ERB templates in the database

fredd · March 18, 2009, 6:38pm

Hi, I am currently developing a small cms in Rails. I decided recently
that I need to store both the content and the presentation template in
the database for flexibility. The system is based heavily on content
blocks and I need different templates for the same content block in
different contexts. Anyone has a good advice on how to solve that
technically? I now how to render a erb template inline, but how do I
solve things like protecting some methods on objects like “destroy”
and so on. I have looked into other template languages that offer some
degree of protection like Radius and Liquid, but I like the fact that
ERB is bundled with Ruby and Rails already uses it, why reinvent the
wheel.

Cheers
Fredrik

fredd · March 19, 2009, 6:10am

I see what you are saying but question that by storing erb templates
in the DB would eventually become less flexible at some point in the
future??

I can see why it could and why it couldn’t…

Would not using partials separated into directories by namespace’s not
work?

I guess this depends on how many templates you are looking at…, have
you tried a protoype of a db driven one? What were your results?

You could always have the DB output to files in the rails system on
demand? Maybe you write a model that doesn’t write to DB but instead
outputs to create the ERB files in the rails application’s view
folder…

Sorry maybe not so much help, but if it was me I would try the last
option…

I would also try and avoid the need for this as much as possible by
good usage of layouts and css which I am currently using on a CMS
system…

fredd · March 19, 2009, 11:45am

On Mar 18, 5:24 pm, fredd [email protected] wrote:

wheel.
Because erb is not designed to be safe and liquid is. You’ll have a
really hard time preventing people doing bad stuff from erb. I’ve
never really seen rails up use ruby’s safe levels and at least for C
ruby there’s not really a production ready sandbox that you could use.
Why reinvent the wheel trying to make erb safe when people have
already come up with things like liquid ?

Fred

fredd · July 8, 2009, 1:15pm

I’ve been looking in to rendering safe templates recently. There are a
few options I have been exploring…

1.) JRuby Sandbox

There is a recent video presentation knocking about that is worth
checking (I couldn’t find it via Google)

2.) Safemode GitHub - theforeman/safemode: A library for safe evaluation of Ruby code based on ParseTree/RubyParser and Ruby2Ruby. Provides Rails ActionView template handlers for ERB and Haml.

I recently spoke to Sven and he is picking the project back up shortly

Personally I would like to allow designers to FTP up templates which are
rendered in a safe manner.

PS. My email address has changed add a dot between first/last names.

fredd · March 24, 2009, 6:40pm

Thanks for the replies! I am slow to respond due to vacation and
stuff:)

It defenently sounds like a good idea to have the model output erb-
templates into the file system, I will look into that. But maybe ERB
is not safe to use at all if you want the users to alter the templates
on the fly (like in my cms). I think I have to look into Liquid and
Radius a bit more. The thing I have against it though is that you have
to re-implement common view helpers. I also think it’s quite hard to
do control structures in these languages.