Hi all, greetings.

I have come across a situation where I let a CMS user/admin on my site create a page with the HTML editor (tiny_mce), and he wants me to run some Ruby code to generate the dynamic content through that. The data (HTML) is getting saved in the database, and while showing it on the page I am fetching and decoding it with HTML entities (gem). Now the problem is that the Ruby tags are not working on it. If you have any ideas or any experience calling the Ruby tags on a page, please reply.

--
Posted via http://www.ruby-forum.com/.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

On Apr 29, 4:16 am, Saurabh Purnaye <rails-mailing-l...-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
> Hi all, greetings.
> I have come across a situation where I let a CMS user/admin on
> my site create a page with the HTML editor (tiny_mce), and he wants me
> to run some Ruby code to generate the dynamic content through that. The
> data (HTML) is getting saved in the database, and while showing it on the
> page I am fetching and decoding it with HTML entities (gem). Now the
> problem is that the Ruby tags are not working on it. If you have any ideas
> or any experience calling the Ruby tags on a page, please reply.

I am not quite sure what you are asking. Are you trying to embed ERB in your strings that the user is creating and execute it? Here's how to do that (in irb... you don't need the "binding" in other places):

    require 'erb'
    # Compile the string as an ERB template
    template = ERB.new "<%= time %>"
    # Local variable the template refers to
    time = Time.now
    # Evaluate the template in the current scope
    template.result(binding)

This is how to run the ERB parser on a string. You should look at the code and documentation, because there is a good deal of code safety options and whatnot when you dynamically execute code.

or you could save it temporarily to your views directory then render it [maybe not a great idea]

On Tue, Apr 29, 2008 at 2:16 AM, Saurabh Purnaye <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
>
> Hi all, greetings.
> I have come across a situation where I let a CMS user/admin on
> my site create a page with the HTML editor (tiny_mce), and he wants me
> to run some Ruby code to generate the dynamic content through that. The
> data (HTML) is getting saved in the database, and while showing it on the
> page I am fetching and decoding it with HTML entities (gem). Now the
> problem is that the Ruby tags are not working on it. If you have any ideas
> or any experience calling the Ruby tags on a page, please reply.
> --
> Posted via http://www.ruby-forum.com/.

Roger Pack wrote:
> or you could save it temporarily to your views directory then render
> it [maybe not a great idea]
>
> On Tue, Apr 29, 2008 at 2:16 AM, Saurabh Purnaye

Thanks for the help!!
I would like to implement it by this method also.
I have solved this problem in a way: my CMS user will create the HTML, I asked him to put a Ruby tag in it to generate dynamic content, then saved the file as _some_name.rhtml, and then rendered that file.
So the HTML will run as it is and the Ruby tags also work well.
Thanks again!!

--
Posted via http://www.ruby-forum.com/.

> > On Tue, Apr 29, 2008 at 2:16 AM, Saurabh Purnaye
>
> Thanks for the help!!
> I would like to implement it by this method also.
> I have solved this problem in a way: my CMS user will create the HTML, I
> asked him to put a Ruby tag in it to generate dynamic content, then
> saved the file as _some_name.rhtml, and then rendered that file.
> So the HTML will run as it is and the Ruby tags also work well.
> Thanks again!!

Just to make things explicit, do realise that the user (if malicious) could put <%ActiveRecord::Base.connection.execute 'DROP DATABASE foo'%> or <% `rm -rf /` %> in those templates and it would work.

Fred
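
The point made above, shown next to a rendering path that never evaluates stored text. This is an added example, not code from any poster in the thread; the `{{ name }}` placeholder syntax, the `HELPERS` allow-list and all function names are assumptions made for illustration.

```ruby
require 'erb'

# Constructed sample of stored CMS HTML: two placeholders, one unknown
# placeholder, and an ERB tag that only does harmless arithmetic.
STORED = '<p>{{ site_name }} {{ current_year }}{{ nope }} <%= 1000 + 337 %></p>'

# Values an author may reference (hypothetical allow-list).
HELPERS = {
  'current_year' => -> { Time.now.year.to_s },
  'site_name'    => -> { 'Example Site' }
}.freeze

ERB_TAG     = /<%.*?%>/m
PLACEHOLDER = /\{\{\s*([a-z_]+)\s*\}\}/

# The approach from the thread: stored text is compiled and run as Ruby,
# so whatever sits between <% %> executes with the application's privileges.
def render_as_erb(stored)
  ERB.new(stored).result
end

# ERB tags present in stored content, for rejecting or flagging at save time.
def erb_tags(stored)
  stored.scan(ERB_TAG)
end

# Hardened rendering: never evaluates the text. ERB tags are neutralised by
# HTML-escaping, known placeholders are filled from HELPERS, unknown ones
# are dropped.
def render_cms(stored)
  inert = stored.gsub(ERB_TAG) { |tag| ERB::Util.html_escape(tag) }
  inert.gsub(PLACEHOLDER) do
    helper = HELPERS[Regexp.last_match(1)]
    helper ? ERB::Util.html_escape(helper.call) : ''
  end
end

if __FILE__ == $PROGRAM_NAME
  puts render_as_erb(STORED)   # the arithmetic has been executed
  puts render_cms(STORED)      # the tag is shown as text, not run
  p erb_tags(STORED)
end
```

The author still gets dynamic content, but only the values the developer chose to expose; the stored HTML itself remains trusted markup and would need separate sanitising if the author were not trusted.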

Frederick Cheung wrote:
>> > On Tue, Apr 29, 2008 at 2:16 AM, Saurabh Purnaye
>>
>> Thanks for the help!!
>> I would like to implement it by this method also.
>> I have solved this problem in a way: my CMS user will create the HTML, I
>> asked him to put a Ruby tag in it to generate dynamic content, then
>> saved the file as _some_name.rhtml, and then rendered that file.
>> So the HTML will run as it is and the Ruby tags also work well.
>> Thanks again!!
>
> Just to make things explicit, do realise that the user (if malicious)
> could put <%ActiveRecord::Base.connection.execute 'DROP DATABASE foo'%>
> or <% `rm -rf /` %> in those templates and it would work.
>
> Fred

The user who will be posting the data is a CMS user and he may not be willing to drop anything from his own site!!!
Let's hope he will follow the instructions given!!

--
Posted via http://www.ruby-forum.com/.