Using ERB inside SQL fields

Hi,

So I have a basic CMS I'm working on where a page has a title and a body field. The body field is just plain html stored as text in the SQL database.

I have two questions/concerns:

1) How do I get ERB to work from within the SQL text entry? For instance, one of my pages has an image_tag helper method in it that doesn't work.

2) Is this a secure way to do this? Am I creating a security vulnerability by organizing my content this way?

Thanks!

Ron

> Hi,
>
> So I have a basic CMS I'm working on where a page has a title and a body field. The body field is just plain html stored as text in the SQL database.
>
> I have two questions/concerns:
>
> 1) How do I get ERB to work from within the SQL text entry? For instance, one of my pages has an image_tag helper method in it that doesn't work.

You could try messing with render :inline, or I suppose calling ERB
directly.

> 2) Is this a secure way to do this? Am I creating a security vulnerability by organizing my content this way?

Well, the user could upload <% system("rm -rf /") %> or <%
ActiveRecord::Base.connection.execute("delete from foos") %>, so no,
not very safe. You might be interested in Liquid (http://www.liquidmarkup.org/), a
templating language that was designed with that sort of problem in mind.

Fred
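
To make Fred's two points concrete, here is an added example (not code from the thread or from Liquid) in plain Ruby with the stdlib ERB. PAGES is a constructed stand-in for the CMS's pages table, image_tag is a hypothetical stand-in for the Rails helper, and render_restricted is a deliberately tiny allow-list template in the spirit of Liquid, not Liquid itself. It shows that calling ERB directly on the stored body does make image_tag work, but also hands the editor every method reachable from the binding, whereas a restricted template only interprets the one tag shape you allow and leaves everything else inert.

```ruby
require "erb"

# Constructed sample rows standing in for the CMS's pages table (assumption:
# body is trusted-editor HTML stored as text, as described in the thread).
PAGES = {
  "about-erb"      => '<h1>About</h1><p><%= image_tag("team.png") %></p>',
  "about-tokens"   => '<h1>About</h1><p>{{ image_tag "team.png" }}</p>',
  # Bodies a hostile or hijacked editor account could store:
  "hostile-erb"    => '<p><%= Kernel.respond_to?(:system, true) && File.respond_to?(:delete) %></p>',
  "hostile-tokens" => '<p>{{ system "rm -rf /" }}</p>',
}.freeze

# Hypothetical stand-in for Rails' image_tag helper; it only builds the markup.
def image_tag(src)
  %(<img src="/images/#{src}" alt="#{File.basename(src, '.*')}" />)
end

# 1) Calling ERB directly on the stored body. image_tag now works, but the body
#    is compiled as Ruby, so every method reachable from this binding (system,
#    File.delete, ActiveRecord in a Rails app) is callable by whoever edits it.
def render_with_erb(body)
  ERB.new(body).result(binding)
end

# 2) A restricted template in the spirit of Liquid: the only syntax interpreted
#    is {{ helper "arg" }}, and only helpers in ALLOWED_HELPERS may be called.
#    Anything else, ERB tags included, passes through as the literal text typed.
class ForbiddenHelper < StandardError; end

ALLOWED_HELPERS = { "image_tag" => method(:image_tag) }.freeze
TOKEN = /\{\{\s*(\w+)\s+"([^"]*)"\s*\}\}/

def render_restricted(body)
  body.gsub(TOKEN) do
    name, arg = Regexp.last_match(1), Regexp.last_match(2)
    helper = ALLOWED_HELPERS.fetch(name) do
      raise ForbiddenHelper, "#{name} is not an allowed helper"
    end
    helper.call(arg)
  end
end

if __FILE__ == $PROGRAM_NAME
  puts render_with_erb(PAGES["about-erb"])
  puts render_with_erb(PAGES["hostile-erb"])     # <p>true</p>: full Ruby is available
  puts render_restricted(PAGES["about-tokens"])
  puts render_restricted(PAGES["hostile-erb"])   # ERB tags are left inert
  begin
    render_restricted(PAGES["hostile-tokens"])
  rescue ForbiddenHelper => e
    puts "rejected: #{e.message}"
  end
end
```

The hostile-erb page only runs a harmless respond_to? check, but the point is that the template author could just as easily have written the system() or execute() calls Fred shows; rendering ERB from a database column makes "can edit a page" equivalent to "can run Ruby on the server", so the login in front of the editor is the only thing standing between a page edit and a shell. Rails' render :inline compiles the string as ERB in the same way (and additionally exposes the view context), so it does not change the picture. For real use, Liquid gives you the allow-list behaviour above with proper syntax, filters and error handling; the regex renderer here is only meant to show why a template language that cannot reach arbitrary Ruby is the fix.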

Thanks, Fred. The ability to edit the SQL is behind a hashed login. So the set of users looking at this would not type in something like that. Although I suppose even leaving that possibility open isn't a good practice.

Liquid markup looks really interesting. I'll have to try that out.

Ron