ERB templates in the database

Hi, I am currently developing a small cms in Rails. I decided recently
that I need to store both the content and the presentation template in
the database for flexibility. The system is based heavily on content
blocks and I need different templates for the same content block in
different contexts. Does anyone have good advice on how to solve that
technically? I know how to render an ERB template inline, but how do I
solve things like protecting some methods on objects like “destroy”
and so on. I have looked into other template languages that offer some
degree of protection like Radius and Liquid, but I like the fact that
ERB is bundled with Ruby and Rails already uses it, why reinvent the


I see what you are saying but question that by storing erb templates
in the DB would eventually become less flexible at some point in the

I can see why it could and why it couldn’t…

Would not using partials separated into directories by namespaces not

I guess this depends on how many templates you are looking at…, have
you tried a prototype of a db driven one? What were your results?

You could always have the DB output to files in the rails system on
demand? Maybe you write a model that doesn’t write to DB but instead
outputs to create the ERB files in the rails application’s view

Sorry maybe not so much help, but if it was me I would try the last

I would also try and avoid the need for this as much as possible by
good usage of layouts and css which I am currently using on a CMS

On Mar 18, 5:24 pm, fredd [email protected] wrote:

Because erb is not designed to be safe and liquid is. You’ll have a
really hard time preventing people doing bad stuff from erb. I’ve
never really seen Rails apps use Ruby’s safe levels and at least for C
ruby there’s not really a production ready sandbox that you could use.
Why reinvent the wheel trying to make erb safe when people have
already come up with things like liquid ?


I’ve been looking in to rendering safe templates recently. There are a
few options I have been exploring…

1.) JRuby Sandbox

  • There is a recent video presentation knocking about that is worth
    checking (I couldn’t find it via Google)

2.) Safemode (theforeman/safemode on GitHub): a library for safe evaluation of Ruby code based on ParseTree/RubyParser and Ruby2Ruby. Provides Rails ActionView template handlers for ERB and Haml.

  • I recently spoke to Sven and he is picking the project back up shortly

Personally I would like to allow designers to FTP up templates which are
rendered in a safe manner.

PS. My email address has changed add a dot between first/last names.

Thanks for the replies! I am slow to respond due to vacation and

It definitely sounds like a good idea to have the model output erb-
templates into the file system, I will look into that. But maybe ERB
is not safe to use at all if you want the users to alter the templates
on the fly (like in my cms). I think I have to look into Liquid and
Radius a bit more. The thing I have against it though is that you have
to re-implement common view helpers. I also think it’s quite hard to
do control structures in these languages.
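
The concern raised in this thread (a database-stored ERB template can call methods such as `destroy`), shown as an added example that is not part of any poster's message. `ContentBlock`, `render_erb`, `render_allowlisted` and the `{{ block.field }}` placeholder syntax are assumptions made for illustration; the allow-list renderer is a minimal stand-in for the idea behind restricted template languages, not Liquid's or Radius's API.

```ruby
require "erb"

# Constructed stand-in for an ActiveRecord content block (not from the thread).
class ContentBlock
  attr_reader :title, :body, :destroyed

  def initialize(title, body)
    @title = title
    @body = body
    @destroyed = false
  end

  def destroy
    @destroyed = true
  end
end

# ERB compiles the template to Ruby and evaluates it against the binding,
# so every method reachable from `block` is callable by the template author.
def render_erb(template, block)
  ERB.new(template).result(binding)
end

# Hypothetical allow-list renderer: the template is treated as data, never code.
# Only {{ block.<field> }} placeholders naming an allowed field are substituted.
ALLOWED_FIELDS = %w[title body].freeze
PLACEHOLDER = /\{\{\s*block\.(\w+)\s*\}\}/

def render_allowlisted(template, block)
  template.gsub(PLACEHOLDER) do
    field = Regexp.last_match(1)
    raise ArgumentError, "field not allowed: #{field}" unless ALLOWED_FIELDS.include?(field)

    # Escape the value so stored content cannot inject markup either.
    ERB::Util.html_escape(block.public_send(field).to_s)
  end
end

# Constructed templates, as they might be stored in the database.
ERB_TEMPLATE  = "<h1><%= block.title %></h1><% block.destroy %>"
SAFE_TEMPLATE = "<h1>{{ block.title }}</h1><p>{{ block.body }}</p>"
BAD_TEMPLATE  = "<h1>{{ block.destroy }}</h1>"
```

Rendering `ERB_TEMPLATE` silently destroys the block while producing normal-looking output; the allow-list renderer rejects `BAD_TEMPLATE` before any method is called.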