I want to build a system where I can let users write templates that allow read access to Rails objects within and then send these templates out to customers via email. The problem I'm having is that through my tests, it's become obvious that this can create a security risk.
Example: A customer could put text into their template such as: @customers = Customer.find(:all) @customers.each do |c| c.destroy end inside the ERB template and when I call it to render the results like this: # Render Template @text = ERB.new(lbt.body_content).result(binding) It will execute the above command and erase all the customers from the database. All I really want people to be able to do is parse variables I hand into the template, not actually load Rails objects and make changes. That way I can specify and pre-populate what they have access to and plug that security issue. Does any one know the best way to do this? I'm assuming there are other ERB command I can use to render, but I can't seem to find it. Thanks - Jesse -- Posted via http://www.ruby-forum.com/. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---