string_parse_erb

Say you design a CMS, and you want the ability to replace some place-holders inside an item-content with some external values.

Of course, you can use regular expressions and friends to do the task.

But why not use the power of ERB engine instead ?

Implementing ERB fragments inside your content can open up wide array of possibilities, all of the sudden you get the power of ruby inside you content: not just variables-replacement but conditionals, loops and so on..

The downside of this is security…

  • You wouldn’t want to process an item-content with something like:

    "The time now is <%= time %>. Say bye bye... <% system('shutdown -r now') %>"

    While ‘time’ may be a legal variable to be used inside the item-content template, calling #system should definitely be forbidden.

  • You would like to limit the ‘binding’ object passed to ERB, so it includes only the variables you wish to expose, and not any variable happen to be in the program’s context.

The solution taken by this gem is very simple, (and so may not be perfect), and discussed in a couple of posts like: stackoverflow.com/questions/3619516/how-do-you-mark-a-ruby-binding-as-trusted

Installation

  • gem install string_parse_erb

  • include of extend StrParseErb module

  • string_parse_erb(template, var_hash, safe_level=4) Where:

    • template - a string containing erb fragments

    • var_hash - A hash of variables and their values to be exposed for template usage

    • safe_level(defaults to 4) - ruby SAFE level, under which ERB will operate

Examples

string_parse_erb(
           "Good <%= part_of_day %>, the time is <%= time %>.",
           {:part_of_day => "morning", :time => "six o'clock"}
 )
 # =>  "Good morning, the time is six o'clock."

 string_parse_erb( "<%= abort %>", {})
 # => Raises SecurityError Exception

Copyright © 2011 Nadav Blum. See LICENSE.txt for further details.