(Dot)Liquid: is assigning view model properties or calling view model methods possible?

Question

This is a question about the safety of Liquid, with the DotLiquid library.

Suppose my view model is something like following (pseudocode):

class MyViewModel
    public string MyField
    public string MyMethod()

...and a MyViewModel object is passed to the Liquid template, where MyField is set to be accessible from within the template (so the template can read its content).

1. Can MyField be assigned to? I.e. can the template modify the contents of the view model?
2. Can MyMethod() be called? No "MyMethod" member is configured as being accessible from the template when rendering it.
3. What would happen if the "MyMethod" member would be configured to be accessible when rendering the template? Are method calls possible from Liquid templates?

My assumption is that the answer is no to all of the questions but I'd like to be sure.

Thank you.

Answer 1

1. No, MyField can't be assigned to. In fact, it can't be accessed at all - only public instance methods and properties are accessible in DotLiquid.
2. It depends how you "register" this view model with DotLiquid:
   • If the view model inherits from DotLiquid's Drop class, then all public instance methods and properties will be accessible.
   • If it doesn't inherit from Drop, then you'll probably be using the Template.RegisterSafeType(Type type, string[] allowedMembers) method, which requires you to tell DotLiquid which properties and methods can be accessed (using the allowedMembers parameter).
3. Yes, method calls are possible, but DotLiquid only supports parameter-less methods.