I want to allow users to create mail templates through an administration
page. I store the email body as text in the database, and now I want to
take the string, and treat it like an email template and send as mail.
So for instance, if something like this is in the database:
email_templates
id | text
1 | Hello #{@user.name}! This is an email
...
Then I’d like to do this:
template = EmailTemplate.find(1)
user = User.find(1)
MyMailer.deliver_some_mail(template.text, user)
While this is pretty easy with the ERB library and its rendering, it’s also very dangerous. You’ll need to build a whitelist of what you’ll let them do.
“Hello #{User.delete_all}”
Never let anyone arbitrarily monkey with your code or data.
Instead, make your own parser or look at how some of the CMS tools like
Radiant do things like this.
On Tue, Oct 14, 2008 at 3:46 PM, Christian J. <
Yup, I’m very aware of the safety implications. Basically this will be
available to people who have access to the code as well, but it makes
this task a bit easier. I’ll look up simpler parsing that’ll just allow
for looking up properties on a single object or something like that.
Thanks!
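As an added illustration of the "whitelist" and "look up properties on a single object" approach discussed above (this is example code written for this thread, not code from either poster or from Rails/Radiant): a small renderer that accepts only `{{object.attribute}}` placeholders and resolves them against an explicit allow-list, so the hostile `#{User.delete_all}` from the first reply stays inert text instead of being evaluated. The `User` struct, the `SafeTemplate` class, the `ALLOWED` table and the sample template strings are all assumptions constructed for the example.

```ruby
# Added example (not from the thread): a whitelist-based template renderer
# as an alternative to evaluating user-supplied templates with ERB.
#
# ERB would execute arbitrary Ruby inside "#{...}" / "<%= ... %>", so a
# template author could run anything the mailer process can. This renderer
# only recognises placeholders of the form {{object.attribute}} and resolves
# them against an explicit allow-list of attributes per object name.

# Stand-in for the ActiveRecord model in the thread (constructed here so the
# example runs without Rails or a database).
User = Struct.new(:name, :email, :password_digest)

class SafeTemplate
  class UnknownPlaceholder < StandardError; end

  # Exactly the attributes a template author may reference, per object name.
  # Anything not listed (e.g. password_digest) cannot be pulled into a mail.
  ALLOWED = {
    'user' => %w[name email].freeze
  }.freeze

  # Placeholder syntax: {{ object.attribute }}; no nesting, no method calls,
  # no Ruby. Everything else in the template is treated as literal text.
  PLACEHOLDER = /\{\{\s*([a-z_]+)\.([a-z_]+)\s*\}\}/

  def initialize(text)
    @text = text
  end

  # Every (object, attribute) pair the template references that is not on
  # the allow-list. Run this when an administrator saves a template so a
  # bad one is rejected before it can ever be sent.
  def disallowed_placeholders
    @text.scan(PLACEHOLDER).reject { |obj, attr| ALLOWED.fetch(obj, []).include?(attr) }
  end

  def valid?
    disallowed_placeholders.empty?
  end

  # Substitute allowed placeholders with the object's attribute value.
  # Unknown placeholders raise rather than silently expanding.
  def render(objects)
    @text.gsub(PLACEHOLDER) do
      obj_name = Regexp.last_match(1)
      attr     = Regexp.last_match(2)
      unless ALLOWED.fetch(obj_name, []).include?(attr)
        raise UnknownPlaceholder, "#{obj_name}.#{attr} is not an allowed placeholder"
      end
      obj = objects.fetch(obj_name) { raise UnknownPlaceholder, "no object named #{obj_name}" }
      # attr is whitelisted above, so public_send is bounded to known readers.
      obj.public_send(attr).to_s
    end
  end
end

# A benign template next to a hostile one containing the thread's
# "#{User.delete_all}" payload (single-quoted, so Ruby never interpolates it).
def demo
  user = User.new('Ada', '[email protected]', 'not-for-templates')  # constructed sample data
  good = SafeTemplate.new('Hello {{user.name}}! This is an email')
  evil = SafeTemplate.new('Hello {{user.password_digest}} #{User.delete_all}')
  {
    good: good.render('user' => user),
    good_valid: good.valid?,
    evil_valid: evil.valid?,
    evil_disallowed: evil.disallowed_placeholders
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The design point is that the template language is deliberately not Turing-complete: the regex is the whole grammar, the allow-list is the whole API surface, and validation happens at save time rather than at send time, so an administrator cannot store a template that would later fail or leak an attribute.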