Please add more detail to the security section of the Readme. It'd be useful to have some example code showing how to safely use user-provided templates. I'd also like to know what the vulnerabilities are, generally.
My current plan to avoid security issues in using user-provided templates is to serialize and then deserialize any objects that I pass to template.call(). Would that be enough to remove filesystem and database access in a Rails environment?
Finally, I'll use a whitelist to limit the fields that I allow to be reserialized before passing the object to template.call() so the users can't read any variables that I don't want to make public.
Thanks!
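One way to implement the allowlist-plus-round-trip approach described in the issue, as an added example that is not part of the original post or of the library it concerns. The `User` class, `safe_view`, `plain_data?` and the field names are assumptions constructed for illustration; the only thing taken from the post is the idea of serializing and deserializing an allowlisted subset of fields before handing the result to `template.call()`.

```ruby
require 'json'

# Hypothetical model standing in for an ActiveRecord record (constructed for this example).
class User
  attr_reader :name, :email, :password_digest

  def initialize(name, email, password_digest)
    @name, @email, @password_digest = name, email, password_digest
  end

  # Methods like this are exactly what a template must never be able to reach.
  def destroy!
    raise "would delete the row"
  end
end

# Fields a template is allowed to see; everything else on the record is dropped.
ALLOWED_USER_FIELDS = %w[name email].freeze

# Build the view object that is passed to template.call: only allowlisted fields,
# and the result is a plain Hash produced by serializing and then deserializing,
# so none of the original object's methods (or its associations) survive.
def safe_view(record, allowed_fields)
  picked = allowed_fields.each_with_object({}) do |field, h|
    h[field] = record.public_send(field) if record.respond_to?(field)
  end
  JSON.parse(JSON.generate(picked))
end

# Check usable in a test suite: the view is made only of strings, numbers,
# booleans and nil (recursively inside Hashes and Arrays), i.e. pure data.
SCALAR_TYPES = [String, Integer, Float, TrueClass, FalseClass, NilClass].freeze

def plain_data?(value)
  case value
  when Hash  then value.all? { |k, v| k.is_a?(String) && plain_data?(v) }
  when Array then value.all? { |v| plain_data?(v) }
  else SCALAR_TYPES.any? { |type| value.is_a?(type) }
  end
end

if __FILE__ == $0
  user = User.new('alice', 'alice@example.com', 'constructed-digest')
  view = safe_view(user, ALLOWED_USER_FIELDS)
  p view                    # {"name"=>"alice", "email"=>"alice@example.com"}
  p plain_data?(view)       # true
  # template.call(view)     # hand only the view, never the record, to the template
end
```

The round trip through JSON is what removes behaviour: the template receives a Hash of scalars rather than an object that still carries `destroy!` or an ActiveRecord connection. Note that this only limits what data the template can read; if the template engine itself lets a template execute arbitrary Ruby, restricting the passed object does not restrict what that code can call, so check the engine's own security notes as well.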