I have to say that I'm pretty firmly against writing ERB in Radiant pages. First and foremost, we have to remember that Radiant is a CMS. Among the two most important features of a Rails based CMS (as opposed to a regular Rails application) are the promise to your less technically inclined users that nothing they will do will impact the overall system and caching.
Even with elevated $SAFE levels, it's inviting the application logic into the page, threatening cacheability and simplicity for the content creator, and worse, bringing along all of the risks that come along with ERB in a standard Rails application. Only now, a non-developer has the ability to open up an XSS vulnerability (or any number of bad things).

I really would urge people to write extensions that define Radius tags if you need some sort of dynamic functionality -- it's what they're there for. Create a new Page type, define a tag (and remember to escape HTML) -- it's that easy. If a developer knows how to write a fragment of ERB, they should be able to master the extension system quite quickly.

Ok, so the other point was that Radius may not be the best. It may have some shortcomings, and I've seen a few things that irk me (although not enough to send me running away). If anyone's looking for inspiration for something better, I'd suggest StringTemplate [1]. StringTemplate is quite strict at enforcing model-view separation. The accompanying paper [2] explains things really well (also see the introduction to the documentation [3]). Basically, it only allows you to 1) reference object attributes, 2) include other templates (similar to snippets), 3) conditionally include templates based on the presence of object attributes, and 4) apply a template to an array. No numerical evaluation, no setting of state (all that is done in the model where it belongs). It's not Turing complete, but neither is CSS and it does its job pretty well.

Even if you're not using StringTemplate, I highly recommend the linked PDF. It has changed the way I write the ERB in my views.

And I hope I don't sound too combative here. I've just dealt with too much PHP spaghetti to want to throw away separation so quickly.
-Andrew

[1] http://www.stringtemplate.org/
[2] http://www.cs.usfca.edu/~parrt/papers/mvc.templates.pdf
[3] http://www.antlr.org/wiki/display/ST/Introduction

On 10/18/07, Daniel Sheppard <[EMAIL PROTECTED]> wrote:
> > > I would suggest to add the parameters individually to the <r:snippet>
> > > tag, and to allow a body to be defined:
> > >
> > > <r:snippet name="rounded-box" class="whatever" bg-color="blue">
> > > This is a parametrized snippet...
> > > </r>
> >
> Basically, feature-wise it looks like what you're after is a templating
> language like freemarker (http://freemarker.org). Radius (the templating
> language used by radiant) reminds me a lot of the very early versions of
> freemarker. Freemarker macros map conceptually to radius snippets and
> layouts.
>
> Problem is that freemarker is a java library, so not much use to Radiant
> as is, but it's probably a good place to look for thinking of ways to
> extend radius.
>
> I've actually been doing some thinking about ripping out and replacing
> radiant (or at least modularising it) lately.
>
> Ideally, I'd love to be able to just write ERB in radiant... which would
> be fine for just me running radiant for myself on my own server - and in
> fact backdoor basically lets me do that, but it's hardly a bright idea
> from a security point of view.
>
> Basically, my current thoughts are to create a 'safe erb' - ideally
> running using _why's sandbox, but should be almost as good running
> under a $SAFE=4 thread. The core active-record objects would need
> to be wrapped up in a method-filtering proxy and then handed off
> to the page content as an erb script to render as it wants.
>
> Note that this is all just thoughts at the moment... the road to
> implementing such a beast would be quite tough - it's not something
> that could be done incrementally, which means the odds of me dedicating
> enough time to do it are fairly slim, but thought I'd throw this out
> there to get people's hopes up.
>
> Dan.
_______________________________________________
Radiant mailing list
Post: [email protected]
Search: http://radiantcms.org/mailing-list/search/
Site: http://lists.radiantcms.org/mailman/listinfo/radiant
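A constructed illustration of the tag-based approach Andrew argues for, added here and not code from the post or from Radiant: page content can only invoke tags that an extension has registered (there is no eval path), and each tag escapes the model values and attributes it emits. The `SafeTags` class, `build_page`, `render_demo` and the model values are all assumptions made for this example; Radiant's real DSL is `Radiant::Taggable`'s `tag` on Page classes.

```ruby
require 'erb' # only for ERB::Util.html_escape, the escaping helper

# Constructed stand-in for a Radius-style tag registry (not Radiant's code;
# Radiant registers tags through Radiant::Taggable's `tag` DSL on Page).
class SafeTags
  # Matches <r:name attr="v">body</r:name> or <r:name attr="v"/>. The body
  # match is lazy, so same-named nested tags are not handled by this toy.
  TAG_RE = /<r:(\w+)((?:\s+[\w-]+="[^"]*")*)\s*(?:\/>|>(.*?)<\/r:\1>)/m

  def initialize(model)
    @model = model   # the only data page content can reach
    @tags  = {}
  end

  # Register a tag. The block receives (attrs, expanded body, model).
  def tag(name, &block)
    @tags[name.to_s] = block
  end

  # Expand tags in page content. Unknown tags are rejected rather than
  # echoed; each registered tag decides what (escaped) text to emit.
  def render(content)
    content.gsub(TAG_RE) do
      md = Regexp.last_match
      handler = @tags[md[1]] or raise ArgumentError, "undefined tag <r:#{md[1]}>"
      attrs = md[2].scan(/([\w-]+)="([^"]*)"/).to_h
      handler.call(attrs, md[3] ? render(md[3]) : '', @model).to_s
    end
  end
end

# Tags an extension would define, escaping model values as the post urges.
def build_page(model)
  esc = ERB::Util.method(:html_escape)
  page = SafeTags.new(model)
  page.tag('title')  { |_a, _body, m| esc.call(m[:title]) }
  page.tag('author') { |_a, _body, m| esc.call(m[:author]) }
  page.tag('box') do |a, body, _m|   # attribute values are escaped too
    %(<div class="#{esc.call(a.fetch('class', 'box'))}">#{body}</div>)
  end
  page
end

# Constructed model holding values a content author might have typed in.
DEMO_MODEL = { title: 'Home <b>', author: '<script>alert(1)</script>' }.freeze

def render_demo
  build_page(DEMO_MODEL).render(
    %(<r:box class="x"><h1><r:title/></h1> by <r:author/></r:box>)
  )
end

puts render_demo if $PROGRAM_NAME == __FILE__
```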
