bridgetownrb / serbea

The Ruby template engine you didn't realize you needed. Until now.
https://www.serbea.dev
MIT License
42 stars 1 fork

Documentation request: is this really a safe replacement for Liquid? #6

Closed brandondrew closed 2 months ago

brandondrew commented 2 years ago

It's unclear to me whether Serbea is a replacement for ERB or Liquid. It seems to be billed as both, but—unless I'm very mistaken—both fill very different needs, with ERB allowing any Ruby to be inserted, and Liquid very purposefully limiting what you can do, so that it's safe to (e.g.) allow your users to create their own Liquid templates that you use to display pages, which are not capable of running arbitrary Ruby, and therefore can be counted on to not be a security risk.

Does Serbea have some way of offering end users a limited subset of capabilities—to fill the Liquid use case—and giving much more control to developers—to fill the ERB use case?

brandondrew commented 2 years ago

If it does not currently offer these two different tiers of usage, perhaps it might be worth considering? 🤷🏼‍♂️

jaredcwhite commented 2 years ago

@brandondrew Serbea is indeed like ERB in that it allows arbitrary Ruby code execution. Which is fine for a typical codebase use case, but not when you need to provide a template language to untrusted users. Liquid's still the way to go for that.
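The distinction the maintainer draws above, as an added example (this is not code from the serbea project or from either commenter): an ERB-style engine evaluates the template body as Ruby, so whoever writes the template can reach anything the process can, while a Liquid-style engine only looks names up in a hash you hand it. The helper names (`render_erb`, `render_sandboxed`, `render_liquid`), the `SECRET_CONFIG` constant and the template strings are all constructed for this example; `render_sandboxed` is a deliberately tiny stand-in for the Liquid idea, not Liquid's own implementation, and the real Liquid gem is only used if it happens to be installed.

```ruby
require "erb"

# Constructed application secret that an untrusted template author should
# never be able to read.
SECRET_CONFIG = "db-password-123"

# Tier 1: ERB (and, per the maintainer's reply, Serbea). The template body IS
# Ruby. Whatever the process can do, the template author can do, so this tier
# is only safe for templates that live in your own codebase.
def render_erb(template, locals = {})
  # ERB#result_with_hash (Ruby >= 2.5) exposes the hash entries as local
  # variables to the template. Everything else in the process is reachable too.
  ERB.new(template).result_with_hash(locals)
end

# Tier 2: a Liquid-style engine for untrusted authors. This toy version only
# understands `{{ name }}` lookups against an allowlisted hash; there is no
# method call syntax and nothing is ever eval'd. Anything that is not a plain
# identifier is left as literal text; unknown names render as empty string.
SAFE_TAG = /\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}/

def render_sandboxed(template, allowed = {})
  template.gsub(SAFE_TAG) do
    key = Regexp.last_match(1)
    allowed.fetch(key) { "" } # not in the allowlist -> nothing, never a lookup in Ruby scope
  end
end

# The production equivalent: Liquid itself, if the gem is available.
begin
  require "liquid"
  LIQUID_AVAILABLE = true
rescue LoadError
  LIQUID_AVAILABLE = false
end

def render_liquid(template, allowed = {})
  return nil unless LIQUID_AVAILABLE
  # Liquid's default (lax) mode renders an undefined variable as "".
  Liquid::Template.parse(template).render(allowed)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed "user-supplied" templates, one per syntax.
  erb_attack = "Hi <%= name %>, you have <%= 2 + 40 %> points. " \
               "secret=<%= Object.const_get(:SECRET_CONFIG) %>"
  liquid_attempt = "Hi {{ name }}, you have {{ 2 + 40 }} points. secret={{ SECRET_CONFIG }}"

  puts "ERB:       #{render_erb(erb_attack, name: 'Ana')}"          # secret leaks
  puts "sandboxed: #{render_sandboxed(liquid_attempt, 'name' => 'Ana')}" # secret does not
  puts "liquid:    #{render_liquid(liquid_attempt, 'name' => 'Ana')}" if LIQUID_AVAILABLE
end
```

Run it and the ERB line prints the secret and the evaluated arithmetic, while the sandboxed line prints only the allowlisted `name`. That is the whole reason Liquid exists as a separate language rather than a restricted mode of ERB: the "limited subset" has to be enforced by the parser, not by asking template authors to behave.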