I want to build a system where I can let users write templates that allow read access to Rails objects within and then send these templates out to customers via email. The problem I'm having is that through my tests, it's become obvious that this can create a security risk.
Example: A customer could put text into their template such as:
@customers = Customer.find(:all) @customers.each do |c| c.destroy end
inside the ERB template and when I call it to render the results like this:
# Render Template @text = ERB.new(lbt.body_content).result(binding)
It will execute the above command and erase all the customers from the database.
All I really want people to be able to do is parse variables I hand into the template, not actually load Rails objects and make changes. That way I can specify and pre-populate what they have access to and plug that security issue.
Does any one know the best way to do this? I'm assuming there are other ERB command I can use to render, but I can't seem to find it.
Thanks
- Jesse
