instance, one of my pages has an image_tag helper method in it that doesn’t work.
You could try messing with render :inline, or I suppose call Erb directly.
Is this a secure way to do this? Am I creating a security vulnerability by organizing my content this way?
Well the user could upload <% system("rm -rf/") %> or <% ActiveRecord::Base.connection.execute("delete all from foos") %> so no, not very safe.
You might be interested in liquid (http://www.liquidmarkup.org/), a templating language that was designed with that sort of problem in mind.
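To make Fred's point concrete, here is an added example (not code from this thread, and not Liquid itself) using only Ruby's standard library: ERB executes whatever Ruby a user puts inside `<% %>`, whereas a restricted template language only lets placeholders read from an explicit allow-list of values. The `render_safe` function is a deliberately minimal stand-in for the principle behind Liquid, not a replacement for the gem.

```ruby
require "erb"
require "cgi"

# ERB evaluates any Ruby inside <% %> with the caller's binding. The
# payload here is harmless (6 * 7), but it could just as easily be the
# system() or SQL call mentioned above; that is why user-uploaded ERB
# is unsafe no matter who is logged in.
def render_erb(template, name)
  ERB.new(template).result(binding)
end

# Minimal "safe" renderer (hypothetical, for illustration): only
# {{ key }} placeholders are substituted, values come from an explicit
# hash, and each value is HTML-escaped. No code is ever evaluated, and
# unknown keys render as empty strings rather than raising.
SAFE_PLACEHOLDER = /\{\{\s*([a-z_]+)\s*\}\}/

def render_safe(template, vars)
  template.gsub(SAFE_PLACEHOLDER) do
    key = Regexp.last_match(1)
    vars.key?(key) ? CGI.escapeHTML(vars[key].to_s) : ""
  end
end

# Defensive check to run at upload time: reject anything containing an
# ERB tag so the content can never reach ERB by accident later.
def contains_erb_tag?(template)
  template.include?("<%")
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample page mixing a placeholder and an ERB tag.
  page = "Hello {{ name }}, the answer is <%= 6 * 7 %>"
  puts render_erb(page, "Bob")                    # ERB ran the Ruby: "... is 42"
  puts render_safe(page, "name" => "<b>Bob</b>") # escaped name, ERB tag left inert
  puts contains_erb_tag?(page)                    # true: this upload should be refused
end
```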
Thanks, Fred. The ability to edit the SQL is behind a hashed login. So the set of users looking at this would not type in something like that. Although I suppose even leaving that possibility open isn’t a good practice.
Liquid markup looks really interesting. I’ll have to try that out.