I have shown that we can. Aspects of the Theory of Syntax. formal definition of separation nor list of rules to guide them. [7] G. Springer-Verlag. CONCLUSIONS 220–242. XMLC. Template engines 169(2):230–251. grammars. StringTemplate documentation.html. Existing engines do not enforce separation because there was no Languages. Lamping. Maeda. Private communications. ics designer not a fearing [12] Separating C from V in MVC.sourceforge. Journal of Object Oriented grammers to violate separation. Pope. 1979. fearing weak generational power.apache.$ planting the template “meme” in my head back in 1995. http://www. gine designers may no longer claim enforcement of separation with. constructs as an expedient or because of lack of experience. smalltalk-80 system. Aspect-oriented programming. The problems with JSP. Strictly separating model and view is an extremely desirable goal [8] P.macromedia. pages are simple and sufficiently unentangled to be built by a graph. Menhdhekar. Parr.html. A.stringtemplate. that enforcing separation implies a critically weak and. this recursive menu example requires context-sensitivity in order to show only active submenus. evolved in response to previous technologies such as JSP and the ilk [9] G. ample. I would like thank to John Witchel for motivating me to formalize <a href=$attr.Output might look like: I am currently investigating the use of template engines to sup- port powerful and reusable language translators for the next genera- <a href=/>home</a> tion of the ANTLR parser generator. 1(3):26–49. languages. MIT Press. ACKNOWLEDGEMENTS over the list of submenu items if that menu is active. http://jakarta. grammars and exceptions. I conclude that restricted templates can [17] S. structs. generational To handle submenus. LL(k) parsing for attributed ing web applications). Parsing Theory I.submenu:menuItem()$ Chris Brooks and David Galles for their detailed reviews. pages 10.antlr. [14] T. walking the resulting states to actually parse sentences is very easy. Sippu and E. 1997. A description of the that entangle model and view. strictly enforces all decidable rules of separation by design. http://freemarker. R. C. thus.tml. [4] B. have the template iterate (tail-recursively) 11. engines no longer have an excuse to support entanglement. [16] http://xmlc.html. I thank Benjamin Geer While the table filling examples use only context-free template con- for his review work and for pointing out flaws in my arguments. Tregar. generate interesting classes of languages such as those described by Springer-Verlag. [20] XSL style sheets. Milton and C. language parser state machine construction is not easy. Sippu and E.title$</a> my thoughts regarding MVC separation and Monty Zukowski for $if(attr. The key lesson shown in this hierarchical menu 1965. 12. 2001. moreover. given theoret- ical arguments and empirical evidence. Parser construction is analogous to the controller-model pair orga- nizing a data structure or Information and Computation. http://java. between a state machine’s [3] FreeMarker. Loingtier. gous to the parsing engine. model-view-controller user interface paradigm in the courage separation while still supporting constructs that allow pro. structure. wonder if engine designers get caught up having fun implementing [13] T. trivial engine and its highly-interconnected state network. ANTLR: A predicated-LL(k) StringTemplate is sufficiently powerful empirically to generate parser generator. Programmers will often use these Programming.-M. engines provide very handy frameworks besides templates for build- [11] D. and Programming. In Proceedings European Conference on Object-Oriented Programming. N. languages without regard to overall principles.sun. Krasner and S. Parsing Theory II. under the BSD license at http://www. Software Practice and Experience. More importantly. Parr and R. HTML::Template. pages 422–430. are easily avoided in a template through judicious choice of data. out an entanglement index of 1. . example is that messy computations and control-flow constructs [2] Enhydra. [15] Servlets. Fischer. [19] Velocity. REFERENCES Programmers often ask how to encode a complicated algorithm [1] N. but [5] J.servlets. Unfortunately. I thank $attr. StringTemplate is released <a href=/news>news</a> . [10] Macromedia. Kiczales. in a template.url$>$attr.