Rails render behavior, passing and evaling a variable, is it safe?


I have a view with a lot of equal items that only change the item name; to keep it DRY, I've refactored this into a partial. My question is: if I send type_oil, a string variable, to the partial and then eval it with eval("#{type_oil}_path"), will it be exposed in any way to the public? Could this be a security issue?

views/controller_name/oils.html.haml

#oils-content
  -# oils_list is a list of strings
  - oils_list.each do |oil|
    = render "controller_name/oils_item", type_oil: oil

views/controller_name/_oils_item.html.haml

.item
  %h2= t("oils.#{type_oil}.front_header")
  %p= t("oils.#{type_oil}.front_body")
  = link_to t("oils.#{type_oil}.link"), eval("#{type_oil}_path")

There is 1 answer

trosborn (best answer)

It will not in any way be exposed to the public. I think your confusion comes from you thinking that the Ruby in your view is a front-end language like your HTML (or in this case, HAML). It is not. All the Ruby in your views is just there to dynamically create content for the HTTP response, and is therefore executed prior to the response being sent from your server.
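
An alternative to the eval call in the question, as an added example that is not part of the original post or answer: it resolves the route helper by name with an allowlist and public_send, and shows next to it how eval treats the same string as Ruby source when the value does not come from a fixed list. The helpers olive_path and coconut_path, the ViewContext stand-in class (used so the block runs without Rails) and the constructed input string are all assumptions.

```ruby
# Stand-in for the route helpers a Rails view can call (assumption: the
# app defines olive_path and coconut_path; both names are hypothetical).
module RouteHelpers
  def olive_path
    "/oils/olive"
  end

  def coconut_path
    "/oils/coconut"
  end
end

class ViewContext
  include RouteHelpers

  # Fixed allowlist: only these names may be turned into a helper call.
  ALLOWED_OILS = %w[olive coconut].freeze

  attr_reader :side_effects

  def initialize
    @side_effects = []
  end

  # Pattern from the question: the string is compiled and run as Ruby.
  def path_with_eval(type_oil)
    eval("#{type_oil}_path")
  end

  # Hardened form: validate against the allowlist, then dispatch by name.
  # public_send calls a public method; it never parses Ruby source.
  def path_with_allowlist(type_oil)
    unless ALLOWED_OILS.include?(type_oil)
      raise ArgumentError, "unknown oil type: #{type_oil.inspect}"
    end
    public_send("#{type_oil}_path")
  end
end

# Constructed input: a benign extra statement followed by a valid prefix.
CONSTRUCTED_INPUT = "@side_effects.push(:ran); olive"
```

With the constructed input, path_with_eval returns the olive path and also runs the extra statement, while path_with_allowlist raises ArgumentError before anything is dispatched.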