Your script/console line shouldn't run the silent script. It doesn't on 
my computer. What version of Haml are you using?

- Nathan

jbc wrote:
> So, I was thinking of using haml as the actual markup language for the
> wiki-like-thing I'm building in rails. The syntax is simple and
> beautiful, and encourages people to use css styling rather than trying
> to do it by hand - which is good.
>
> But of course, I don't want people doing Bad Things in evaled code. In
> fact, I don't want them to do *anything*.
>
> So, I had thought that
>
> <in app/views/thing/show.haml>
> #postbody= Haml::Engine.new(@post.body, :suppress_eval => true).render
>
> would do the trick.
>
> But lo, basic testing from script/console would seem to put the lie to
> that:
>
> Haml::Engine.new('-  puts File.read "/home/me/myApp/app/controllers/thing_controller.rb"', :suppress_eval => true).render
> => "class ThingController < ApplicationController\n...
>
> This is bad.
>
> How am I fundamentally misunderstanding the meaning of "suppress
> eval"? What *does* it do?
>
> Apart from some tortuous gsubbing, is there no way to render the thing
> user-safe?
>


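A way to settle the question independently of which Haml version is installed, added here as a worked example (it is neither code from this thread nor part of Haml): the first function feeds a handful of hostile templates through whatever Haml is installed with :suppress_eval => true and reports which of them actually executed Ruby, observed through a global flag the templates set rather than through File.read; the second is an allow-list pre-check that refuses a template outright if any line can reach Ruby (silent script, script, interpolation, the :ruby/:erb filters, dynamic attribute hashes and object references), so the decision does not rest on what :suppress_eval happens to do in a given release. The probe assumes the Haml::Engine.new(template, options).render API and the :suppress_eval option as they exist in Haml 3 through 5 and reports that the API is unavailable otherwise; HOSTILE_TEMPLATES, SAFE_TEMPLATE, the $probe_hit flag and the function names are mine, and the list of Ruby-reaching constructs is my reading of the Haml syntax, not a list Haml publishes.

```ruby
# Added example (not from the thread, not Haml's own code): two checks for
# rendering user-supplied Haml.
#
#   probe_suppress_eval - feeds hostile templates through the installed Haml
#                         with :suppress_eval => true and records which ones
#                         actually executed Ruby. Assumes the Haml 3-5 API
#                         (Haml::Engine.new(src, opts).render); on anything
#                         else it reports :haml_engine_render_unavailable.
#   ruby_reaching_lines - a pre-check that flags every line that can reach
#                         Ruby evaluation, so the verdict does not depend on
#                         what :suppress_eval does in your Haml version.

# Constructed hostile templates. Each one's side effect is setting a global
# flag rather than reading a real file, so the probe can observe execution.
HOSTILE_TEMPLATES = {
  silent_script: "- $probe_hit = :silent_script",
  script:        "= ($probe_hit = :script)",
  tag_script:    "%p= ($probe_hit = :tag_script)",
  interpolation: "hello \#{$probe_hit = :interpolation}",
  ruby_filter:   ":ruby\n  $probe_hit = :ruby_filter",
  dynamic_attrs: "%p{:class => ($probe_hit = :dynamic_attrs)} text",
}.freeze

# Constructed benign template: tags, classes/ids, plain text, a Haml comment.
SAFE_TEMPLATE = "#postbody\n  %h1 Title\n  %p.note Plain text, no Ruby here.\n  -# a Haml comment\n".freeze

# True only when the pre-Haml-6 Engine#render API is loadable.
def haml_engine_available?
  require 'haml'
  !!(defined?(Haml::Engine) && Haml::Engine.method_defined?(:render))
rescue LoadError
  false
end

# Render each hostile template with :suppress_eval => true and report whether
# its Ruby ran ($probe_hit set) and what, if anything, came out.
def probe_suppress_eval(templates = HOSTILE_TEMPLATES)
  return :haml_engine_render_unavailable unless haml_engine_available?
  templates.each_with_object({}) do |(name, src), report|
    $probe_hit = nil
    begin
      output = Haml::Engine.new(src, :suppress_eval => true).render
      report[name] = { executed: !$probe_hit.nil?, output: output }
    rescue StandardError => e
      report[name] = { executed: !$probe_hit.nil?, error: e.class.name }
    end
  end
end

# Leading tag spec: %tag, .class, #id, chained in any order.
TAG_PREFIX = /\A(?:[%.#][\w:-]+)+/

# Kind of Ruby-reaching construct on one left-stripped line, or nil if the
# line cannot evaluate Ruby. Deliberately conservative: static-looking
# attribute hashes and escaped "\#{" are flagged too, because a miss costs
# far more than a false positive here.
def classify(line)
  return nil if line.empty? || line.start_with?('-#')    # Haml comment
  return :silent_script if line.start_with?('-')         # "- code"
  return :eval_filter if line =~ /\A:(?:ruby|erb)\b/     # filters that run Ruby
  tag = line.match(TAG_PREFIX)
  rest = tag ? tag.post_match : line
  return :dynamic_attributes if tag && rest =~ /\A[\[{(]/ # %p{..} %p(..) %p[obj]
  return :script if rest =~ /\A(?:[&!]?=|~)/             # "=", "!=", "&=", "~"
  return :interpolation if line.include?('#{')           # "#{code}" in text
  nil
end

# [[line_no, kind, text], ...] for every line that could reach Ruby.
def ruby_reaching_lines(template)
  findings = []
  template.each_line.with_index(1) do |raw, no|
    kind = classify(raw.chomp.lstrip)
    findings << [no, kind, raw.chomp] if kind
  end
  findings
end

# Only hand a template to Haml::Engine when nothing in it can reach Ruby.
def safe_to_render?(template)
  ruby_reaching_lines(template).empty?
end

if __FILE__ == $PROGRAM_NAME
  puts "suppress_eval probe: #{probe_suppress_eval.inspect}"
  HOSTILE_TEMPLATES.each do |name, src|
    puts format('%-14s flagged=%s', name, !safe_to_render?(src))
  end
  puts "benign template safe: #{safe_to_render?(SAFE_TEMPLATE)}"
end
```

Run it as a script to print the probe report and the scanner verdicts, or call safe_to_render?(@post.body) in the view before constructing the engine. A flagged template should be rejected or shown as plain text rather than rewritten: patching hostile input with gsub is easy to get wrong, and the allow-list check leaves nothing for the compiler to evaluate whether or not :suppress_eval behaves as documented in the installed version.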
You received this message because you are subscribed to the Google Groups 
"Haml" group.
For more options, visit this group at http://groups.google.com/group/haml?hl=en
