As of r606, Haml trunk caches templates based on options as well as the
template text.
- Nathan
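To make the cache-keying bug concrete, here is an added toy model (not Haml's code, and not from anyone in this thread) of a template cache. It only classifies lines, never evaluates anything: a line starting with `-` or `=` becomes a `[:script, code]` instruction unless `:suppress_eval` is set, in which case it is dropped. The class name `ToyTemplateCache`, the `key_on_options:` switch and the sample template are all assumptions for illustration. With the key built from the template text alone, a second render of the same text with `:suppress_eval => true` gets the compiled template from the earlier, unrestricted render back, which is exactly the stale-cache behaviour described above; keying on text plus options is the fix.

```ruby
# Added example (not Haml's own code): a toy template cache showing why keying
# on template text alone lets a later render with :suppress_eval => true reuse
# a compiled template that still carries script.
#
# "Compiling" here only classifies each line; nothing is eval'd. A line
# beginning with "-" (silent script) or "=" (inserted script) becomes a
# [:script, code] instruction unless :suppress_eval is set, in which case it
# is dropped, mirroring the option's stated purpose.
class ToyTemplateCache
  def initialize(key_on_options:)
    @key_on_options = key_on_options   # assumption: switch between the two keying schemes
    @store = {}
  end

  # Returns the compiled instruction list, compiling only on a cache miss.
  def fetch(text, options = {})
    key = @key_on_options ? [text, options] : text
    @store[key] ||= compile(text, options)
  end

  def size
    @store.size
  end

  private

  def compile(text, options)
    suppress = options.fetch(:suppress_eval, false)
    text.lines.map(&:chomp).filter_map do |line|
      stripped = line.lstrip
      if stripped.start_with?('-', '=')
        next nil if suppress                 # script line discarded under :suppress_eval
        [:script, stripped[1..].strip]
      else
        [:text, line]
      end
    end
  end
end

# True when the compiled template would execute Ruby at render time.
def runs_script?(compiled)
  compiled.any? { |kind, _| kind == :script }
end

# Reproduces the thread's scenario: the same template text rendered first
# without :suppress_eval (trusted), then with it (untrusted). Returns whether
# the second, supposedly safe, render still carries script.
def stale_cache_leaks_script?(key_on_options:)
  cache = ToyTemplateCache.new(key_on_options: key_on_options)
  # constructed sample template; the script line stands in for any user-supplied Ruby
  template = "#postbody\n  - puts File.read 'secret.rb'\n  %p hello"
  cache.fetch(template, suppress_eval: false)         # trusted render populates the cache
  later = cache.fetch(template, suppress_eval: true)  # untrusted render, identical text
  runs_script?(later)
end

if __FILE__ == $PROGRAM_NAME
  puts "text-only key leaks script:    #{stale_cache_leaks_script?(key_on_options: false)}"
  puts "text+options key leaks script: #{stale_cache_leaks_script?(key_on_options: true)}"
end
```

The defensive takeaway is the same one the fix in r606 applies: any cache in front of a compile step has to include every option that changes what the compiled artifact may do, otherwise a restrictive option set can be silently satisfied by an artifact built under a permissive one.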
jbc wrote:
> Awesome!
>
> Thanks - it's really appreciated.
>
> On Sep 19, 8:33 am, Nathan Weizenbaum <[EMAIL PROTECTED]> wrote:
>
>> I think I see the issue. Haml caches templates so that it can render the
>> same template multiple times more efficiently. However, changing the
>> options /does not/ clear the cache; thus, if you've already run a
>> template with :suppress_eval not set, and then you run it again with
>> :suppress_eval set, it won't work. This is a bug; I'll work on fixing it.
>>
>> This does mean, though, that you're safe to use :suppress_eval to take
>> user input. The only way they'll be able to execute code is if they
>> insert a string identical to one of your server-side templates, and
>> then it shouldn't be able to do any harm.
>>
>> - Nathan
>>
>> jbc wrote:
>>
>>> % less vendor/plugins/stable/VERSION
>>> 1.7.1
>>>
>>> There's definitely something very weird going on - I might try
>>> reinstalling the plugin.
>>>
>>>>> Haml::Engine.new("- puts 'hello'", :suppress_eval => true).render
>>>>>
>>> => ""
>>>
>>>>> Haml::Engine.new("- puts 'hello'", :suppress_eval => false).render
>>>>>
>>> => ""
>>> (the File.Read line was from the same session)
>>>
>>>>> Haml::Engine.new("= puts 'hello'*3", :suppress_eval => false).render
>>>>>
>>> => "hellohellohello\n\n"
>>>
>>>>> Haml::Engine.new("= puts 'hello'*3", :suppress_eval => true).render
>>>>>
>>> => "hellohellohello\n\n"
>>>
>>> And the haml tests ran with no errors.
>>>
>>> If this is not expected behaviour, then at least I'm not going
>>> insane.
>>>
>>> I'm something of a rails noob, btw, so I can easily be missing
>>> something terribly obvious.
>>>
>>> (also, is it meant to sit under plugins/stable? Seems odd...)
>>>
>>> Thanks for the help!
>>>
>>> On Sep 19, 1:40 am, Nathan Weizenbaum <[EMAIL PROTECTED]> wrote:
>>>
>>>> Your script/console line shouldn't run the silent script. It doesn't on
>>>> my computer. What version of Haml are you using?
>>>>
>>>> - Nathan
>>>>
>>>> jbc wrote:
>>>>
>>>>> So, I was thinking of using haml as the actual markup language for the
>>>>> wiki-like-thing I'm building in rails. The syntax is simple and
>>>>> beautiful, and encourages people to use css styling rather than trying
>>>>> to do it by hand - which is good.
>>>>>
>>>>> But of course, I don't want people doing Bad Things in evaled code. In
>>>>> fact, I don't want them to do *anything*.
>>>>>
>>>>> So, I had thought that
>>>>>
>>>>> <in app/views/thing/show.haml>
>>>>> #postbody= Haml::Engine.new(@post.body, :suppress_eval => true)
>>>>>
>>>>> would do the trick.
>>>>>
>>>>> But lo, basic testing from script/console would seem to put the lie to
>>>>> that:
>>>>>
>>>>> Haml::Engine.new('- puts File.read "/home/me/myApp/app/controllers/
>>>>> thing_controller.rb"', :suppress_eval => true).render
>>>>> => "class ThingController < ApplicationController\n...
>>>>>
>>>>> This is bad.
>>>>>
>>>>> How am I fundamentally misunderstanding the meaning of "suppress
>>>>> eval"? What *does* it do?
>>>>>
>>>>> Apart from some tortuous gsubbing, is there no way to render the thing
>>>>> user-safe?
>>>>>
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Haml" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/haml?hl=en
-~----------~----~----~----~------~----~------~--~---