Force ERB templates to prevent making changes to models?


#1

I want to build a system where I can let users write templates that
allow read access to Rails objects within and then send these templates
out to customers via email. The problem I’m having is that through my
tests, it’s become obvious that this can create a security risk.

Example: A customer could put text into their template such as:

@customers = Customer.find(:all)
@customers.each do |c|
c.destroy
end

inside the ERB template and when I call it to render the results like
this:

Render Template

@text = ERB.new(lbt.body_content).result(binding)

It will execute the above command and erase all the customers from the
database.

All I really want people to be able to do is parse variables I hand into
the template, not actually load Rails objects and make changes. That
way I can specify and pre-populate what they have access to and plug
that security issue.

Does any one know the best way to do this? I’m assuming there are other
ERB command I can use to render, but I can’t seem to find it.

Thanks

  • Jesse

#2

On 6 Nov 2008, at 00:48, Jesse P. wrote:

I want to build a system where I can let users write templates that
allow read access to Rails objects within and then send these
templates
out to customers via email. The problem I’m having is that through my
tests, it’s become obvious that this can create a security risk.

Have a look at liquid templates (http://www.liquidmarkup.org/) , they
were designed with that in mind.

Fred