I currently have a page controller that gets HTML content from the DB and then renders it. Is there a way to use ERB to pre-process the HTML and make it rhtml, allowing me to post more dynamic content?
spokra wrote:
> I currently have a page controller that gets html content from the DB
> and then renders it. is there a way to use ERB to pre process the
> html and make it rhtml?

I suppose so, but this is a bad idea from a security point of view. It's too easy for someone to put into the DB a malicious piece of ERb code, say, something like

<h1>This is a malicious page!</h1>
<% User.delete_all %>

> allowing me to post more dynamic content..

There are better ways to do this. Can you explain more about your application?

Best,
--
Marnen Laibow-Koser
http://www.marnen.org
marnen-sbuyVjPbboAdnm+yROfE0A@public.gmane.org
--
Posted via http://www.ruby-forum.com/.
The page controller is only accessible to admins, for one.

I'd like to be able to create pages on the fly that include blog postings, news events, top stories, and I don't want to be changing the view files all the time. I guess I could make one page for each page type, like the home page, that includes what I want.

I guess the quick way to explain what I'm trying to do is: make a CMS that is ERB aware.

On Oct 1, 1:45 pm, Marnen Laibow-Koser <rails-mailing-l...@andreas-s.net> wrote:
> spokra wrote:
> > I currently have a page controller that gets html content from the DB
> > and then renders it. is there a way to use ERB to pre process the
> > html and make it rhtml?
>
> I suppose so, but this is a bad idea from a security point of view.
> It's too easy for someone to put into the DB a malicious piece of ERb
> code, say, something like
>
> <h1>This is a malicious page!</h1>
> <% User.delete_all %>
>
> > allowing me to post more dynamic content..
>
> There are better ways to do this. Can you explain more about your
> application?
>
> Best,
> --
> Marnen Laibow-Koser
> http://www.marnen.org
spokra wrote:
> the page controller is only accessible to admins for one.

That's kind of weak security when coupled with such a dangerous idea.

> I'd like to be able to create pages on the fly that include blog
> posting, news events top stories. and I don't want to be changing the
> view files all the time. I guess I could make one page for each page
> type like the home page that include what i want..
>
> I guess the quick way to explain what I'm trying to do is make a cms
> that is erb aware

Again, bad idea. Most CMSs include some form of template language that will do what you want (for example, Radius within the Radiant CMS), but by design, these languages never have all the features of ERb -- specifically, they can't execute arbitrary Ruby code. And that's the way it should be.

With that in mind, then, why not give a CMS like Radiant a try?

> On Oct 1, 1:45 pm, Marnen Laibow-Koser <rails-mailing-l...@andreas-

Best,
--
Marnen Laibow-Koser
http://www.marnen.org
marnen-sbuyVjPbboAdnm+yROfE0A@public.gmane.org
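The two replies above make one point: ERB run over a database row executes whatever Ruby the row contains, while a CMS template language such as Radius only expands tags the application chose to expose. The script below is an added example illustrating that contrast; it is not code from this thread and not Radiant's or Radius's implementation. It assumes a global flag standing in for the `User.delete_all` side effect so it can run standalone, a hypothetical `<r:tag />` syntax that merely mimics Radius, and a hypothetical `SAFE_TAGS` whitelist of handlers that a real CMS would register itself.

```ruby
require 'erb'
require 'cgi'

# Constructed sample page bodies, standing in for rows in the pages table.
# The "malicious" line only flips a global flag here so the example is
# harmless; in the thread's scenario it would be <% User.delete_all %>.
$side_effect = false

UNTRUSTED_ERB_PAGE = <<~'HTML'
  <h1>Welcome to <%= site_name %></h1>
  <% $side_effect = true %>
HTML

RESTRICTED_PAGE = <<~'HTML'
  <h1>Welcome to <r:site_name /></h1>
  <ul><r:latest_posts /></ul>
  <% $side_effect = true %>
HTML

# 1. The approach asked about: feed stored HTML straight to ERB.
#    Every <% %> block in the row runs as Ruby with this method's binding,
#    so anyone who can write the row (a malicious admin, or an attacker
#    holding an admin session or SQL access) runs code as the app process.
def render_with_erb(template, site_name)
  ERB.new(template).result(binding)
end

# 2. A Radius-style restricted template language (hypothetical, written for
#    this example). Only tags listed in SAFE_TAGS expand; everything else,
#    ERB delimiters included, is left as inert text. Values are HTML-escaped
#    unless a handler returns markup it has already escaped itself.
SafeHtml = Struct.new(:html)

SAFE_TAGS = {
  'site_name'    => ->(ctx) { ctx[:site_name] },
  'latest_posts' => ->(ctx) {
    SafeHtml.new(ctx[:posts].map { |t| "<li>#{CGI.escapeHTML(t)}</li>" }.join)
  },
}.freeze

TAG_RE = %r{<r:(\w+)\s*/>}

def render_restricted(template, ctx)
  template.gsub(TAG_RE) do
    name    = Regexp.last_match(1)
    handler = SAFE_TAGS.fetch(name) { raise ArgumentError, "unknown tag #{name}" }
    value   = handler.call(ctx)
    value.is_a?(SafeHtml) ? value.html : CGI.escapeHTML(value.to_s)
  end
end

# Run this at save time so an admin is told about a tag that does not exist
# instead of getting a broken page at render time.
def unknown_tags(template)
  template.scan(TAG_RE).flatten.uniq.reject { |name| SAFE_TAGS.key?(name) }
end

if __FILE__ == $PROGRAM_NAME
  puts render_with_erb(UNTRUSTED_ERB_PAGE, 'Example')
  puts "ERB ran the stored code: #{$side_effect}"
  $side_effect = false
  puts render_restricted(RESTRICTED_PAGE, site_name: 'Example', posts: ['First post'])
  puts "restricted renderer ran the stored code: #{$side_effect}"
end
```

The restricted renderer still trusts the stored body as HTML (that is the admin's job to author), so a compromised admin account can at worst inject markup into the site; with ERB the same account gets arbitrary code execution in the Rails process, which is the difference Marnen is pointing at.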