| CARVIEW |
Every repository with this icon (
) is private.
Every repository with this icon (
) is public.
| Description: | A library for safe evaluation of Ruby code based on ParseTree/RubyParser and Ruby2Ruby. Provides Rails ActionView template handlers for ERB and Haml. |
| Homepage: | https://www.artweb-design.de |
| Clone URL: |
git://github.com/svenfuchs/safemode.git
Give this clone URL to anyone.
git clone git://github.com/svenfuchs/safemode.git
|
| Search Repo: |
| name | age | message | |
|---|---|---|---|
 |
LICENCSE | Tue Apr 29 06:41:54 -0700 2008 | Initial commit [svenfuchs] |
| |
README.markdown | Tue Apr 29 07:59:42 -0700 2008 | Markdown formatting in README [svenfuchs] |
| |
demo.rb | Tue Apr 29 06:41:54 -0700 2008 | Initial commit [svenfuchs] |
| |
init.rb | Sat May 03 09:48:05 -0700 2008 | patch ActionView to allow conditional template ... [svenfuchs] |
 |
lib/ | Sat May 03 12:28:41 -0700 2008 | add optional parameters filename and line to Sa... [svenfuchs] |
| |
test/ | Tue Apr 29 06:41:54 -0700 2008 | Initial commit [svenfuchs] |
Safemode
A library for safe evaluation of Ruby code based on ParseTree/RubyParser and Ruby2Ruby. Provides Rails ActionView template handlers for ERB and Haml.
Word of warning
This library is still highly experimental. Only use it at your own risk for anything beyond experiments and playing.
That said, please *do* play with it, read and run the unit tests and provide feedback to help make it waterproof and finally suitable for serious purposes.
Usage
For manual evaluation of Ruby code and ERB templates see demo.rb
You can use the ActionView template handlers by registering them, e.g., in a config/initializer file like so:
# in config/intializer/safemode_tempate_handlers.rb
ActionView::Base.register_template_handler :serb, ActionView::TemplateHandlers::SafeErb
ActionView::Base.register_template_handler :haml, ActionView::TemplateHandlers::SafeHaml
If you register the ERB template handler for the file extension :erb be aware that this most probably will break when your application tries to render an error message in development mode (because Rails will try to use the handler to render the error message itself).
You will then have to "whitelist" all method calls to the objects that are registered as template variables by explicitely allowing access to them. You can do that by defining a Safemode::Jail class for your classes, like so:
class User
class Jail < Safemode::Jail
allow :name
end
end
This will allow your template users to access the name method on your User objects.
For more details about the concepts behind Safemode please refer to the following blog posts until a more comprehensive writeup is available:
- Initial reasoning: https://www.artweb-design.de/2008/2/5/sexy-theme-templating-with-haml-safemode-finally
- Refined concept: https://www.artweb-design.de/2008/2/17/sending-ruby-to-the-jail-an-attemp-on-a-haml-safemode
- ActionView ERB handler: https://www.artweb-design.de/2008/4/22/an-erb-safemode-handler-for-actionview
Dependencies
Requires the gems:
- either ParseTree or RubyParser
- Ruby2Ruby
RubyParser has the advantage of being pure Ruby and not having any further system dependencies while ParseTree is is a C extension that uses RubyInline.
As of writing RubyParser alters StringIO and thus breaks usage with Rails. See https://www.zenspider.com/pipermail/parsetree/2008-April/000026.html
A patch is included that fixes this issue and can be applied to RubyParser. See lib/ruby_parser_string_io_patch.diff
Credits
- Sven Fuchs - Maintainer
- Peter Cooper
This code and all of the Safemode library's code was initially written by Sven Fuchs to allow Haml to have a safe mode. It was then modified and re-structured by Peter Cooper and Sven Fuchs to extend the idea to generic Ruby eval situations.
