I have a view with a lot of equal items that only change the item name; to keep it DRY I've refactored this into a partial. My question is, if I send the type_oil, a string variable, to the partial, then eval it with eval("#{type_oil}_path"), will it be exposed in any way to the public? Could this be a security issue?

views/controller_name/oils.html.haml

    #oils-content
      -# oils_list is a list of strings
      - oils_list.each do |oil|
        = render "controller_name/oils_item", type_oil: oil

views/controller_name/_oils_item.html.haml

    .item
      %h2= t("oils.#{type_oil}.front_header")
      %p= t("oils.#{type_oil}.front_body")
      = link_to t("oils.#{type_oil}.link"), eval("#{type_oil}_path")

It will not in any way be exposed to the public. I think your confusion comes from you thinking that the Ruby in your view is a front-end language like your HTML (or in this case, HAML). It is not. All the Ruby in your views is just there to dynamically create content for the HTTP response, and is therefore executed prior to the response being sent from your server.
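
An added example, not part of the original question or answer: because the eval runs on the server, it executes the whole string as Ruby, so the partial is only as safe as the source of type_oil. The sketch below compares it with an allowlist plus public_send, which only ever calls a known helper. FakeView, its two helper methods and the OILS list are constructed stand-ins for the Rails view context, the route helpers and oils_list.

```ruby
# Constructed stand-in for the Rails view context. In a real app the
# *_path helpers are generated from config/routes.rb; these two are
# hypothetical.
class FakeView
  # Stand-in for oils_list: the only names the partial should ever see.
  OILS = %w[olive coconut].freeze

  def olive_path
    "/oils/olive"
  end

  def coconut_path
    "/oils/coconut"
  end

  # What the partial does today: the interpolated string is parsed and
  # executed as Ruby in the context of the view.
  def path_with_eval(type_oil)
    eval("#{type_oil}_path")
  end

  # Alternative: check the name against the allowlist, then dispatch it
  # as a plain method call. Nothing in the string is ever parsed as code.
  def path_with_send(type_oil)
    unless OILS.include?(type_oil)
      raise ArgumentError, "unknown oil: #{type_oil.inspect}"
    end
    public_send("#{type_oil}_path")
  end
end

if __FILE__ == $PROGRAM_NAME
  view = FakeView.new

  # Trusted value from the hard-coded list: both variants agree.
  puts view.path_with_eval("olive")
  puts view.path_with_send("olive")

  # Constructed value standing in for anything that is not a plain name:
  # eval runs the extra statement before resolving the helper.
  crafted = "@side_effect = :ran; olive"
  puts view.path_with_eval(crafted)
  puts view.instance_variable_get(:@side_effect).inspect

  begin
    view.path_with_send(crafted)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

With a hard-coded oils_list both variants return the same path; they differ only once the string can come from somewhere else, such as params or a database column.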