On 6 Nov 2008, at 00:48, Jesse Proudman wrote:
> I want to build a system where I can let users write templates that
> allow read access to Rails objects within and then send these templates
> out to customers via email. The problem I'm having is that through my
> tests, it's become obvious that this can create a security risk.

Have a look at liquid templates (http://www.liquidmarkup.org/), they were designed with that in mind.

Fred

> Example: A customer could put text into their template such as:
>
> @customers = Customer.find(:all)
> @customers.each do |c|
>   c.destroy
> end
>
> inside the ERB template and when I call it to render the results like
> this:
>
> # Render Template
> @text = ERB.new(lbt.body_content).result(binding)
>
> It will execute the above command and erase all the customers from the
> database.
>
> All I really want people to be able to do is parse variables I hand into
> the template, not actually load Rails objects and make changes. That
> way I can specify and pre-populate what they have access to and plug
> that security issue.
>
> Does anyone know the best way to do this? I'm assuming there are other
> ERB commands I can use to render, but I can't seem to find it.
>
> Thanks
>
> - Jesse
> --
> Posted via http://www.ruby-forum.com/.
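The contrast the thread is about, as an added example that is not code from either poster: `ERB#result(binding)` evaluates whatever Ruby the template author wrote, so the template can reach any object the binding can; a logic-less renderer (Liquid is the full-featured version of this idea) only substitutes the variables you hand it. The `render_with_erb`, `render_safely` and `ALLOWED_VARS` names and the sample data are constructed for this illustration.

```ruby
require 'erb'

# Constructed sample data: the only values a user-supplied template is
# meant to reference. Nothing else should be reachable from the template.
ALLOWED_VARS = { 'first_name' => 'Ada', 'balance' => '42.00' }.freeze

# Unsafe pattern from the thread: ERB compiles the template to Ruby and
# runs it in the caller's binding. Any expression the author writes is
# executed, with side effects, not just variable lookups.
def render_with_erb(template, vars)
  ERB.new(template).result(binding)
end

# Safer alternative: a tiny logic-less renderer. Only a bare identifier
# between {{ }} is recognised, it is looked up in the supplied hash, and
# nothing is ever evaluated. Unknown names render empty; anything that is
# not a plain identifier (method calls, Ruby code) is left untouched.
VAR_REF = /\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}/

def render_safely(template, vars)
  template.gsub(VAR_REF) { vars.fetch(Regexp.last_match(1), '') }
end

if __FILE__ == $PROGRAM_NAME
  # ERB evaluates the expression: the template author ran Ruby.
  puts render_with_erb('total: <%= 6 * 7 %>', ALLOWED_VARS)
  # The safe renderer substitutes only whitelisted names.
  puts render_safely('Hi {{ first_name }}, balance {{ balance }} {{ secret }}',
                     ALLOWED_VARS)
end
```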

