can I store haml code in the database?


Patrick Aljord

Oct 3, 2007, 9:06:01 AM
to ha...@googlegroups.com
is it possible to store some haml code in the database and then
display it in a view?

Mislav Marohnić

Oct 3, 2007, 10:08:52 AM
to ha...@googlegroups.com
On 10/3/07, Patrick Aljord <pat...@gmail.com> wrote:

> is it possible to store some haml code in the database and then
> display it in a view?

For sure. You have to render the code manually, though:
  engine = Haml::Engine.new("%p Haml code!")
  engine.render
  #=> "<p>Haml code!</p>\n"
(copy/paste from http://haml.hamptoncatlin.com/docs/haml)

Jeff Casimir

Oct 3, 2007, 10:15:14 AM
to ha...@googlegroups.com
One of these days when I get my task list down I want to implement a
way to sandbox the HAML rendering so you could allow users to
write/store/render HAML views without risk to the underlying data &
system.

- Jeff

Patrick Aljord

Oct 3, 2007, 4:18:29 PM
to ha...@googlegroups.com
On 10/3/07, Jeff Casimir <je...@casimircreative.com> wrote:
> One of these days when I get my task list down I want to implement a
> way to sandbox the HAML rendering so you could allow users to
> write/store/render HAML views without risk to the underlying data &
> system.
>

what risks are there?

Jeff Casimir

Oct 3, 2007, 4:24:57 PM
to ha...@googlegroups.com
Such as...

%h1 Innocently Printing...
%p
  HAML is Great...and now for destruction!
  = "KaBLAM!" if User.find(:all).each{|u| u.destroy}

On 10/3/07, Patrick Aljord <pat...@gmail.com> wrote:
>

Mislav Marohnić

Oct 3, 2007, 5:04:42 PM
to ha...@googlegroups.com
On 10/3/07, Jeff Casimir <je...@casimircreative.com> wrote:

> Such as...
>
> %h1 Innocently Printing...
> %p
>   HAML is Great...and now for destruction!
>   = "KaBLAM!" if User.find(:all).each{|u| u.destroy}

And even if you don't use Rails, users can -- through Ruby code -- gain access to your system.

If you allow users to edit and store Haml templates on your site, always use suppress_eval when rendering those templates.
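
The control Mislav recommends, with Jeff's template from earlier in the thread as the test input. This is an added example, not code from the thread or from the Haml project: a small Ruby check run before a user-supplied template is stored, which flags every Haml construct that causes Ruby to be evaluated (script lines, tag-level `=` and attribute hashes, `#{}` interpolation, the :ruby and :erb filters), plus a render helper that passes suppress_eval. The `Haml::Engine.new(src, options)` call and the `:suppress_eval` / `:escape_html` option names are assumed to match Haml 5 and earlier (Haml 6 dropped :suppress_eval); the scanner itself needs no gem. The sample templates are constructed for the example.

```ruby
# Pre-storage gate for user-supplied Haml. Constructed example; it
# complements rendering with :suppress_eval => true, it does not replace it.

# Each pattern marks a Haml construct whose content is evaluated as Ruby.
# Lines are matched after stripping indentation.
RUBY_EVAL_PATTERNS = {
  # "= expr", "- stmt", "~ expr", "!= expr", "&= expr"; "-#" is a Haml comment, not code
  script:        /\A(?:!=|&=|=|-(?!#)|~)/,
  # %p= expr, %p{:attr => expr}, %p(attr=expr), %p[object]
  tag_script:    /\A[%.#][\w.#-]*(?:\{|\(|\[|!=|&=|=|~)/,
  # #{expr} in plain text, tag text or filter bodies; "\#{" is a literal
  interpolation: /(?<!\\)#\{/,
  # filters whose whole body is Ruby or ERB
  code_filter:   /\A:(?:ruby|erb)\b/,
}.freeze

# Returns [[line_number, kind], ...] for every line that would evaluate Ruby.
# One finding per line is enough to reject the template, so scanning stops
# at the first matching pattern for that line.
def ruby_eval_findings(haml_source)
  findings = []
  haml_source.each_line.with_index(1) do |raw, lineno|
    line = raw.strip
    RUBY_EVAL_PATTERNS.each do |kind, re|
      if line.match?(re)
        findings << [lineno, kind]
        break
      end
    end
  end
  findings
end

# True when the template contains no construct that evaluates Ruby.
def safe_to_store?(haml_source)
  ruby_eval_findings(haml_source).empty?
end

# Render options for Haml 5 and earlier (assumed API). :suppress_eval turns
# every script and attribute hash into an empty string; :escape_html keeps
# stored plain text from injecting markup into the surrounding page.
SAFE_RENDER_OPTIONS = { suppress_eval: true, escape_html: true }.freeze

# Render a stored template with evaluation suppressed. Loads the haml gem
# only when called, so the scanner above works without it.
def render_untrusted(haml_source)
  require 'haml'
  Haml::Engine.new(haml_source, SAFE_RENDER_OPTIONS).render
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: Jeff's template from the thread.
  sample = <<~HAML
    %h1 Innocently Printing...
    %p
      HAML is Great...and now for destruction!
      = "KaBLAM!" if User.find(:all).each{|u| u.destroy}
  HAML
  ruby_eval_findings(sample).each { |n, kind| puts "line #{n}: #{kind}" }
  # prints: line 4: script
end
```

The scanner is deliberately conservative: a line starting with `-` inside a :plain or :javascript filter body is flagged even though Haml would not run it, so treat a finding as "reject or review" rather than as proof of intent. It is a defence in depth over a line-oriented regex, not a Haml parser, which is why suppress_eval stays on at render time regardless of what the scanner said when the template was saved.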

Nathan Weizenbaum

Oct 3, 2007, 8:06:19 PM
to ha...@googlegroups.com
Or use the freaky freaky sandbox: http://code.whytheluckystiff.net/sandbox/.

- Nathan

Mislav Marohnić wrote:
> On 10/3/07, *Jeff Casimir* <je...@casimircreative.com
