Hi,

So I have a basic CMS I'm working on where a page has a title and a body field. The body field is just plain HTML stored as text in the SQL database.

I have two questions/concerns:

1) How do I get ERB to work from within the SQL text entry? For instance, one of my pages has an image_tag helper method in it that doesn't work.

2) Is this a secure way to do this? Am I creating a security vulnerability by organizing my content this way?

Thanks!

Ron

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
On 7 Mar 2008, at 04:36, Ron wrote:

> Hi,
>
> So I have a basic CMS I'm working on where a page has a title and a body field. The body field is just plain HTML stored as text in the SQL database.
>
> I have two questions/concerns:
>
> 1) How do I get ERB to work from within the SQL text entry? For instance, one of my pages has an image_tag helper method in it that doesn't work.

You could try messing with render :inline, or I suppose call ERB directly.

> 2) Is this a secure way to do this? Am I creating a security vulnerability by organizing my content this way?

Well, the user could upload <% system("rm -rf/") %> or <% ActiveRecord::Base.connection.execute("delete all from foos") %>, so no, not very safe.

You might be interested in Liquid (http://www.liquidmarkup.org/), a templating language that was designed with that sort of problem in mind.

Fred
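The following is an added example, not code from this thread, from Rails or from Liquid. It runs on plain Ruby with only the stdlib ERB and CGI libraries and shows both halves of Fred's answer: feeding a DB-stored body through ERB (which is what render :inline amounts to) executes whatever Ruby the editor typed, while a restricted renderer in the spirit of Liquid treats the body as text and expands only a whitelist of helpers. The image_tag here is a stand-in for the Rails helper, the page bodies are constructed sample data, and the payload is a harmless marker rather than the rm -rf in Fred's message.

```ruby
require "erb"
require "cgi"

# Records whether editor-supplied Ruby actually ran. Stands in for the
# destructive side effects (system, ActiveRecord delete) Fred describes.
EXECUTED = []

# Constructed sample body, as an editor might store it in the CMS text column.
# The third line is the attack: Ruby that runs when the body is rendered as ERB.
UNSAFE_BODY = <<~HTML
  <h1>Welcome</h1>
  <%= image_tag("logo.png") %>
  <% EXECUTED << :arbitrary_ruby_ran %>
HTML

# Same page written for the restricted renderer below. ERB tags and a
# non-whitelisted helper are present to show they are never executed.
SAFE_BODY = <<~HTML
  <h1>Welcome</h1>
  {{ image_tag "logo.png" }}
  <% EXECUTED << :arbitrary_ruby_ran %>
  {{ system "rm -rf /" }}
HTML

# Stand-in for the Rails image_tag helper (assumption: not the real helper).
# Attribute values are HTML-escaped so a crafted filename cannot break out.
def image_tag(src)
  alt = File.basename(src, ".*")
  %(<img src="/images/#{CGI.escapeHTML(src)}" alt="#{CGI.escapeHTML(alt)}" />)
end

# Unsafe: the stored body is compiled to Ruby and evaluated in this process.
# Anyone who can write the body column can run anything the app can.
def render_with_erb(body)
  ERB.new(body).result(binding)
end

# Restricted: the body is text, never Ruby. Only helpers in this whitelist are
# expanded, their arguments are plain strings, and any tag that is not on the
# list is HTML-escaped and shown literally instead of being evaluated.
SAFE_HELPERS = {
  "image_tag" => ->(arg) { image_tag(arg) },
}.freeze

TAG = /\{\{\s*(\w+)\s+"([^"]*)"\s*\}\}/

def render_restricted(body)
  body.gsub(TAG) do
    helper, arg = Regexp.last_match(1), Regexp.last_match(2)
    fn = SAFE_HELPERS[helper]
    fn ? fn.call(arg) : CGI.escapeHTML(Regexp.last_match(0))
  end
end

if __FILE__ == $PROGRAM_NAME
  puts render_with_erb(UNSAFE_BODY)
  puts "ERB ran editor-supplied Ruby: #{EXECUTED.inspect}"
  puts render_restricted(SAFE_BODY)
end
```

Two caveats a reviewer would raise. First, the whitelist only closes the code-execution hole; the rest of the body is still raw HTML that reaches the browser unescaped, so it is only as safe as the people allowed to edit it. Second, a login in front of the editor does not change the ERB analysis: it means every editor account, and anyone who phishes or guesses one, holds remote code execution on the server.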
Thanks, Fred. The ability to edit the SQL is behind a hashed login. So the set of users looking at this would not type in something like that. Although I suppose even leaving that possibility open isn't a good practice.

Liquid markup looks really interesting. I'll have to try that out.

Ron

On Mar 7, 1:30 am, Frederick Cheung <frederick.che...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:

> Well, the user could upload <% system("rm -rf/") %> or <% ActiveRecord::Base.connection.execute("delete all from foos") %>, so no, not very safe.
> You might be interested in Liquid (http://www.liquidmarkup.org/), a templating language that was designed with that sort of problem in mind.
>
> Fred