Can I use ERB templates securely?

Hello,

I'm building a system that will allow users to modify layouts. Is there a way to securely use ERB, or will I need to use a different template engine such as Liquid?

I would prefer to use ERB, but haven't found a way to allow people to modify the templates without having access to running malicious code.

Any input would be helpful.

Thanks!

Since ERB allows you to call any Ruby code, including calls to the database, or even system calls, I think that wouldn't be a great idea for user templates.

You will need to use a different templating language such as Liquid.
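To make the distinction concrete, here is an added example (not from the thread): Ruby's standard ERB rendering a template the way a user-supplied layout would be rendered, beside a tiny allowlist-based placeholder renderer written for illustration. The restricted renderer is a hypothetical sketch of the limitation Liquid enforces, not the Liquid library itself; the template strings are constructed.

```ruby
require "erb"

# A template supplied by an untrusted user. With ERB, anything between <% %>
# is evaluated as Ruby inside the rendering process, so the template author
# can reach the database, the filesystem or the shell. A harmless expression
# (constructed example) stands in for that here: the layout reads an
# interpreter constant it has no business knowing about.
USER_ERB_TEMPLATE = "Hello <%= name %>! Running Ruby <%= RUBY_VERSION %>"

def render_with_erb(template, name:)
  # `binding` exposes the local variables of this method (here `name`)
  # to the template, along with everything else reachable from Ruby.
  ERB.new(template).result(binding)
end

# A deliberately restricted alternative in the spirit of Liquid (hypothetical,
# for illustration): only {{ key }} placeholders are expanded, only keys from
# an explicit allowlist are honoured, and nothing in the template is ever
# executed as Ruby. Unknown keys render as empty strings; ERB-style tags are
# treated as plain text.
PLACEHOLDER = /\{\{\s*([a-zA-Z_]\w*)\s*\}\}/

def render_restricted(template, allowed)
  template.gsub(PLACEHOLDER) do
    key = Regexp.last_match(1)
    allowed.key?(key) ? allowed[key].to_s : ""
  end
end

if $PROGRAM_NAME == __FILE__
  puts render_with_erb(USER_ERB_TEMPLATE, name: "Alice")
  puts render_restricted("Hello {{ name }}! {{ secret_token }}", "name" => "Alice")
  puts render_restricted("Still text: <%= RUBY_VERSION %>", "name" => "Alice")
end
```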

Ryan Bigg wrote:

You will need to use a different templating language such as Liquid.

-- Appreciated my help? Recommend me on Working With Rails http://workingwithrails.com/person/11030-ryan-bigg

Yep. This was the need Liquid was made for. Every Shopify store uses Liquid, and most of them look fantastic.