On Aug 18, 2005, at 11:49 PM, Jamal Hansen wrote:
> Well enough talk; how safe is the following code?  Assuming that the
> input was passed in from the web rather than a gets.  Also, is there a
> better way of doing something like this?  Thanks in advance for your
> input.  -Jamal

My Ruby security knowledge is lacking, so I can't directly answer
your question. As for the 'better way' aspect, however, I think that  
using ERB is a 'better' solution than using a later eval. (You can  
also specify $SAFE level for the ERB eval during the ERB  
constructor.) It may depend on what you mean by 'better', however.
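
An added example (not code from the original thread or from either poster) of the ERB approach mentioned in the reply: the template text is fixed by the developer, and web input only ever enters as data that is HTML-escaped on output, so it is never evaluated as Ruby. The names `PAGE_TEMPLATE` and `render_page`, the template, and the sample inputs are constructed for illustration, and the example does not rely on `$SAFE`.

```ruby
require 'erb'

# Template source is written by the developer and never built from request data.
PAGE_TEMPLATE = ERB.new(<<~TEMPLATE)
  <h1>Hello, <%= ERB::Util.html_escape(name) %>!</h1>
  <p><%= ERB::Util.html_escape(comment) %></p>
TEMPLATE

# Render the fixed template. The arguments are exposed to the template only as
# local variables (data); their contents are not parsed as ERB or Ruby.
def render_page(name, comment)
  PAGE_TEMPLATE.result_with_hash(name: name.to_s, comment: comment.to_s)
end

# Constructed sample input, as it might arrive from a web form.
if __FILE__ == $PROGRAM_NAME
  puts render_page('Jamal', 'Thanks in advance')
  # Input that looks like template code or markup comes back as inert text.
  puts render_page('<%= 1 + 1 %>', '<script>alert(1)</script>')
end
```
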