Include rails code in html

Can I include rails tags in html text in the db? Or perhaps include a
code like [=include_this_page] and do a find replace on that with <%=
render :partial => 'include_this_page' %> before output on the page?

Pål Bergström wrote:

Can I include rails tags

You mean ERb tags?

in html text in the db?

Yes (they’re just text), but you don’t want to:
<% User.delete_all %>

Or perhaps include a
code like [=include_this_page] and do a find replace on that with <%=
render :partial => 'include_this_page' %> before output on the page?

What exactly are you trying to do?

Best,

Marnen Laibow-Koser
http://www.marnen.org
[email protected]

Marnen Laibow-Koser wrote:

Pål Bergström wrote:

What exactly are you trying to do?

If I have text fetched from the db, how can I keep rails-code in there
and have it processed by Rails? Example:

This is some text from the db and <%= render :partial => 'text' %>

Pål Bergström wrote:

Marnen Laibow-Koser wrote:

Pål Bergström wrote:

What exactly are you trying to do?

If I have text fetched from the db, how can I keep rails-code in there
and have it processed by Rails? Example:

This is some text from the db and <%= render :partial => 'text' %>

As I explained in my earlier post, allowing execution of arbitrary Ruby
from the DB is horrendously dangerous – don’t do it! If you want
partials, use a limited template language. Radius is popular, or you
can create your own with something like Treetop.

Best,

Marnen Laibow-Koser
http://www.marnen.org
[email protected]

[Please interleave your reply with the quoted text. It will be easier
to follow.]

Pål Bergström wrote:

Marnen Laibow-Koser wrote:

As I explained in my earlier post, allowing execution of arbitrary Ruby
from the DB is horrendously dangerous – don’t do it! If you want
partials, use a limited template language. Radius is popular, or you
can create your own with something like Treetop.

It is? Why?

Have you read my earlier posts in this thread? Did you notice the
example I gave? Do you not understand the danger?

Ok, but my question was not addressed. How do you do it?

Your question was addressed. What specifically don’t you understand?

Best,

Marnen Laibow-Koser
http://www.marnen.org
[email protected]

Marnen Laibow-Koser wrote:

As I explained in my earlier post, allowing execution of arbitrary Ruby
from the DB is horrendously dangerous – don’t do it! If you want
partials, use a limited template language. Radius is popular, or you
can create your own with something like Treetop.

It is? Why?

Ok, but my question was not addressed. How do you do it?

Pål Bergström wrote:

Marnen Laibow-Koser wrote:

[Please interleave your reply with the quoted text. It will be easier
to follow.]

I thank you for your help but please don’t bother to answer with that
attitude.

What attitude? I had trouble understanding what you were replying to,
and I gave you a suggestion for how to make your replies more
comprehensible.

That is not welcome in any forum, trust me.
You often try to
make things more complex than they are.

I don’t think that’s true at all, but true or not, it is not relevant to
your question.

I had a simple question, that’s
all. :slight_smile:

And I gave you a simple answer. Apparently you didn’t understand the
answer. I’ll be happy to clarify it, but you have to make clear what
part you didn’t understand. If you can’t bother to do that, don’t
expect useful answers.

Best,

Marnen Laibow-Koser
http://www.marnen.org
[email protected]

Marnen Laibow-Koser wrote:

[Please interleave your reply with the quoted text. It will be easier
to follow.]

I thank you for your help but please don’t bother to answer with that
attitude. That is not welcome in any forum, trust me. You often try to
make things more complex than they are. I had a simple question, that’s
all. :slight_smile:

Pål Bergström wrote:

Marnen Laibow-Koser wrote:

[Please interleave your reply with the quoted text. It will be easier
to follow.]

I thank you for your help but please don’t bother to answer with that
attitude. That is not welcome in any forum, trust me. You often try to
make things more complex than they are. I had a simple question, that’s
all. :slight_smile:

Marnen is trying to help you. He answered your question clearly, and
concisely, when he said, “Yes (they’re just text)…” He also offered
you some VERY good advice with, “…, but you don’t want to:” And even
offered a perfectly clear example of why it’s so dangerous with, “<%
User.delete_all %>”.

I personally don’t blame him at all for his tone in the followup
replies.

Robert W. wrote:

Pål Bergström wrote:

Marnen is trying to help you. He answered your question clearly, and
concisely, when he said, “Yes (they’re just text)…” He also offered
you some VERY good advice with, “…, but you don’t want to:” And even
offered a perfectly clear example of why it’s so dangerous with, “<%
User.delete_all %>”.

I personally don’t blame him at all for his tone in the followup
replies.

I don’t see it that way, as this has happened before, sorry to say.

"It is? Why?

Ok, but my question was not addressed. How do you do it?"

I didn’t see a straight answer.

There is a fine line on how to be helpful and how to be helpful with an
“attitude”. I visit and use several forums during the day and I think
it’s a common understanding on where that line goes and how to preserve
a good climate. I don’t judge him, just letting him know that he crossed
the line a bit too often. That’s all :slight_smile:

Marnen Laibow-Koser wrote:

Pål Bergström wrote:
[…]

"It is? Why?

Ok, but my question was not addressed. How do you do it?"

I didn’t see a straight answer.

I didn’t see a straight question. I still haven’t seen a straight
question: what does “how do you do it?” refer to?

I left out a sentence when I typed this. After that paragraph, put the
following:

If you tell me what you’re missing, I’ll be happy to clarify.

[…]


Marnen Laibow-Koser
http://www.marnen.org
[email protected]

Marnen Laibow-Koser wrote:

As I explained in my earlier post, allowing execution of arbitrary Ruby
from the DB is horrendously dangerous – don’t do it!

Ok, I’ll try again :slight_smile:

Why?

Pål Bergström wrote:
[…]

"It is? Why?

Ok, but my question was not addressed. How do you do it?"

I didn’t see a straight answer.

I didn’t see a straight question. I still haven’t seen a straight
question: what does “how do you do it?” refer to?

There is a fine line on how to be helpful and how to be helpful with an
“attitude”. I visit and use several forums during the day

So do I.

and I think
it’s a common understanding on where that line goes and how to preserve
a good climate.

Apparently not.

I don’t judge him, just letting him know that he crossed
the line a bit too often. That’s all :slight_smile:

I don’t agree. Apparently, neither does Robert.

Best,

Marnen Laibow-Koser
http://www.marnen.org
[email protected]

Pål Bergström wrote:

Marnen Laibow-Koser wrote:

As I explained in my earlier post, allowing execution of arbitrary Ruby
from the DB is horrendously dangerous – don’t do it!

Ok, I’ll try again :slight_smile:

Why?

(I’m assuming at this point that you didn’t understand the thrust of my
example.)

Because it basically allows the user full access to inject arbitrary
code into your application. Sure, it would be nice to let the user
store

My address:

<%= render :partial => 'address' %>

in the database, and run it through ERb as if it were a Rails template.

Unfortunately, there’s no easy way to sandbox this. Instead of storing
the above in the database, the user could store

My address contains a nice surprise for Pål...

<% User.delete_all %>

When it gets run through ERb, the code between <% %> gets executed, and
you know the rest.

The remedy is very simple: never allow your users to inject arbitrary
Ruby code into your application. Radius is tailor-made for this sort of
thing – it was designed for the Radiant CMS. It can include partials,
it can display information about the page context that it’s running in,
it can do simple conditional logic – but it can’t screw with things
it’s not supposed to. This is the sort of template language you should
be using.

Again: there is no excuse for allowing users free rein to store
arbitrary executable code in your database, unless you have a suitable
sandbox in place (hint: it isn’t easy, and it’s probably not worth
doing). If you disregard this advice, and one of your users does
something malicious, you deserve every bit of what you get. :slight_smile:

Is that clearer? This question comes up surprisingly frequently on the
list.

Best,

Marnen Laibow-Koser
http://www.marnen.org
[email protected]
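To make the point in the post above concrete, here is a small added example (my own code, not Marnen's or anything from Rails itself). It runs the same kind of text column through ERb and through a restricted placeholder syntax like the [=include_this_page] idea from the first post. The database rows, the partials hash and the `render_partial` helper are constructed stand-ins for a real app's records and app/views, and `$side_effect` is just a marker to show whether the embedded Ruby actually ran.

```ruby
require "erb"

# Constructed stand-ins for rows of a text column (not real data).
BENIGN_ROW    = "My address:\n<%= render_partial('address') %>"
# The same column written by a hostile user: the <% %> tag is Ruby, and
# ERb will run it. (A harmless marker is used here instead of a destructive call.)
MALICIOUS_ROW = "My address contains a surprise...\n<% $side_effect = :executed %>"

# Assumed stand-in for Rails partials; a real app would render app/views/... here.
PARTIALS = {
  "address" => "<p>1 Example Street</p>",
  "text"    => "<p>Some shared text</p>",
}.freeze

$side_effect = nil

def render_partial(name)
  PARTIALS.fetch(name)
end

# VULNERABLE: the column is treated as a template. Every <% %> in it is
# evaluated with full access to the application, exactly as Marnen warns.
def render_via_erb(text)
  ERB.new(text).result(binding)
end

# HARDENED: a limited placeholder syntax, [=name], resolved by a lookup in an
# allowlist. Nothing in the text is ever evaluated; stray ERb tags are escaped
# and shown as literal text, so they are inert.
PLACEHOLDER = /\[=([a-z_]+)\]/

def render_via_placeholders(text)
  ERB::Util.html_escape(text).gsub(PLACEHOLDER) do
    name = Regexp.last_match(1)
    PARTIALS.key?(name) ? PARTIALS[name] : "[unknown partial: #{name}]"
  end
end

if __FILE__ == $PROGRAM_NAME
  puts render_via_erb(BENIGN_ROW)
  render_via_erb(MALICIOUS_ROW)
  puts "side effect after ERb: #{$side_effect.inspect}"   # => :executed

  $side_effect = nil
  puts render_via_placeholders("My address:\n[=address]\n<% $side_effect = :executed %>")
  puts "side effect after placeholders: #{$side_effect.inspect}"   # => nil
end
```

The placeholder version is the shape of what Radius gives you with far more features: the text can only ask for things you have explicitly made available, and everything else passes through as plain content. Escaping the surrounding text is a separate concern from code execution, but it is included here because a column that holds user-written markup usually needs it anyway.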

Pål Bergström wrote:

Marnen Laibow-Koser wrote:

Unfortunately, there’s no easy way to sandbox this. Instead of storing
the above in the database, the user could store

My address contains a nice surprise for Pål...

<% User.delete_all %>

That I know and understand.

I can’t add this <%= @variable %> directly in a text column, can I?

Why not? It’s just text. Again, though, anywhere you can have <%=
@variable %>, you can also have <% User.delete_all %>

This question comes up surprisingly frequently on the
list.

I couldn’t find an answer, that’s why I asked. Thanks for the
clarification, and I hope my clarification of my reaction is helpful.
You assumed it’s for any user.

Yes, because I doubt that you’d be storing it in the database otherwise.
If it’s not user-generated, it’s just going to be in app/views, right?

It’s not.

OK. So…what is your use case?

I didn’t mean to be rude but
this is what we normally mean of having “an attitude”, changing the
question and making assumptions.

I didn’t change the question AFAIK. I gave the best answer I could with
the (meager) information you supplied.

If you want better answers in future, ask better questions. :slight_smile: That
means supplying more information about what you’re trying to do. The
obvious way to do something is not always the best.

And give sort of an answer, but not for
what was the first question. Do you understand? I just asked how to do
it.

No, I don’t understand. If I see someone about to implement what looks
like a bad idea, I will tell them that. It wouldn’t be fair to do
otherwise.

Best,

Marnen Laibow-Koser
http://www.marnen.org
[email protected]

Marnen Laibow-Koser wrote:

No, I don’t understand. If I see someone about to implement what looks
like a bad idea, I will tell them that. It wouldn’t be fair to do
otherwise.

You can tell them and answer the question at the same time. That’s fair
:slight_smile:

Marnen Laibow-Koser wrote:

Unfortunately, there’s no easy way to sandbox this. Instead of storing
the above in the database, the user could store

My address contains a nice surprise for Pål...

<% User.delete_all %>

That I know and understand.

I can’t add this <%= @variable %> directly in a text column, can I?

This question comes up surprisingly frequently on the
list.

I couldn’t find an answer, that’s why I asked. Thanks for the
clarification, and I hope my clarification of my reaction is helpful.
You assumed it’s for any user. It’s not. I didn’t mean to be rude but
this is what we normally mean of having “an attitude”, changing the
question and making assumptions. And give sort of an answer, but not for
what was the first question. Do you understand? I just asked how to do
it.

Pål Bergström wrote:

Marnen Laibow-Koser wrote:

No, I don’t understand. If I see someone about to implement what looks
like a bad idea, I will tell them that. It wouldn’t be fair to do
otherwise.

You can tell them and answer the question at the same time. That’s fair
:slight_smile:

In this case, no. I don’t spoon-feed answers in general (though I’m not
rigid about that), and I especially refuse to do so when the answer is
dangerous – as in this case. If you have a modicum of understanding of
Ruby, you probably (1) already know (or are able to quickly figure out)
how to implement what you’re asking (it’s pretty straightforward), and
(2) understand why it’s a terrible idea and you should never do it. If
you don’t have that level of understanding, then you aren’t ready to do
something this dangerous.

Best,

Marnen Laibow-Koser
http://www.marnen.org
[email protected]

Marnen Laibow-Koser wrote:

, then you aren’t ready to do
something this dangerous.

Like I said, you definitely have an attitude problem that’s normally not
well seen in many forums. Thanks for the effort, but I still don’t have
an answer for my simple question.

Anyone else?

Pål Bergström wrote:

Marnen Laibow-Koser wrote:

, then you aren’t ready to do
something this dangerous.

Like I said, you definitely have an attitude problem

I don’t believe I do. Most people in this forum don’t take kindly to
people who:
(1) insist on doing dangerous things
(2) ask sketchy questions with insufficient information
(3) can’t figure out answers even after they have all the information
(4) don’t take the time to understand the explanations they’re given
(5) complain that others have attitude problems

that’s normally not
well seen in many forums.

This is typical behavior for the programming forums I’ve been in. I do
not believe I’ve said anything even slightly out of line.

Thanks for the effort, but I still don’t have
an answer for my simple question.

Yes you do. Read and understand this thread. You have several
suggestions from me. You may not like them, but they are there. Don’t
ignore advice just because it’s unpalatable.

I literally did everything but post completed code for you.

Anyone else?

Best,

Marnen Laibow-Koser
http://www.marnen.org
[email protected]