Awesome!
Thanks - it's really appreciated.
On Sep 19, 8:33 am, Nathan Weizenbaum <[EMAIL PROTECTED]> wrote:
> I think I see the issue. Haml caches templates so that it can render the
> same template multiple times more efficiently. However, changing the
> options /does not/ clear the cache; thus, if you've already run a
> template with :suppress_eval not set, and then you run it again with
> :suppress_eval set, it won't work. This is a bug; I'll work on fixing it.
>
> This does mean, though, that you're safe to use :suppress_eval to take
> user input. The only way they'll be able to execute code is if they
> insert a string identical to one of your server-side templates, and
> then it shouldn't be able to do any harm.
>
> - Nathan
>
> jbc wrote:
> > % less vendor/plugins/stable/VERSION
> > 1.7.1
>
> > There's definitely something very weird going on - I might try
> > reinstalling the plugin.
>
> > >>> Haml::Engine.new("- puts 'hello'", :suppress_eval => true).render
> > => ""
> >
> > >>> Haml::Engine.new("- puts 'hello'", :suppress_eval => false).render
> > => ""
> > (the File.Read line was from the same session)
> >
> > >>> Haml::Engine.new("= puts 'hello'*3", :suppress_eval => false).render
> > => "hellohellohello\n\n"
> >
> > >>> Haml::Engine.new("= puts 'hello'*3", :suppress_eval => true).render
> > => "hellohellohello\n\n"
>
> > And the haml tests ran with no errors.
>
> > If this is not expected behaviour, then at least I'm not going
> > insane.
>
> > I'm something of a rails noob, btw, so I can easily be missing
> > something terribly obvious.
>
> > (also, is it meant to sit under plugins/stable? Seems odd...)
>
> > Thanks for the help!
>
> > On Sep 19, 1:40 am, Nathan Weizenbaum <[EMAIL PROTECTED]> wrote:
>
> >> Your script/console line shouldn't run the silent script. It doesn't on
> >> my computer. What version of Haml are you using?
>
> >> - Nathan
>
> >> jbc wrote:
>
> >>> So, I was thinking of using haml as the actual markup language for the
> >>> wiki-like-thing I'm building in rails. The syntax is simple and
> >>> beautiful, and encourages people to use css styling rather than trying
> >>> to do it by hand - which is good.
>
> >>> But of course, I don't want people doing Bad Things in evaled code. In
> >>> fact, I don't want them to do *anything*.
>
> >>> So, I had thought that
>
> >>> <in app/views/thing/show.haml>
> >>> #postbody= Haml::Engine.new(@post.body, :suppress_eval => true)
>
> >>> would do the trick.
>
> >>> But lo, basic testing from script/console would seem to put the lie to
> >>> that:
>
> >>> Haml::Engine.new('- puts File.read "/home/me/myApp/app/controllers/thing_controller.rb"', :suppress_eval => true).render
> >>> => "class ThingController < ApplicationController\n...
>
> >>> This is bad.
>
> >>> How am I fundamentally misunderstanding the meaning of "suppress
> >>> eval"? What *does* it do?
>
> >>> Apart from some tortuous gsubbing, is there no way to render the thing
> >>> user-safe?
You received this message because you are subscribed to the Google Groups
"Haml" group.
For more options, visit this group at http://groups.google.com/group/haml?hl=en
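Added example, not code from the thread and not Haml's own implementation: a toy template engine that models the caching behaviour Nathan describes, so the failure jbc saw in script/console can be reproduced and checked without Haml installed. The `- ` (silent script) and `= ` (inserted script) line handling is a deliberate simplification of Haml's syntax, and the names ToyEngine, SourceKeyedCache and OptionKeyedCache are assumptions. The buggy cache keys compiled templates on source text only, so a later render with :suppress_eval => true reuses code compiled with eval enabled; the fixed cache puts every option that changes compiled output into the key.

```ruby
# Added example (not Haml's code): toy template engine with a compiled-template
# cache, modelling the :suppress_eval cache bug discussed in the thread.

SIDE_EFFECTS = []   # records whether a "- " (silent script) line actually ran

class ToyEngine
  # Compile a template into a callable. Lines starting with "= " are Ruby
  # whose value is inserted into the output; lines starting with "- " are
  # Ruby run for effect only; everything else is literal text. With
  # suppress_eval both script forms compile to no-ops, which is what the
  # option is meant to guarantee for user-supplied templates.
  def self.compile(source, suppress_eval:)
    steps = source.lines.map(&:chomp).map do |line|
      if line.start_with?("= ")
        code = line[2..]
        suppress_eval ? -> { "" } : -> { eval(code).to_s }
      elsif line.start_with?("- ")
        code = line[2..]
        suppress_eval ? -> { "" } : -> { eval(code); "" }
      else
        -> { line }
      end
    end
    -> { steps.map(&:call).join("\n") }
  end
end

# Buggy (assumed model of the reported behaviour): the cache is keyed on
# source text alone, so whatever options the FIRST render used are frozen
# into the cached compiled template for every later render of that source.
class SourceKeyedCache
  def initialize
    @cache = {}
  end

  def render(source, suppress_eval: false)
    compiled = (@cache[source] ||= ToyEngine.compile(source, suppress_eval: suppress_eval))
    compiled.call
  end
end

# Fixed: every option that changes compiled output is part of the cache key,
# so a render with suppress_eval: true can never reuse code compiled with
# eval enabled.
class OptionKeyedCache
  def initialize
    @cache = {}
  end

  def render(source, suppress_eval: false)
    key = [source, suppress_eval]
    compiled = (@cache[key] ||= ToyEngine.compile(source, suppress_eval: suppress_eval))
    compiled.call
  end
end

# Reproduce the sequence from the thread: a trusted render with eval on, then
# a render of the same source with suppress_eval: true (the user-input case).
def reproduce(cache_class)
  SIDE_EFFECTS.clear
  cache  = cache_class.new
  loud   = "= 'hello' * 3"                       # constructed sample template
  silent = "- SIDE_EFFECTS << :silent_script_ran" # constructed sample template

  cache.render(loud, suppress_eval: false)               # server-side render
  user_loud = cache.render(loud, suppress_eval: true)    # "untrusted" render

  cache.render(silent, suppress_eval: false)
  SIDE_EFFECTS.clear
  cache.render(silent, suppress_eval: true)              # should run nothing

  { output_with_suppress: user_loud, silent_script_ran: !SIDE_EFFECTS.empty? }
end

if __FILE__ == $PROGRAM_NAME
  p reproduce(SourceKeyedCache)  # {:output_with_suppress=>"hellohellohello", :silent_script_ran=>true}
  p reproduce(OptionKeyedCache)  # {:output_with_suppress=>"", :silent_script_ran=>false}
end
```

The check a practitioner wants before trusting :suppress_eval (or any "safe mode" switch on a caching engine) is the second half of reproduce: render a template once with the option off, then again with it on, and confirm the restricted render produces nothing and has no side effect. If the first result leaks through, the cache key is missing a security-relevant option.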