Hi all.
Greetings… I have come across a situation where I let a CMS user/admin on
my site create a page with the HTML editor (tiny_mce), and he wants me
to run some Ruby code to generate the dynamic content through that… The
data (HTML) is saved in the database, and when showing it on the
page I fetch it and decode it with HTML entities (gem). Now the
problem is that the Ruby tags are not working in it… If you have any ideas
or any experience calling Ruby tags on a page, please reply.
On Apr 29, 4:16 am, Saurabh P. wrote:
I am not quite sure what you are asking. Are you trying to embed ERB
in your strings that the user is creating and execute it? Here's how
to do that (in irb… you don't need the "binding" in other places):
require 'erb'
# Parse the template string; nothing is executed until #result is called
template = ERB.new "<%= time %>"
time = Time.now
# Evaluate the template against the current local variables (here: time)
template.result(binding)
This is how to run the ERB parser on a string. You should look at the
code and documentation, because there are a good deal of code safety
options and whatnot when you dynamically execute code.
or you could save it temporarily to your views directory then render
it [maybe not a great idea]
On Tue, Apr 29, 2008 at 2:16 AM, Saurabh P.
Thanks for the help!!
I would like to implement it by this method also.
I have solved this problem in a way: my CMS user will create HTML, I
asked him to put a Ruby tag in it to generate dynamic content, and then I
saved the file as _some_name.rhtml and rendered that file.
So the HTML runs as it is and the Ruby tags also work well.
Thanks again!!
Just to make things explicit, do realise that the user (if malicious)
could put <%ActiveRecord::Base.connection.execute 'DROP DATABASE foo%>
or <% rm -rf /
%> in those templates and it would work.
Fred
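Putting the two replies above together as an added example (this is not code from the thread or from Rails): the ERB call from Roger's answer, rendered against an explicit hash so only named values are visible to the template, beside what the CMS content path should do instead given Fred's point: refuse ERB tags in stored HTML outright and expand only a whitelisted set of placeholders with HTML escaping. The `{{name}}` placeholder syntax, the `render_cms_html` helper and the sample values are assumptions of this example, not anything the thread describes.

```ruby
require 'erb'

# Developer-authored template (constructed example). ERB#result_with_hash
# (Ruby >= 2.5) exposes only the named values, but it does NOT sandbox the
# Ruby inside the tags, so this path is for trusted templates only.
TRUSTED_TEMPLATE = ERB.new('<p>Generated at <%= time %> for <%= site %></p>')

def render_trusted(time:, site:)
  TRUSTED_TEMPLATE.result_with_hash(time: time, site: site)
end

# Any ERB-style delimiter in CMS-authored HTML means someone is asking the
# server to run Ruby. Stored content with these tags should be rejected and logged.
def erb_tags?(html)
  html.match?(/<%|%>/)
end

# Dynamic values the CMS author may reference as {{name}} (assumed syntax).
# Lambdas keep evaluation lazy; the set of names is fixed by the developer.
ALLOWED_VALUES = {
  'time' => -> { Time.now.utc.strftime('%Y-%m-%d %H:%M UTC') },
  'site' => -> { 'example.com' },
}.freeze

PLACEHOLDER = /\{\{\s*([a-z_]+)\s*\}\}/

# Expands whitelisted placeholders with HTML escaping. Unknown names are left
# in place so they show up in review instead of silently disappearing.
def render_cms_html(html, values = ALLOWED_VALUES)
  raise ArgumentError, 'ERB tags are not permitted in CMS content' if erb_tags?(html)

  html.gsub(PLACEHOLDER) do
    name = Regexp.last_match(1)
    if values.key?(name)
      ERB::Util.html_escape(values[name].call.to_s)
    else
      Regexp.last_match(0)
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  puts render_trusted(time: Time.now.utc, site: 'example.com')
  puts render_cms_html('<h1>{{site}}</h1><p>{{time}}</p>')
  begin
    render_cms_html('<p><%= 1 + 1 %></p>')
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The split matters: ERB is a code execution engine, so it is only ever fed templates written by people who already have shell access to the server, while content from the CMS editor goes through a substitution step that can only ever produce text.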
Frederick C. wrote:
The user who will be posting the data is a CMS user, and he may not
be willing to drop anything from his own site!!!
Let's hope he will follow the instructions given!!