Hello, I''m building a system that will allow users to modify layouts. Is there a way to securely use ERB, or will I need to use a different template engine such as Liquid? I would prefer to use ERB, but haven''t found a way to allow people to modify the templates without having access to running malicious code. Any input would be helpful. Thanks! -- Posted via http://www.ruby-forum.com/. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
Since ERB allows you to call any ruby code, including calls to the database, or even system calls, I think that wouldn''t be a great idea for user templates. On May 27, 2:31 pm, Nate Leavitt <rails-mailing-l...-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:> Hello, > > I''m building a system that will allow users to modify layouts. Is there > a way to securely use ERB, or will I need to use a different template > engine such as Liquid? > > I would prefer to use ERB, but haven''t found a way to allow people to > modify the templates without having access to running malicious code. > > Any input would be helpful. > > Thanks! > -- > Posted viahttp://www.ruby-forum.com/.--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
You will need to use a different templating language such as Liquid. -- Appreciated my help? Recommend me on Working With Rails http://workingwithrails.com/person/11030-ryan-bigg --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
Ryan Bigg wrote:> You will need to use a different templating language such as Liquid. > > > -- > Appreciated my help? > Recommend me on Working With Rails > http://workingwithrails.com/person/11030-ryan-biggYep. This was the need liquid was made for. Every shopify store uses liquid, and most of them look fantastic. -- Posted via http://www.ruby-forum.com/. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---