Forum: Ruby on Rails ERB templates in the database

fredd (Guest)
on 2009-03-18 18:38
(Received via mailing list)
Hi, I am currently developing a small CMS in Rails. I decided recently
that I need to store both the content and the presentation template in
the database for flexibility. The system is based heavily on content
blocks and I need different templates for the same content block in
different contexts. Does anyone have good advice on how to solve that
technically? I know how to render an ERB template inline, but how do I
solve things like protecting some methods on objects like "destroy"
and so on? I have looked into other template languages that offer some
degree of protection like Radius and Liquid, but I like the fact that
ERB is bundled with Ruby and Rails already uses it, why reinvent the
wheel?

Cheers
Fredrik
Richard Mcintyre (mackstar)
on 2009-03-19 06:10
(Received via mailing list)
I see what you are saying, but I question whether storing ERB templates
in the DB would eventually become less flexible at some point in the
future?

I can see why it could and why it couldn't...

Would using partials separated into directories by namespace not
work?

I guess this depends on how many templates you are looking at... Have
you tried a prototype of a DB-driven one? What were your results?

You could always have the DB output to files in the rails system on
demand? Maybe you write a model that doesn't write to DB but instead
outputs to create the ERB files in the rails application's view
folder...

Sorry maybe not so much help, but if it was me I would try the last
option...

I would also try and avoid the need for this as much as possible by
good usage of layouts and css which I am currently using on a CMS
system...
Frederick Cheung (Guest)
on 2009-03-19 11:45
(Received via mailing list)
On Mar 18, 5:24 pm, fredd <fredrik.marten...@gmail.com> wrote:
> wheel.
Because ERB is not designed to be safe and Liquid is. You'll have a
really hard time preventing people doing bad stuff from ERB. I've
never really seen Rails apps use Ruby's safe levels and at least for C
Ruby there's not really a production-ready sandbox that you could use.
Why reinvent the wheel trying to make ERB safe when people have
already come up with things like Liquid?

Fred
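
The difference described in the post above, as an added example that is not part of the original thread: a stored ERB template runs as Ruby and can call `destroy`, while a template treated as data can only read allow-listed attributes. `ContentBlock`, `render_restricted` and the `{{ block.name }}` syntax are hypothetical stand-ins; the restricted renderer is a minimal allow-list substitution, not Liquid itself.

```ruby
require 'erb'

# Constructed stand-in for a model-backed content block (hypothetical class).
class ContentBlock
  attr_reader :title, :body, :destroyed

  def initialize(title, body)
    @title = title
    @body = body
    @destroyed = false
  end

  # Stands in for ActiveRecord's destroy; only flips a flag here.
  def destroy
    @destroyed = true
  end
end

# A template as it might be stored in the database (constructed sample).
STORED_ERB = '<h1><%= block.title %></h1><% block.destroy %>'

# ERB compiles the stored text to Ruby and runs it, so the template can
# call any method reachable from the objects it is handed.
def render_erb(source, block)
  ERB.new(source).result_with_hash(block: block)
end

# Restricted form: the template is data. Only {{ block.<name> }} is
# recognised, and <name> must be on the allow-list.
ALLOWED_ATTRIBUTES = { 'title' => :title, 'body' => :body }.freeze

def render_restricted(source, block)
  source.gsub(/\{\{\s*block\.(\w+)\s*\}\}/) do
    name = Regexp.last_match(1)
    reader = ALLOWED_ATTRIBUTES[name]
    raise ArgumentError, "attribute not allowed: #{name}" unless reader

    ERB::Util.html_escape(block.public_send(reader))
  end
end
```
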
fredd (Guest)
on 2009-03-24 18:40
(Received via mailing list)
Thanks for the replies! I am slow to respond due to vacation and
stuff :)

It definitely sounds like a good idea to have the model output ERB
templates into the file system, I will look into that. But maybe ERB
is not safe to use at all if you want the users to alter the templates
on the fly (like in my cms). I think I have to look into Liquid and
Radius a bit more. The thing I have against it though is that you have
to re-implement common view helpers. I also think it's quite hard to
do control structures in these languages.
Kris Leech (krisleech)
on 2009-07-08 13:15
I've been looking into rendering safe templates recently. There are a
few options I have been exploring...

1.) JRuby Sandbox
- There is a recent video presentation knocking about that is worth
checking (I couldn't find it via Google)

2.) Safemode http://github.com/svenfuchs/safemode/tree/master
- I recently spoke to Sven and he is picking the project back up shortly

Personally I would like to allow designers to FTP up templates which are
rendered in a safe manner.



PS. My email address has changed; add a dot between first/last names.