I have a model which has a template field. This template is HTML and

Question

0

Asked: May 22, 20262026-05-22T20:01:53+00:00 2026-05-22T20:01:53+00:00

I have a model which has a template field. This template is HTML and

0

I have a model which has a template field. This template is HTML and has variables which get substituted. This template is then converted into a PDF using wicked_pdf.

How should I take the template which the user enters and safely do variable substitution? Allowing it to be an ERB template seems to be setting myself up for some huge security holes. What safe solutions are there?

Edit:

So, for example, I have my template class/model which has two fields, a name and an HTML field. This is a user editable class. There will be specific variables available to the HTML in the template class (Company Name, price, etc.). I am hoping to use a HTML templating system, but since this is user created content, it isn’t trusted. Only variable substitution will be done, nothing more.

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-22T20:01:54+00:00

Editorial Team

2026-05-22T20:01:54+00:00Added an answer on May 22, 2026 at 8:01 pm

Rails provides a couple of helper functions, namely hto escape values on display for preventing such behavior.
<%= h @user.name %>

h is an alias of html_escape

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I have a model which has a template field. This template is HTML and

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply