So, I was thinking of using Haml as the actual markup language for the
wiki-like thing I'm building in Rails. The syntax is simple and
beautiful, and encourages people to use css styling rather than trying
to do it by hand - which is good.
But of course, I don't want people doing Bad Things in evaled code. In
fact, I don't want them to do *anything*.
So, I had thought that
<in app/views/thing/show.haml>
#postbody= Haml::Engine.new(@post.body, :suppress_eval => true).render
would do the trick.
But lo, basic testing from script/console would seem to put the lie to
that:
Haml::Engine.new('- puts File.read "/home/me/myApp/app/controllers/thing_controller.rb"', :suppress_eval => true).render
=> "class ThingController < ApplicationController\n...
This is bad.
How am I fundamentally misunderstanding the meaning of "suppress
eval"? What *does* it do?
Apart from some tortuous gsubbing, is there no way to render the thing
user-safe?
You received this message because you are subscribed to the Google Groups
"Haml" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/haml?hl=en
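A pre-render check along the lines of the "gsubbing" the post mentions, added here as an example and not code from the post or the Haml project: rather than stripping anything, it refuses user-supplied Haml that contains a construct Haml evaluates as Ruby, so the engine option is no longer the only thing between a post body and File.read. The pattern list is an assumption about Haml's syntax, written as a denylist, so it is a layer in front of the engine rather than a replacement for :suppress_eval.

```ruby
# Added example, not from the original post or the Haml project: refuse
# user-supplied Haml that contains constructs Haml evaluates as Ruby, as a
# layer in front of the engine rather than a replacement for :suppress_eval.
# The construct list below is an assumption about Haml syntax (a denylist).

TAG = '[%.#][\w:.#-]*'  # tag head: %name, .class, #id, possibly chained

HAML_SCRIPT_PATTERNS = [
  [/\A\s*-(?!#)/,                                    'silent script (-)'],   # "-#" is a comment
  [/\A\s*(?:[&!]?=|~)/,                              'script output (=, ~, &=, !=)'],
  [/\A\s*#{TAG}(?:\{[^}]*\}|\([^)]*\)|\[[^\]]*\])*\s*(?:[&!]?=|~)/,
                                                     'inline tag script (%tag=)'],
  [/\A\s*#{TAG}(?:\([^)]*\))?\{/,                    'ruby attribute hash ({...})'],
  [/\A\s*#{TAG}\([^)]*=\s*[^"'\s)]/,                 'unquoted html-style attribute (ruby)'],
  [/\A\s*#{TAG}(?:\{[^}]*\}|\([^)]*\))*\[/,          'object reference ([...])'],
  [/\A\s*:(?:ruby|erb)\b/,                           'code filter (:ruby/:erb)'],
  [/\#\{/,                                           'string interpolation (#{})'],
].freeze

# Returns one finding per offending line: { line:, construct:, text: }.
def haml_script_findings(source)
  findings = []
  source.each_line.with_index(1) do |line, lineno|
    pattern, label = HAML_SCRIPT_PATTERNS.find { |re, _| line =~ re }
    findings << { line: lineno, construct: label, text: line.chomp } if pattern
  end
  findings
end

def safe_to_render?(source)
  haml_script_findings(source).empty?
end

# Constructed samples: the probe line from the post, and a harmless page.
POST_PROBE = '- puts File.read "/home/me/myApp/app/controllers/thing_controller.rb"'
BENIGN_POST = <<~HAML
  %h2 Release notes
  %p.intro Plain text is fine, even with = signs and a #hashtag.
  -# a Haml comment executes nothing
  %ul
    %li First item
HAML
SCRIPT_SAMPLES = ['%p= Time.now', '%a{:href => url} link', ':ruby', 'Hello #{name}']

if __FILE__ == $PROGRAM_NAME
  puts "benign ok? #{safe_to_render?(BENIGN_POST)}"          # true
  haml_script_findings(POST_PROBE).each { |f| puts "line #{f[:line]}: #{f[:construct]}" }
end
```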