Jeff Barczewski
2007-Jan-22 15:31 UTC
[Masterview-devel] From Rails list - Fwd: [Rails] "Safe" template engine with custom tags?
Here is a request that came on the Rails list along with my response. I think eventually I'd like to take a closer look at doing non-evaling or sandboxed directives to make this type of template editing safe for untrusted users.

Jeff

Forwarded Conversation
Subject: [Rails] "Safe" template engine with custom tags?
------------------------

From: goodieboy <goodieBoy at gmail.com>
Reply-To: rubyonrails-talk at googlegroups.com
To: "Ruby on Rails: Talk" <rubyonrails-talk at googlegroups.com>
Date: Fri, Jan 19, 2007 at 4:52 PM

I'm thinking about creating a CMS which stores templates, layouts and page content in a database. This would allow me and the client to update content from a browser. Not sure about the safety issues with this though? Is it a bad idea to allow the rails template engine to be manipulated from a browser? It'll all be password protected of course. It would give me a ton of flexibility... but something smells weird...

If it's a *REALLY* bad idea then... Does anyone know of a template engine that will:

1. integrate seamlessly
2. provide an easy syntax
3. give access to helpers just like the Rails template engine
4. provide ability to create custom tags

Anyone? Something like the Radius template engine with built in Rails support would be fantastic I think.

- matt

--------

From: Russell Norris <sconds at gmail.com>
Reply-To: rubyonrails-talk at googlegroups.com
To: rubyonrails-talk at googlegroups.com
Date: Mon, Jan 22, 2007 at 7:42 AM

I sure hope it's safe 'cause I'm about to move one of my apps to the same kind of thing. You might be interested in the theme_support plugin, the liquid templating system, and looking over Mephisto's source code. I think you'll find a lot of useful ideas there. I know I have.

RSL

--------

From: Jeff Barczewski <jeff.barczewski at gmail.com>
To: rubyonrails-talk at googlegroups.com
Date: Mon, Jan 22, 2007 at 9:27 AM

On 1/19/07, goodieboy <goodieBoy at gmail.com> wrote:
>
> I'm thinking about creating a CMS which stores templates, layouts and
> page content in a database. This would allow me and the client to
> update content from a browser. Not sure about the safety issues with
> this though? Is it a bad idea to allow the rails template engine to be
> manipulated from a browser? It'll all be password protected of course.
> It would give me a ton of flexibility... but something smells weird...
> If it's a *REALLY* bad idea then...
>
> Does anyone know of a template engine that will:
>
> 1. integrate seamlessly
> 2. provide an easy syntax
> 3. give access to helpers just like the Rails template engine
> 4. provide ability to create custom tags
>

The MasterView template engine currently meets some of your goals. http://masterview.org/

It will integrate seamlessly with Rails. It provides an easy syntax (attribute based but very similar to the native syntax for Rails helpers). It provides full access to helpers, partials, layouts just like ERB. The directives allow the content to inherit their style from the html so that you can design with a WYSIWYG editor. It was designed from the ground up to be customizable and extensible with custom directives (like tags but attribute based). The API was refactored to use a DSL to simplify directive creation.

MasterView is designed to allow designers to WYSIWYG the templates, while still allowing the full power of ERB (partials, helpers). We are developing some power attributes that simplify the creation of Ajax'd tables.

The MasterView system has a pluggable IO framework allowing the templates to exist anywhere (file system, DB, memory, etc.); however we have not implemented the DB version yet. The hooks are there but we just haven't gotten to it yet.

As for the safety of doing things, here is my take:

If you are allowing your trusted developers to make changes to these templates, then this is not much different than having it on the file system. Assuming you secure it behind user authentication to access these files, then it is not much different. Much more convenient than requiring someone to scp or ftp the files up. However this is ruby code with the same access as your code on the filesystem, so it should be given the same respect and code reviews.

However if you are wanting to allow generic users (not just your developers) to be able to change the templates, then you will want to either prevent them from using evaling code or to use some sort of sandboxing. We are planning to add some non-evaling or sandboxed directives to MasterView but that is still a little ways off. Doing this today, you might consider using Liquid for that aspect of things if you need to allow users to edit templates and not simply content. Liquid can be used in conjunction with MasterView as well. Hendy Irawan has done this for his site.

If it were me, I would take the approach of trying to limit the end users from being able to directly change templates. Provide them a way to change the content all they want. Give them a way to change the CSS. If you have the right hooks into the content for CSS you would be surprised about the layouts you can get just by changing this. Check out http://www.csszengarden.com/ to see how drastically sites can be changed with CSS alone. This should get you most of the way there and it can be made to be totally safe.

Then if this doesn't meet all your needs, you might provide several canned template layouts that you created and they can choose one of them. Beyond that check out using Liquid possibly with MasterView depending on your needs.

If you have any questions about this, I will do my best to help. If you would like to know more how MasterView works we have some illustrations and screencasts on the site. http://masterview.org/ as well as mailing lists, etc. (We are preparing a new release that fixes some smaller issues with Rails 1.2, should be out in the next few days, trunk already has fixes).

Blessings,

--
Jeff Barczewski, MasterView project founder
Inspired Horizons Ruby on Rails Training and Consultancy
Next Ruby on Rails plus JRuby workshop Feb 22-24 St. Louis, MO
http://inspiredhorizons.com/training/rails
Limited seating, register now!

--------
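The distinction Jeff draws above, between an ERB template that evaluates embedded Ruby and a "non-evaling" directive that only places content, as an added Ruby example that is not part of the original thread and is not MasterView's or Liquid's code. The `{{ name | filter }}` renderer, `render_safe`, `UnsafeTemplate` and the sample template are all constructed here for illustration.

```ruby
require "erb"

# Constructed sample: a page template as a CMS might store it in a database
# row. The first tag inserts content; the second is an arbitrary Ruby
# expression that whoever edits the template could just as well type in.
ERB_TEMPLATE = "<h1><%= title %></h1><p><%= 6 * 7 %></p>"

# ERB evaluates every <%= %> tag as Ruby in the caller's binding, so a
# DB-stored ERB template runs with the same access as the application
# itself. That is the "same respect and code reviews" point in the thread.
def render_erb(template, title:)
  ERB.new(template).result(binding)
end

# A minimal non-evaling renderer (hypothetical; not Liquid or MasterView):
# a tag may name a variable, optionally followed by one filter from a fixed
# whitelist. Nothing is eval'd, so a template editor can place content but
# cannot run Ruby.
SAFE_TAG = /\{\{\s*([a-z_]+)(?:\s*\|\s*([a-z_]+))?\s*\}\}/
FILTERS = {
  "upcase" => ->(v) { v.to_s.upcase },
  "escape" => ->(v) { ERB::Util.html_escape(v) },
}.freeze

class UnsafeTemplate < StandardError; end

def render_safe(template, vars)
  # Reject any tag that is not a plain variable reference before rendering,
  # e.g. "{{ 6 * 7 }}", rather than silently passing it through.
  template.scan(/\{\{.*?\}\}/).each do |tag|
    raise UnsafeTemplate, "unsupported tag #{tag}" unless tag.match?(/\A#{SAFE_TAG}\z/)
  end
  template.gsub(SAFE_TAG) do
    name, filter = Regexp.last_match(1), Regexp.last_match(2)
    raise UnsafeTemplate, "unknown variable #{name}" unless vars.key?(name)
    raise UnsafeTemplate, "unknown filter #{filter}" if filter && !FILTERS.key?(filter)
    value = vars[name]
    value = FILTERS[filter].call(value) if filter
    value.to_s
  end
end

if __FILE__ == $0
  puts render_erb(ERB_TEMPLATE, title: "Hello")   # the 6 * 7 tag is executed: 42
  puts render_safe("<h1>{{ title | upcase }}</h1>", "title" => "Hello")
end
```

Running it shows the ERB tag executing as code while the same idea written as `{{ 6 * 7 }}` is rejected by the non-evaling renderer before anything is rendered.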