On 14 Oct 2008, at 22:29, Christian Johansen wrote:

>
> Brian Hogan wrote:
>> While this is pretty easy with the ERB library and its rendering, it's
>> also very dangerous. You'll need to build a whitelist of what you'll let
>> them do.
>>
>> "Hello #{User.delete_all}"
>>
>> Never let anyone arbitrarily monkey with your code or data.
>> Instead, make your own parser or look at how some of the CMS tools like
>> Radiant do things like this.
>>
>>
>> On Tue, Oct 14, 2008 at 3:46 PM, Christian Johansen <
>
> Yup, I'm very aware of the safety implications. Basically this will be
> available to people who have access to the code as well, but it makes
> this task a bit easier. I'll look up simpler parsing that'll just allow
> for looking up properties on a single object or something like that.
> Thanks!

For what it's worth, something like

@body = render :inline => some_string, :body => {}

would do it.

Fred

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
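Added example, not code from this thread or from Rails: a whitelist-only substitution template in plain Ruby, shown beside an ERB rendering of the same kind of string, to make concrete the distinction Brian and Christian are discussing (a parser that only looks up allowed properties on one object versus a template engine that evaluates arbitrary Ruby). The `{{property}}` syntax, the `Recipient` struct, the `ALLOWED_PROPERTIES` list and the `render_restricted` / `render_with_erb` names are all constructed for this example.

```ruby
require "erb"

# Constructed sample object whose properties a user-authored template may reference.
Recipient = Struct.new(:first_name, :last_name, :email)

# The only names the restricted template language exposes. Anything else is rejected,
# so adding a property is an explicit decision rather than something a template author
# can discover for themselves.
ALLOWED_PROPERTIES = %w[first_name last_name].freeze

# A placeholder looks like {{ name }}; only a bare lowercase identifier is accepted,
# so there is no way to write a method call, an argument or a constant inside it.
PLACEHOLDER = /\{\{\s*([a-z_]+)\s*\}\}/

class UnsafeTemplateError < StandardError; end

# Render a user-supplied template by substituting whitelisted properties of `object`.
# No Ruby is ever evaluated: the template is only ever scanned with a regexp, and an
# unknown name raises instead of being silently passed through or looked up.
def render_restricted(template, object)
  template.gsub(PLACEHOLDER) do
    name = Regexp.last_match(1)
    unless ALLOWED_PROPERTIES.include?(name)
      raise UnsafeTemplateError, "property #{name.inspect} is not allowed in templates"
    end
    object.public_send(name).to_s
  end
end

# For contrast: ERB evaluates whatever Ruby appears inside <%= %>, with the caller's
# binding, so whoever writes the template gets code execution in the rendering process.
# This is the behaviour the thread warns about; it is shown here only with harmless input.
def render_with_erb(template, object)
  ERB.new(template).result(binding)
end

if __FILE__ == $PROGRAM_NAME
  recipient = Recipient.new("Ada", "Lovelace", "ada@example.com")
  puts render_restricted("Hello {{ first_name }} {{last_name}}!", recipient)
  # ERB tags are not special to the restricted renderer: they pass through as text.
  puts render_restricted("Hello <%= 6 * 7 %>", recipient)
  puts render_with_erb("Hello <%= object.first_name %>, 6 * 7 is <%= 6 * 7 %>", recipient)
  begin
    render_restricted("Contact: {{email}}", recipient)
  rescue UnsafeTemplateError => e
    puts "rejected: #{e.message}"
  end
end
```

The restricted renderer deliberately has no escape hatch: it never calls `eval`, `instance_eval` or `send` on a name the template controls beyond the fixed whitelist, and the whitelist is checked before `public_send`, so a template cannot reach `email` here even though it is a real property of the object. If the rendered output ends up in HTML, the substituted values still need HTML-escaping, which this example does not do.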