Thread: :suppress_eval - I'm confused

:suppress_eval - I'm confused
jbc, 2007-09-18 09:03:42
So, I was thinking of using haml as the actual markup language for the wiki-like-thing I'm building in rails. The syntax is simple and beautiful, and encourages people to use css styling rather than trying to do it by hand - which is good.

But of course, I don't want people doing Bad Things in evaled code. In fact, I don't want them to do *anything*.

So, I had thought that

<in app/views/thing/show.haml>
#postbody= Haml::Engine.new(post.body, :suppress_eval => true).render

would do the trick.

But lo, basic testing from script/console would seem to put the lie to that:

Haml::Engine.new('-  puts File.read "/home/me/myApp/app/controllers/thing_controller.rb"', :suppress_eval => true).render
=> "class ThingController < ApplicationController\n...

This is bad.

How am I fundamentally misunderstanding the meaning of "suppress eval"? What *does* it do?

Apart from some tortuous gsubbing, is there no way to render the thing user-safe?


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Haml" group.
To post to this group, send email to hamlgooglegroups.com
To unsubscribe from this group, send email to haml-unsubscribegooglegroups.com
For more options, visit this group at http://groups.google.com/group/haml?hl=en
-~----------~----~----~----~------~----~------~--~---


Re: :suppress_eval - I'm confused
2007-09-18 10:38:05
On 9/18/07, jbc <jcattleygmail.com> wrote:

> But lo, basic testing from script/console would seem to put the lie to that:
>
> Haml::Engine.new('-  puts File.read "/home/me/myApp/app/controllers/thing_controller.rb"', :suppress_eval => true).render
> => "class ThingController < ApplicationController\n...
>
> This is bad.

This is also weird. Take a look at "test_stop_eval" in Engine tests; the option should make Haml behave just as you would expect. Use Haml trunk and run the unit tests; see if they pass. Check if you made any mistakes or typos.


Re: :suppress_eval - I'm confused
Nathan Weizenbaum, 2007-09-18 10:40:37
Your script/console line shouldn't run the silent script. It doesn't on my computer. What version of Haml are you using?

- Nathan



Re: :suppress_eval - I'm confused
jbc, 2007-09-18 17:21:50
% less vendor/plugins/stable/VERSION
1.7.1

There's definitely something very weird going on - I might try reinstalling the plugin.

>> Haml::Engine.new("-  puts 'hello'", :suppress_eval => true).render
=> ""
>> Haml::Engine.new("-  puts 'hello'", :suppress_eval => false).render
=> ""
(the File.Read line was from the same session)

>> Haml::Engine.new("=  puts 'hello'*3", :suppress_eval => false).render
=> "hellohellohello\n\n"
>> Haml::Engine.new("=  puts 'hello'*3", :suppress_eval => true).render
=> "hellohellohello\n\n"

And the haml tests ran with no errors.

If this is not expected behaviour, then at least I'm not going insane.

I'm something of a rails noob, btw, so I can easily be missing something terribly obvious.

(also, is it meant to sit under plugins/stable? Seems odd...)

Thanks for the help!



Re: :suppress_eval - I'm confused
Nathan Weizenbaum, 2007-09-18 17:33:09
I think I see the issue. Haml caches templates so that it can render the same template multiple times more efficiently. However, changing the options /does not/ clear the cache; thus, if you've already run a template with :suppress_eval not set, and then you run it again with :suppress_eval set, it won't work. This is a bug; I'll work on fixing it.

This does mean, though, that you're safe to use :suppress_eval to take user input. The only way they'll be able to execute code is if they insert a string identical to one of your server-side templates, and then it shouldn't be able to do any harm.

- Nathan



Re: :suppress_eval - I'm confused
jbc, 2007-09-18 18:25:11
Awesome!

Thanks - it's really appreciated.



Re: :suppress_eval - I'm confused
Mislav Marohnić, 2007-09-18 18:37:24
On 9/19/07, Nathan Weizenbaum <nex342gmail.com> wrote:

> Haml caches templates so that it can render the same template multiple times more efficiently. However, changing the options /does not/ clear the cache;

You sure? I thought I've seen some code that invalidates the cache if the parameters have changed.


Re: :suppress_eval - I'm confused
Nathan Weizenbaum, 2007-09-18 20:35:35
It does make sure that the :locals option hasn't changed, but it doesn't think about any of the others.

- Nathan



Re: :suppress_eval - I'm confused
Nathan Weizenbaum, 2007-09-19 01:12:19
As of r606, Haml trunk caches templates based on options as well as the template text.

- Nathan

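The cache behaviour Nathan describes (compiled templates cached by text alone, so a later render with :suppress_eval => true gets the earlier compile) and the r606 fix (keying on options as well), as an added example that is not Haml's own code; ToyTemplateCache and stale_cache_demo are hypothetical names, and the scripting lines are recorded rather than evaluated.

```ruby
# Added example, not Haml's own code: a toy template engine whose cache
# reproduces the failure mode described in the thread. A template line is
# either literal text or a scripting line ("- <code>"). Rather than
# evaluating Ruby, a scripting line only records its code in `executed`,
# which is enough to see whether :suppress_eval was honoured.
class ToyTemplateCache
  # key_on_options: false models the 1.7.1 behaviour (cache keyed on the
  # template text alone); true models the r606 fix (text plus options).
  def initialize(key_on_options:)
    @key_on_options = key_on_options
    @cache = {}
  end

  # Compile once per cache key. With :suppress_eval the scripting lines are
  # discarded here, at compile time, so a later cache hit never sees them.
  def compile(template, options)
    suppress = options.fetch(:suppress_eval, false)
    steps = template.each_line.map(&:chomp).map do |line|
      if line.start_with?('- ')
        [:run, line[2..-1]] unless suppress   # nil when suppressed
      else
        [:text, line]
      end
    end.compact
    lambda do
      executed = []
      out = []
      steps.each do |kind, value|
        if kind == :run
          executed << value   # a real engine would eval the code here
        else
          out << value
        end
      end
      { output: out.join("\n"), executed: executed }
    end
  end

  # The cache key is where the bug lives: keyed on text alone, a template
  # compiled with eval enabled is handed back to a later caller who asked
  # for :suppress_eval => true.
  def render(template, options = {})
    key = @key_on_options ? [template, options] : template
    compiled = (@cache[key] ||= compile(template, options))
    compiled.call
  end
end

# The thread's sequence: the same text is rendered first without suppression
# (as a server-side template would be) and then with :suppress_eval => true.
# Returns the scripting lines that the second render still executed.
def stale_cache_demo(key_on_options)
  engine = ToyTemplateCache.new(key_on_options: key_on_options)
  template = "- puts 'hello'\nsome text"
  engine.render(template, suppress_eval: false)
  engine.render(template, suppress_eval: true)[:executed]
end

puts "text-only cache key, second render ran: #{stale_cache_demo(false).inspect}"
puts "text+options cache key, second render ran: #{stale_cache_demo(true).inspect}"
```

With the text-only key the second render still reports the scripting line; with the text-plus-options key it reports none, which is the regression check worth keeping around the fix.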

