I think I see the issue. Haml caches templates so that it can render the
same template multiple times more efficiently. However, changing the
options /does not/ clear the cache; thus, if you've already run a
template with :suppress_eval not set, and then you run it again with
:suppress_eval set, it won't work. This is a bug; I'll work on fixing it.
This does mean, though, that you're safe to use :suppress_eval to take
user input. The only way they'll be able to execute code is if they
insert a string identical to one of your server-side templates, and
then it shouldn't be able to do any harm.
- Nathan
jbc wrote:
> % less vendor/plugins/stable/VERSION
> 1.7.1
>
> There's definitely something very weird going on - I might try
> reinstalling the plugin.
>
>
>
> >> Haml::Engine.new("- puts 'hello'", :suppress_eval => true).render
> => ""
>
> >> Haml::Engine.new("- puts 'hello'", :suppress_eval => false).render
> => ""
> (the File.read line was from the same session)
>
>
> >> Haml::Engine.new("= puts 'hello'*3", :suppress_eval => false).render
> => "hellohellohello\n\n"
>
> >> Haml::Engine.new("= puts 'hello'*3", :suppress_eval => true).render
> => "hellohellohello\n\n"
>
> And the haml tests ran with no errors.
>
> If this is not expected behaviour, then at least I'm not going
> insane.
>
> I'm something of a rails noob, btw, so I can easily be missing
> something terribly obvious.
>
> (also, is it meant to sit under plugins/stable? Seems odd...)
>
> Thanks for the help!
>
> On Sep 19, 1:40 am, Nathan Weizenbaum <[EMAIL PROTECTED]> wrote:
>
>> Your script/console line shouldn't run the silent script. It doesn't on
>> my computer. What version of Haml are you using?
>>
>> - Nathan
>>
>> jbc wrote:
>>
>>> So, I was thinking of using haml as the actual markup language for the
>>> wiki-like-thing I'm building in rails. The syntax is simple and
>>> beautiful, and encourages people to use css styling rather than trying
>>> to do it by hand - which is good.
>>>
>>> But of course, I don't want people doing Bad Things in evaled code. In
>>> fact, I don't want them to do *anything*.
>>>
>>> So, I had thought that
>>>
>>> <in app/views/thing/show.haml>
>>> #postbody= Haml::Engine.new(@post.body, :suppress_eval => true)
>>>
>>> would do the trick.
>>>
>>> But lo, basic testing from script/console would seem to put the lie to
>>> that:
>>>
>>> Haml::Engine.new('- puts File.read "/home/me/myApp/app/controllers/thing_controller.rb"', :suppress_eval => true).render
>>> => "class ThingController < ApplicationController\n...
>>>
>>> This is bad.
>>>
>>> How am I fundamentally misunderstanding the meaning of "suppress
>>> eval"? What *does* it do?
>>>
>>> Apart from some tortuous gsubbing, is there no way to render the thing
>>> user-safe?
>>>
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Haml" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/haml?hl=en
-~----------~----~----~----~------~----~------~--~---
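An added example in Ruby, written for this page and not taken from Haml or from anyone in the thread, that models the cache bug Nathan describes: a toy engine whose compiled-template cache is keyed on the template source alone, so a render with :suppress_eval set receives the eval-enabled Proc compiled by an earlier render of the same source (the scenario in which a user pastes a string identical to a server-side template). The ToyEngine class, its two caches, the "- "/"= " line syntax and the sample template are all invented for illustration; the fixed variant keys the cache on the source together with the option.

```ruby
# Added example, not Haml's implementation: a toy template engine that models
# the caching bug described in the thread. All names here are invented.
class ToyEngine
  # Buggy design: compiled templates cached by source text only, so the options
  # used for the first compile of a given source win for every later render.
  BUGGY_CACHE = {}
  # Corrected design: the cache key includes the option that changes compilation.
  FIXED_CACHE = {}

  def initialize(source, options = {})
    @source = source
    @suppress_eval = options.fetch(:suppress_eval, false)
  end

  # Compile to a Proc. "- expr" runs expr silently, "= expr" inserts its value,
  # anything else is literal text. With :suppress_eval the script lines are
  # dropped at compile time, which is exactly why a stale cache entry defeats it.
  def compile
    suppress = @suppress_eval
    ops = @source.lines.map(&:chomp).map do |line|
      if line.start_with?("- ")
        suppress ? [:skip, nil] : [:run, line[2..-1]]
      elsif line.start_with?("= ")
        suppress ? [:skip, nil] : [:insert, line[2..-1]]
      else
        [:text, line]
      end
    end
    lambda do
      out = []
      ops.each do |op, arg|
        case op
        when :run    then eval(arg)             # side effects only, nothing inserted
        when :insert then out << eval(arg).to_s
        when :text   then out << arg
        end
      end
      out.join("\n")
    end
  end

  def render_buggy
    (BUGGY_CACHE[@source] ||= compile).call
  end

  def render_fixed
    (FIXED_CACHE[[@source, @suppress_eval]] ||= compile).call
  end
end

# Constructed sample input: a server-side template that evaluates Ruby.
TEMPLATE = "%p\n= 6 * 7\n"

# Render once with eval allowed (the server's own use of the template), then
# render the identical source with :suppress_eval => true, as a user who pasted
# a copy of that template would. The buggy cache hands back the eval-enabled Proc.
def demo_bug
  server = ToyEngine.new(TEMPLATE, :suppress_eval => false).render_buggy
  user   = ToyEngine.new(TEMPLATE, :suppress_eval => true).render_buggy
  [server, user]
end

# The same sequence against the corrected cache: the user's render compiles fresh.
def demo_fix
  server = ToyEngine.new(TEMPLATE, :suppress_eval => false).render_fixed
  user   = ToyEngine.new(TEMPLATE, :suppress_eval => true).render_fixed
  [server, user]
end

if __FILE__ == $0
  p demo_bug   # ["%p\n42", "%p\n42"]  the user's script line still ran
  p demo_fix   # ["%p\n42", "%p"]      suppressed as requested
end
```

The practical check this suggests, independent of which engine you use: in a single long-lived process, render one source both with and without the option and confirm the outputs actually differ, since a cache that ignores options will only show itself after the first compile of that source.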