On Sep 11, 2005, at 12:29 PM, Devin Mullins wrote:

> Bob Hutchison wrote:
>
>> On Sep 11, 2005, at 9:58 AM, Bob Hutchison wrote:
>>
>>> That one change is from:
>>>
>>>> "puts #{line.chomp.dump}\n"
>>>
>>> to:
>>> "puts \"#{line.chomp}\"\n"
>>> (just added the quotes).
>>
>> and lost the dump
>
> And broke it.
> | blah = 42
> Hello. I'm an evil template. ", `rm -rf /`, "I advise against
> running me as root.
>
> Devin

Broke it? Nah, it was already 'broken'. And anyway, that's what I wanted to do, and really would've 'broken' it to achieve that :-)

If you want safe, you can't be executing code in a template at all. That includes the lines beginning with "|". For example:

| system("ls -lt") # that could be "rm -rf /"

It gives you a warning, but you'll be reading that just a little late.

Seriously though, this is exactly what I want to be able to do. Personally, I don't need something safe. The same people using the software I'm working on have access to a command line, they don't need to go through all that trouble to screw themselves up. I have a code generation problem, and this looks to address my requirements very well.

I also have general template requirements, I won't be using this because those users don't necessarily know a lot about programming (and if they don't already know won't be looking to learn just to use my software :-) I'll look elsewhere for a solution to that.

Cheers,
Bob

----
Bob Hutchison -- blogs at <http://www.recursive.ca/hutch/>
Recursive Design Inc. -- <http://www.recursive.ca/>
Raconteur -- <http://www.raconteur.info/>
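The two text-line forms quoted in the thread, compared side by side in an added Ruby example (not code from the message or from the template engine itself). The names `compile`, `render` and `probe`, and the sample template, are hypothetical and constructed for illustration; `probe` is a harmless stand-in for code a template should not be able to run.

```ruby
require "stringio"

$probe_calls = 0
# Harmless marker: counts how often template text got executed as code.
def probe
  $probe_calls += 1
  "<code ran>"
end

# Text line -> Ruby source, original form: dump escapes quotes and '#{'.
def compile_with_dump(line)
  "puts #{line.chomp.dump}\n"
end

# Text line -> Ruby source, changed form: raw text inside a string literal.
def compile_with_quotes(line)
  "puts \"#{line.chomp}\"\n"
end

# "|" lines pass through as Ruby code; every other line is emitted as text.
def compile(template, text_compiler)
  template.lines.map do |line|
    line.start_with?("|") ? line[1..-1].strip + "\n" : send(text_compiler, line)
  end.join
end

# Evaluate the generated code; return [captured output, probe call count].
def render(template, text_compiler)
  $probe_calls = 0
  out = StringIO.new
  saved, $stdout = $stdout, out
  begin
    eval(compile(template, text_compiler))
  ensure
    $stdout = saved
  end
  [out.string, $probe_calls]
end

# Constructed sample: text lines that try to leave the string literal.
TEMPLATE = <<~'T'
  Hello. ", probe, "Plain text?
  Sum: #{probe}
T
# Constructed sample: a code line, which runs under either text form.
CODE_LINE = "| probe\n"

[:compile_with_dump, :compile_with_quotes].each do |c|
  _out, calls = render(TEMPLATE, c)
  puts "#{c}: probe ran #{calls} time(s)"
end
```

With `dump`, the text lines come back byte for byte; with bare quotes, both lines execute `probe`. The `|` line executes in either case, which is the point made in the reply above.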