I am looking to create an application effectively like a very simple blog – with another article being added every few days. In order to control the appearance of the articles, I would like to write them directly using html so pictures, links etc. can be put in appropriate places and formatted as required. However, storing these articles in a database would seem to make the maintenance a lot easier and provide additional searching capabilities. Is it sensible to store such html / erb code in a database in this way? If not, what are the alternatives?
The standard way to do this is to use a markup library, such as redcloth. You use something similar even here on SO – it looks like markdown, if you read the help link. The content can certainly be put in a database. It can be done with html and erb, but the reason it is not often done is safety.
If you are the only one using it, it may not be an issue, but if you allow anyone else to insert data, you can open yourself up to XSS attacks with html, or even code exploits if you allowed raw erb. Markup languages exist to limit the set of markup allowed and to remove the ability for scripting attacks.
See also: Better ruby markdown interpreter?
Update: What great timing, there was a railscast released today about this: http://railscasts.com/episodes/272-markdown-with-redcarpet
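To illustrate the safety point made in this answer, here is an added Ruby example (not from the original post, nor code from redcloth or redcarpet): stored article text rendered as raw ERB beside a toy whitelist renderer that stands in for a real markup library. The sample article text, the function names and the two-element markup whitelist are all constructed for the example.

```ruby
require 'erb'
require 'cgi'

# Constructed sample article text, as an untrusted author might submit it.
SAMPLE = "Hello **world**! See [docs](https://example.com) " \
         "<script>alert(1)</script> <%= 1 + 1 %>"

# Option 1 (unsafe for untrusted authors): store raw HTML/ERB and evaluate it
# when rendering. The <script> tag passes straight through to the browser and
# ERB executes any embedded Ruby, so this must only ever see trusted input.
def render_raw_erb(source)
  ERB.new(source).result(binding)
end

# Option 2 (safe): escape everything first, then re-introduce a small whitelist
# of markup. No tag or template code written by the author survives as HTML.
# A real deployment would use redcarpet/redcloth; this toy renderer only
# supports **bold** and [text](url) to keep the idea visible.
SAFE_SCHEMES = %w[http https].freeze

def render_safe_markup(source)
  html = CGI.escapeHTML(source)          # <, >, &, " and ' become entities
  html = html.gsub(/\*\*(.+?)\*\*/, '<strong>\1</strong>')
  html.gsub(/\[([^\]]+)\]\(([^)\s]+)\)/) do
    text, url = $1, $2
    # Absolute URLs must use an allowed scheme; relative paths are fine.
    # Quotes were already escaped, so url cannot break out of the attribute.
    if url.include?(':') && !SAFE_SCHEMES.include?(url.split(':', 2).first.downcase)
      text
    else
      %(<a href="#{url}">#{text}</a>)
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  puts render_raw_erb(SAMPLE)
  puts render_safe_markup(SAMPLE)
end
```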