防止在HAML中执行ruby代码

Is there a way to prevent certain Ruby code from being executed in HAML?

有什么方法可以阻止某些Ruby代码在HAML中执行吗?

The problem I am having is the following: Users are allowed to setup their own HAML files in a CMS environment. I want to allow IF/ELSE and LOOPS within these files, but other ruby code shouldn't be executed for security reasons.

我遇到的问题是:允许用户在CMS环境中设置自己的HAML文件。我想在这些文件中允许IF/ELSE和循环，但是其他ruby代码不应该出于安全考虑而被执行。

Do I have to scan the custom HAML files for ruby code and delete that or is there a better solution?

我是否需要扫描自定义的HAML文件以获得ruby代码并删除它，或者是否有更好的解决方案?

Thanks for any kind of help!

谢谢你的帮助!

Greg

格雷格

3 个解决方案

#1

It sounds like you're looking for some kind of sandbox for templates like this. I can't speak to the results you might get using this library. They do say that it is still experimental, but it looks like a good place to start. If nothing else, you may be able to use their code as a guide for scrubbing your haml.

听起来好像您正在寻找类似这样的模板的沙箱。我无法告诉你使用这个库可能得到的结果。他们的确说它仍处于试验阶段，但看起来是一个很好的起点。如果没有别的，您可以使用它们的代码作为清除haml的指南。

#2

I don't think you do, at least not for HAML.

我认为你不会，至少哈默不会。

There are other view libraries for Ruby meant to be end-user safe. For example, Cerubis, or Liquid.

Ruby还有其他的视图库，目的是确保最终用户的安全。例如，Cerubis，或液体。

#3

One alternative possibility would be to interpret your HAML client-side using something like haml.js. In this way there's no chance of contaminating your server via injection or other security holes while still providing access to looping constructs and logic through Javascript.

另一种可能是使用类似于HAML .js的东西来解释HAML客户端。这样就没有可能通过注入或其他安全漏洞来污染您的服务器，同时还可以通过Javascript提供对循环结构和逻辑的访问。

#1

#2