Liquid::Template security issue: not a problem

2008-01-21

Well, it seems I jumped the gun. In Security issue in Liquid::Template, I thought I had a found a problem with the Liquid template engine. Instead, I should have looked more closely at what I do:

app/controllers/pages_controller.rb


1 class PagesController < ApplicationController

2   def show

3     # …

4     render(:inline => @page.render, :layout => false)

5   end

6 end

The details can be found at #render on the Ruby on Rails API. Seems like it’s time for us to switch to using render :text.

I am sorry for any scare I caused. If I had run a separate test case, I’d have immediately seen I was in error, and not Liquid.

View Comments

Security issue in Liquid::Template

2008-01-19

In XLsuite, we use Liquid templates in the CMS. Two days ago, I noticed a big problem: ERB code in the Liquid template ends up being eval’d. This is in direct contradiction with Liquid’s mission statement:

Ruby library for rendering safe templates which cannot affect the security of the server they are rendered on.

From Liquid Home Page

I’m reposting this here so this gets the attention it deserves.

If you are interested, you can view Liquid’s issue at: http://code.google.com/p/liquid-markup/issues/detail?id=6

View Comments

Search

Your Host

A picture of me

I am François Beausoleil, a Ruby on Rails and Scala developer. During the day, I work on Seevibes, a platform to measure social interactions related to TV shows. At night, I am interested many things. Read my biography.

Top Tags

Books I read and recommend

Links

Projects I work on

Projects I worked on