I think I see the issue. Haml caches templates so that it can render the 
same template multiple times more efficiently. However, changing the 
options /does not/ clear the cache; thus, if you've already run a 
template with :suppress_eval not set, and then you run it again with 
:suppress_eval set, it won't work. This is a bug; I'll work on fixing it.

This does mean, though, that you're safe to use :suppress_eval to take 
user input. The only way they'll be able to execute code is if they 
insert a string identical to one of your server-side templates, and 
then it shouldn't be able to do any harm.

- Nathan

jbc wrote:
> % less vendor/plugins/stable/VERSION
> 1.7.1
>
> There's definitely something very weird going on - I might try
> reinstalling the plugin.
>
> >> Haml::Engine.new("-  puts 'hello'", :suppress_eval => true).render
> => ""
> >> Haml::Engine.new("-  puts 'hello'", :suppress_eval => false).render
> => ""
> (the File.Read line was from the same session)
>
> >> Haml::Engine.new("=  puts 'hello'*3", :suppress_eval => false).render
> => "hellohellohello\n\n"
> >> Haml::Engine.new("=  puts 'hello'*3", :suppress_eval => true).render
> => "hellohellohello\n\n"
>
> And the haml tests ran with no errors.
>
> If this is not expected behaviour, then at least I'm not going
> insane.
>
> I'm something of a rails noob, btw, so I can easily be missing
> something terribly obvious.
>
> (also, is it meant to sit under plugins/stable? Seems odd...)
>
> Thanks for the help!
>
> On Sep 19, 1:40 am, Nathan Weizenbaum <[EMAIL PROTECTED]> wrote:
>   
>> Your script/console line shouldn't run the silent script. It doesn't on
>> my computer. What version of Haml are you using?
>>
>> - Nathan
>>
>> jbc wrote:
>>     
>>> So, I was thinking of using haml as the actual markup language for the
>>> wiki-like-thing I'm building in rails. The syntax is simple and
>>> beautiful, and encourages people to use css styling rather than trying
>>> to do it by hand - which is good.
>>>       
>>> But of course, I don't want people doing Bad Things in evaled code. In
>>> fact, I don't want them to do *anything*.
>>>       
>>> So, I had thought that
>>>       
>>> <in app/views/thing/show.haml>
>>> #postbody= Haml::Engine.new(@post.body, :suppress_eval => true)
>>>       
>>> would do the trick.
>>>       
>>> But lo, basic testing from script/console would seem to put the lie to
>>> that:
>>>       
>>> Haml::Engine.new('-  puts File.read "/home/me/myApp/app/controllers/
>>> thing_controller.rb"', :suppress_eval => true).render
>>> => "class ThingController < ApplicationController\n...
>>>       
>>> This is bad.
>>>       
>>> How am I fundamentally misunderstanding the meaning of "suppress
>>> eval"? What *does* it do?
>>>       
>>> Apart from some tortuous gsubbing, is there no way to render the thing
>>> user-safe?
>>>       


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Haml" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/haml?hl=en
-~----------~----~----~----~------~----~------~--~---
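The cache interaction Nathan describes above, reproduced in a toy engine as an added example (this is not Haml's code, and the ToyEngine class, its "- " / "= " line syntax and the two cache policies are invented for the illustration). The :text_only policy keys the compile cache on the template text alone, so a second render of the same text with :suppress_eval => true reuses the compiled form from the first, un-suppressed render and still runs the script. The :text_and_options policy shows one possible fix, not necessarily the one Haml shipped: every option that changes what gets compiled becomes part of the cache key. The example only covers this caching interaction; it says nothing about whether :suppress_eval by itself is enough to make arbitrary user-supplied Haml safe.

```ruby
# Added illustration, not Haml's own code: a toy template engine whose
# compile cache is keyed on the template text alone, so a second render of
# the same text with :suppress_eval => true silently reuses the compiled
# form from the first, un-suppressed render. The :text_and_options policy
# shows one way to close that hole: make every option that changes what
# gets compiled part of the cache key.
#
# Toy syntax (invented for this example): a line beginning "- " is Ruby run
# for its side effect, "= " is Ruby whose result is inserted, any other
# line is copied through. With :suppress_eval both script forms are dropped
# at compile time.

class ToyEngine
  # One cache per keying policy so both can be exercised in one process.
  CACHES = { text_only: {}, text_and_options: {} }

  def initialize(template, options = {}, policy = :text_only)
    @template = template
    @options  = { suppress_eval: false }.merge(options)
    @policy   = policy
  end

  # The bug: keying on the template text alone ignores options that change
  # the compiled output. The fix: include those options in the key.
  def cache_key
    @policy == :text_only ? @template : [@template, @options]
  end

  def compiled
    CACHES[@policy][cache_key] ||= compile
  end

  # Produces [kind, payload] pairs; script lines vanish under suppress_eval.
  def compile
    @template.lines.map(&:chomp).map do |line|
      if line.start_with?("- ")
        @options[:suppress_eval] ? nil : [:silent, line[2..-1]]
      elsif line.start_with?("= ")
        @options[:suppress_eval] ? nil : [:loud, line[2..-1]]
      else
        [:text, line]
      end
    end.compact
  end

  def render
    compiled.map do |kind, payload|
      case kind
      when :text   then payload
      when :silent then eval(payload); nil   # side effect only, no output
      when :loud   then eval(payload).to_s
      end
    end.compact.join("\n")
  end
end

# Renders one constructed template twice under the given cache policy:
# first without suppression, then with :suppress_eval => true. $executed
# records every time the "- " line actually ran.
def demonstrate(policy)
  ToyEngine::CACHES[policy].clear
  $executed = []
  tpl = "p hello\n- $executed << :ran\n= 1 + 1"
  first  = ToyEngine.new(tpl, {}, policy).render
  second = ToyEngine.new(tpl, { suppress_eval: true }, policy).render
  { first: first, second: second, executed: $executed.dup }
end

if __FILE__ == $PROGRAM_NAME
  p demonstrate(:text_only)         # second render still ran the script
  p demonstrate(:text_and_options)  # second render is text only
end
```

Run it as a script: under :text_only the second render returns the same output as the first and the script line has run twice, which is the behaviour jbc saw in script/console; under :text_and_options the suppressed render returns just the text line and the script ran once.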
