
Safe views

Open raphaelcosta opened this issue 11 years ago • 2 comments

Is it possible to implement safe views like Tache? https://github.com/thelucid/tache/blob/master/lib/tache/safe.rb

raphaelcosta · Jun 24 '14 19:06

Can you explain what this feature is?

jimsynz · Jun 24 '14 23:06

Tache's safe views prevent you from being able to do this:

require 'tilt'
require 'ostruct'
require 'flavour_saver'  # provides the 'handlebars' Tilt template

template = Tilt['handlebars'].new { "Hello {{planet.inspect}}" }
data = OpenStruct.new planet: 'World'
template.render data
# => "Hello #<FlavourSaver::Helpers::Decorator:0x007fe1ecccf4b8 @source=\"World\">"

This is done so templates can "be edited by end users, without the risk jeopardising your application's security...calls to potentially destructive methods such as 'eval' or 'destroy' are ignored."

Though I'm not sure how you could get an eval from a template. In its current state, are FlavourSaver templates safe to be edited by end users?

christiangenco · Jan 30 '15 21:01
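As an added illustration of the allow-list idea behind Tache's safe views (example code written for this page, not FlavourSaver's or Tache's implementation; `SafeView`, `Account` and `SCHEMA` are made-up names): a template can only read names the application declares, so `{{planet.inspect}}` and `{{account.destroy}}` render as empty strings instead of calling the method.

```ruby
require 'cgi'
require 'ostruct'

# Added example (not FlavourSaver's or Tache's code): a minimal "safe view"
# resolver. The application declares, per object, which names a template may
# read: a leaf is `true`, a nested object is another Hash. Any other name a
# template asks for (inspect, eval, send, destroy, ...) resolves to nothing.
module SafeView
  EXPRESSION = /\{\{\s*([\w.]+)\s*\}\}/

  # Walk a dotted path such as "account.name" through the allow-list. Returns
  # nil unless every segment is allow-listed and the path ends on a leaf.
  def self.resolve(root, path, allowed)
    object = root
    path.split('.').each do |segment|
      # A leaf (true) has no children, so "planet.inspect" is rejected here
      # even though "planet" itself is allowed; unknown names are rejected too.
      return nil unless allowed.is_a?(Hash) && allowed.key?(segment)
      return nil unless object.respond_to?(segment)
      object = object.public_send(segment)
      allowed = allowed[segment]
    end
    # A path that stops on a nested object ("{{account}}") would render its
    # #to_s and leak internals, so only leaves are rendered.
    allowed == true ? object : nil
  end

  # Substitute every {{path}} with its resolved, HTML-escaped value; unknown
  # or disallowed paths render as an empty string.
  def self.render(template, data, allowed)
    template.gsub(EXPRESSION) do
      value = resolve(data, Regexp.last_match(1), allowed)
      value.nil? ? '' : CGI.escapeHTML(value.to_s)
    end
  end
end

# Constructed sample data: a record whose #destroy must never run from a template.
class Account
  attr_reader :name, :destroyed
  def initialize(name)
    @name = name
    @destroyed = false
  end

  def destroy
    @destroyed = true
  end
end

SCHEMA = { 'planet' => true, 'account' => { 'name' => true } }.freeze
DATA = OpenStruct.new(planet: 'World', account: Account.new('Ada'))
```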