No commit activity in last 3 years
No release in over 3 years
Process ERB fragments in a String according to a variables hash; no external variables are visible to ERB, and the safe level and untainting of the string can be set
 Project Readme

string_parse_erb

Say you are designing a CMS and want to replace placeholders inside an item's content with external values.

Of course, you can use regular expressions and friends for the task.

But why not use the power of the ERB engine instead?

Allowing ERB fragments inside your content opens up a wide array of possibilities: all of a sudden you have the power of Ruby inside your content, not just variable replacement but conditionals, loops and so on.

The downside of this is security…

  • You wouldn't want to process an item's content that contains something like:

    "The time now is <%= time %>. Say bye bye... <% system('shutdown -r now') %>"

    While 'time' may be a legitimate variable to use inside the item's template, calling #system should definitely be forbidden.

  • You would also like to limit the 'binding' object passed to ERB so that it includes only the variables you wish to expose, and not every variable that happens to be in the program's context.

The solution taken by this gem is very simple (and so may not be perfect) and is discussed in posts such as: stackoverflow.com/questions/3619516/how-do-you-mark-a-ruby-binding-as-trusted

Note that the first protection rests on Ruby's $SAFE mechanism, which no longer exists in that form: $SAFE level 4 was removed in Ruby 2.1, the safe_level argument of ERB.new has been deprecated since Ruby 2.6, and since Ruby 3.0 $SAFE is an ordinary global variable with no effect. On a current Ruby the gem's restricted binding hides your program's variables from the template, but the template is still compiled into Ruby code and can reach anything accessible from Object, including #system. Treat templates as code: only render templates written by trusted authors, or fall back to plain placeholder substitution for untrusted content.

Installation

  • gem install string_parse_erb

  • include or extend the StrParseErb module

  • call string_parse_erb(template, var_hash, safe_level=4), where:

    • template - a string containing ERB fragments

    • var_hash - a hash of variables and their values to be exposed to the template

    • safe_level (defaults to 4) - the Ruby $SAFE level under which ERB will operate

Examples

  string_parse_erb(
    "Good <%= part_of_day %>, the time is <%= time %>.",
    {:part_of_day => "morning", :time => "six o'clock"}
  )
  # => "Good morning, the time is six o'clock."

  string_parse_erb("<%= abort %>", {})
  # => Raises SecurityError

The SecurityError in the second example comes from running ERB under $SAFE level 4, so it only occurs on Rubies older than 2.1; on later Rubies the restricted binding alone does not prevent the call.
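The following is an added example, not code from the string_parse_erb gem. It implements the restricted-binding technique described above (a binding whose self exposes only the hash keys and carries no caller locals), shows what that binding does and does not protect against on a Ruby without $SAFE, and contrasts it with a placeholder-only substitution that is safe for templates from untrusted authors. The function names (restricted_binding, render_restricted, leaks_local?, substitute_placeholders) and the sample values are assumptions made for this example.

```ruby
require "erb"

# Added example: not the string_parse_erb gem's own code. Demonstrates the
# restricted-binding technique from the README, its limits on a Ruby without
# $SAFE, and a placeholder-only substitution for untrusted templates.

# Build a Binding whose self exposes only the keys of +vars+ as methods and
# carries no local variables from the caller.
def restricted_binding(vars)
  ctx = Object.new
  vars.each do |name, value|
    ctx.define_singleton_method(name.to_sym) { value }
  end
  # String-form instance_eval: the Binding it returns has no locals. The block
  # form (ctx.instance_eval { binding }) would capture +vars+ and +ctx+.
  ctx.instance_eval("binding")
end

# Render ERB fragments against the restricted binding. The template is still
# compiled to Ruby, so only use this with templates from trusted authors.
def render_restricted(template, vars)
  ERB.new(template).result(restricted_binding(vars))
end

# True if a caller-local variable called +name+ is visible to the template.
# Used to confirm that the binding does not leak program state.
def leaks_local?(name)
  secret_value = "not for templates" # hypothetical sensitive local
  render_restricted("<%= #{name} %>", {}).include?(secret_value)
rescue NameError
  false
end

# For untrusted templates: substitute only <%= identifier %> where the
# identifier is a key of +vars+, and reject any other ERB tag instead of
# executing it.
PLACEHOLDER = /<%=\s*([A-Za-z_]\w*)\s*%>/
ANY_ERB_TAG = /<%.*?%>/m

def substitute_placeholders(template, vars)
  allowed = vars.transform_keys(&:to_sym)
  out = template.gsub(PLACEHOLDER) do
    key = Regexp.last_match(1).to_sym
    raise KeyError, "unknown placeholder: #{key}" unless allowed.key?(key)
    allowed[key].to_s
  end
  if (tag = out[ANY_ERB_TAG])
    raise ArgumentError, "template contains ERB code, not a placeholder: #{tag}"
  end
  out
end

if __FILE__ == $PROGRAM_NAME
  vars = { part_of_day: "morning", time: "six o'clock" } # constructed sample
  puts render_restricted("Good <%= part_of_day %>, the time is <%= time %>.", vars)
  puts "caller locals visible to template? #{leaks_local?('secret_value')}"
  # Arbitrary Ruby still runs: a restricted binding is not a sandbox.
  puts render_restricted("<%= File.exist?('/') %>", {})
  puts substitute_placeholders("Good <%= part_of_day %>!", vars)
  begin
    substitute_placeholders("<%= time %>. <% system('shutdown -r now') %>", vars)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The restricted binding answers the README's second concern (no program variables leak into the template) but not the first: `File.exist?('/')` evaluates to "true" because the template is ordinary Ruby code. substitute_placeholders answers the first concern by never evaluating the template at all; it only recognises `<%= name %>` for names present in the hash, raises KeyError for unknown names, and raises ArgumentError on any other ERB-shaped tag, which is the behaviour to want for content authored by untrusted users.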

Copyright © 2011 Nadav Blum. See LICENSE.txt for further details.