On Feb 28, 11:30 am, Dudebot <[email protected]> wrote:
> On Feb 28, 3:04 am, Michael Pavling <[email protected]> wrote:
> > On 27 February 2010 21:15, Dudebot <[email protected]> wrote:
> > > Needless to say, this code is *not safe*. A user can run anything in
> > > that eval. In my application, only trusted users have access to
> > > building templates.
> >
> > I don't think it's needless... I think it's extremely important to
> > say. For anyone reading this post and thinking it's a solution to
> > their problem - if anyone sat back and presented this as a "fix" to
> > me, I would fire them for their recklessness :-/
>
> That's exactly why I said it ;) Believe it or not, in this particular
> application we have written contracts with the administrators that
> would be creating templates (for other reasons as well.)

It's not necessarily malicious - if your administrators are not trained
Ruby developers (or even if they are) sooner or later they will make a
mistake. They probably won't accidentally type
<%= ActiveRecord::Base.connection.execute 'drop database ...' %>
but they could easily type something which raises an error in some cases
(or all cases) and before you know it you're getting called at 3 in the
morning because something isn't working.

Fred

> However, I am eager to find a better way, and thanks, Jarin, for the
> reference to Liquid!
>
> Thanks,
> Craig

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
http://groups.google.com/group/rubyonrails-talk?hl=en
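The thread's two concerns are that an eval-based template lets the author run arbitrary Ruby, and that even a well-meaning administrator will eventually save a template that raises at render time. The following is an added illustration of the restricted-language approach the thread points to (the kind of thing Liquid does), written for this page and not taken from the thread, from Liquid, or from Rails. It assumes a `{{ name }}` placeholder syntax and a hypothetical whitelist of three variable names; nothing in it is evaluated as code, and templates are checked at save time so mistakes show up in the admin's browser rather than in a 3 am page.

```ruby
# Added example: a minimal substitution-only template renderer.
# Not Liquid and not the thread's code; the {{ name }} syntax, the ALLOWED
# list and the sample templates below are constructed for illustration.

module SafeTemplate
  # Only these names may be referenced from a template (hypothetical list).
  # Any other name is rejected when the template is validated.
  ALLOWED = %w[customer_name order_id total].freeze

  # A well-formed placeholder: {{ identifier }} with optional spaces.
  TAG = /\{\{\s*([a-zA-Z_][a-zA-Z0-9_]*)\s*\}\}/

  # Returns a list of problems found in the template text. An empty list
  # means the template may be stored. Call this when an administrator saves
  # a template so that typos and unclosed tags are reported immediately.
  def self.validate(template)
    errors = []

    template.scan(TAG).flatten.uniq.each do |name|
      errors << "unknown variable '#{name}'" unless ALLOWED.include?(name)
    end

    # Remove every well-formed tag; any brace left over is an unclosed or
    # malformed placeholder.
    leftover = template.gsub(TAG, "")
    if leftover.include?("{{") || leftover.include?("}}")
      errors << "malformed or unclosed tag"
    end

    # ERB-style code tags are never meaningful here because nothing is
    # evaluated, so their presence is almost certainly a mistake.
    errors << "code tags (<% %>) are not permitted" if template.include?("<%")

    errors
  end

  # Substitutes values (a Hash with String keys) into a validated template.
  # A variable that is allowed but absent from `values` renders as an empty
  # string instead of raising, so a missing field degrades to a blank rather
  # than a failed request.
  def self.render(template, values)
    errors = validate(template)
    raise ArgumentError, errors.join("; ") unless errors.empty?

    template.gsub(TAG) do
      name = Regexp.last_match(1)
      values.fetch(name, "").to_s
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample templates, as an administrator might type them.
  good = "Dear {{ customer_name }}, order {{order_id}} totals {{ total }}."
  typo = "Dear {{ custmer_name }}, thanks!"

  puts SafeTemplate.validate(good).inspect
  puts SafeTemplate.validate(typo).inspect
  puts SafeTemplate.render(good, "customer_name" => "Ann",
                                 "order_id" => 42, "total" => "$10.00")
end
```

The design choice worth noting is that `validate` runs at save time and `render` runs it again as a backstop: the first catches the administrator's mistake while they can still fix it, the second guarantees that a template which somehow bypassed the first check still cannot reach an eval, because there is none to reach.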

