On Sep 11, 2005, at 12:29 PM, Devin Mullins wrote:

> Bob Hutchison wrote:
>
>
>> On Sep 11, 2005, at 9:58 AM, Bob Hutchison wrote:
>>
>>
>>> That one change is from:
>>>
>>>
>>>>         "puts #{line.chomp.dump}\n"
>>>>
>>>
>>> to:
>>>     "puts \"#{line.chomp}\"\n"
>>> (just added the quotes).
>>>
>>
>> and lost the dump
>>
>
> And broke it.
>   | blah = 42
>   Hello. I'm an evil template. ", `rm -rf /`, "I advise against running me as root.
>
> Devin
>

Broke it? Nah, it was already 'broken'. And anyway, that's what I  
wanted to do, and really would've 'broken' it to achieve that :-)

If you want safe, you can't be executing code in a template at all.  
That includes the lines beginning with "|". For example:

| system("ls -lt") # that could be "rm -rf /"

It gives you a warning, but you'll be reading that just a little late.

Seriously though, this is exactly what I want to be able to do.  
Personally, I don't need something safe. The same people using the  
software I'm working on have access to a command line, they don't  
need to go through all that trouble to screw themselves up.

I have a code generation problem, and this looks to address my  
requirements very well.

I also have general template requirements, I won't be using this  
because those users don't necessarily know a lot about programming  
(and if they don't already know won't be looking to learn just to use  
my software :-) I'll look elsewhere for a solution to that.

Cheers,
Bob

----
Bob Hutchison          -- blogs at <http://www.recursive.ca/hutch/>
Recursive Design Inc.  -- <http://www.recursive.ca/>
Raconteur              -- <http://www.raconteur.info/>
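
Added example, not part of the original thread or of the template library under discussion: the two text-line compilers quoted above, run side by side on a constructed template, to show that `dump` keeps a text line as data while the plain-quoted form turns `#{...}` and a stray `"` into executed Ruby. The `compile` and `render` helpers and the sample template are assumptions made for illustration.

```ruby
require "stringio"

# The two text-line compilers quoted in the thread.
DUMPED = ->(line) { "puts #{line.chomp.dump}\n" }   # original form
QUOTED = ->(line) { "puts \"#{line.chomp}\"\n" }    # form after the change

# Hypothetical mini compiler: "|" lines are Ruby code, all others are text.
def compile(template, text_compiler)
  template.lines.map { |line|
    line.start_with?("|") ? line[1..-1].strip + "\n" : text_compiler.call(line)
  }.join
end

# Evaluate the generated source and return what it printed.
def render(template, text_compiler)
  source = compile(template, text_compiler)
  saved, $stdout = $stdout, StringIO.new
  begin
    eval(source)
    $stdout.string
  ensure
    $stdout = saved
  end
end

# Constructed template: the last text line closes the generated string
# literal early, here followed only by a harmless method call.
SAMPLE = <<~'TPL'
  | blah = 42
  Value: #{blah}
  Text ", "INJECTED".downcase, " end
TPL

if __FILE__ == $0
  [["dump", DUMPED], ["quoted", QUOTED]].each do |name, compiler|
    puts "--- #{name}: generated source"
    puts compile(SAMPLE, compiler)
    puts "--- #{name}: output"
    puts render(SAMPLE, compiler)
  end
end
```

With `dump` the text lines come back verbatim; with plain quotes, `blah` is interpolated and the `downcase` call inside the text line is executed.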