On Mon, Jan 12, 2009 at 5:57 PM, DAZ <[email protected]> wrote:

>
> Thanks for the reply Andrew, and thanks for the link - very useful and
> informative (as is your blog!).
>
> The idea is as part of a CMS-style app, so people would have to be
> signed in to edit files, and they probably wouldn't be able to choose
> the path, just the name. I guess I would use a similar whitelist
> approach to the one recommended in the docs.
>
> Would it be better to do this sort of thing at a database level -
> saving the whole CSS text in a Theme model or something?
>
> cheers,
>
> DAZ


There are pros and cons to everything; I just wanted you to be aware - I
don't like providing a solution to someone where they can shoot themselves
in the foot with it :-)

Even in a CMS-based app this can be dangerous.
If the CMS is for a specific client running on their own hardware, you have
less of a problem than if it is for public consumption.

If you want to allow people to customise the look of an application, I would
provide very specific things they can change.
Your idea of a Theme model can work, but still be careful of what they can
set as values. IE allows JavaScript to execute within CSS, which can open you
up to XSS attacks etc.

-- 
Andrew Timberlake
http://ramblingsonrails.com
http://www.linkedin.com/in/andrewtimberlake

"I have never let my schooling interfere with my education" - Mark Twain
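As an added example (not code from either poster), one way to carry out the whitelist idea discussed above: a Theme that stores individual property values and checks each against a strict allow-list before anything is saved or rendered, instead of storing free-form CSS text. The property names, patterns and class layout are assumptions; it is plain Ruby, and in Rails the same checks would sit in a model validation.

```ruby
# Added example (not from the thread): allow-list validation for a Theme
# that stores per-property CSS values rather than a CSS blob. Each
# customisable property maps to a strict pattern for its value, so anything
# outside that grammar (extra declarations, url(), expression(), behavior:,
# @import, and the like) is rejected before it is stored or emitted.
# Assumed names and patterns; plain Ruby rather than an ActiveRecord model.

HEX_COLOR  = /\A#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})\z/
FONT_SIZE  = /\A(?:[1-9][0-9]?|100)(?:px|pt|%)\z/
FONT_STACK = /\A[A-Za-z][A-Za-z0-9 ]*(?:,\s*[A-Za-z][A-Za-z0-9 ]*)*\z/

# Only these properties may be customised, and only in these forms.
ALLOWED_PROPERTIES = {
  "color"            => HEX_COLOR,
  "background-color" => HEX_COLOR,
  "font-size"        => FONT_SIZE,
  "font-family"      => FONT_STACK,
}.freeze

class Theme
  attr_reader :errors, :declarations

  # declarations: a Hash of CSS property name => user-supplied value
  def initialize(declarations)
    @declarations = declarations
    @errors = []
  end

  # True only if every property is allowed AND its value matches the
  # property's pattern; collects a message per failing declaration.
  def valid?
    @errors = []
    @declarations.each do |property, value|
      pattern = ALLOWED_PROPERTIES[property.to_s]
      if pattern.nil?
        @errors << "#{property}: property not customisable"
      elsif !pattern.match?(value.to_s)
        @errors << "#{property}: value not in allowed form"
      end
    end
    @errors.empty?
  end

  # Renders the stylesheet fragment, or nil if any declaration failed,
  # so unchecked values never reach the page.
  def to_css(selector = "body")
    return nil unless valid?
    body = @declarations.map { |p, v| "  #{p}: #{v};" }.join("\n")
    "#{selector} {\n#{body}\n}"
  end
end
```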

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby 
on Rails: Talk" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to 
[email protected]
For more options, visit this group at 
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
