README.markdown in safemode-1.3.8 vs README.markdown in safemode-1.4.0
- old
+ new
@@ -21,28 +21,32 @@
For manual evaluation of Ruby code and ERB templates see demo.rb
You can use the ActionView template handlers by registering them, e.g., in
a config/initializer file like this:
- # in config/intializer/safemode_tempate_handlers.rb
- ActionView::Template.register_template_handler :serb, ActionView::TemplateHandlers::SafeErb
- ActionView::Template.register_template_handler :haml, ActionView::TemplateHandlers::SafeHaml
+```ruby
+# in config/intializer/safemode_tempate_handlers.rb
+ActionView::Template.register_template_handler :serb, ActionView::TemplateHandlers::SafeErb
+ActionView::Template.register_template_handler :haml, ActionView::TemplateHandlers::SafeHaml
+```
If you register the ERB template handler for the file extension :erb be aware
that this most probably will break when your application tries to render an
error message in development mode (because Rails will try to use the handler
to render the error message itself).
You will then have to "whitelist" all method calls to the objects that are
registered as template variables by explicitely allowing access to them. You
can do that by defining a Safemode::Jail class for your classes, like so:
- class User
- class Jail < Safemode::Jail
- allow :name
- end
- end
+```ruby
+class User
+ class Jail < Safemode::Jail
+ allow :name
+ end
+end
+```
This will allow your template users to access the name method on your User
objects.
Class methods can be whitelisted by calling `allow_class_method :foo` from
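Review bot: the newly fenced block carries two typos in its path comment, `config/intializer/safemode_tempate_handlers.rb`, which should read `config/initializers/safemode_template_handlers.rb` (Rails loads from the `initializers` directory, not `initializer`), since readers will copy this path verbatim; the unchanged context line "by explicitely allowing access" should also read "explicitly". Because `register_template_handler :haml` replaces the stock Haml handler application-wide, the paragraph that warns about `:erb` breaking development error pages would be clearer if it stated that the same caveat applies to any extension that Rails or a gem already handles, and that the safe approach is a dedicated extension such as `:serb` as shown. The added Jail example also lost its nested indentation (the `class Jail` and `allow :name` lines sit at a single space), so the fenced block should be re-indented to two spaces per level so it renders as valid, readable Ruby.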
@@ -60,15 +64,9 @@
Requires the gems:
* RubyParser
* Ruby2Ruby
-
-As of writing RubyParser alters StringIO and thus breaks usage with Rails.
-See http://www.zenspider.com/pipermail/parsetree/2008-April/000026.html
-
-A patch is included that fixes this issue and can be applied to RubyParser.
-See lib/ruby\_parser\_string\_io\_patch.diff
### Credits
* Sven Fuchs - Initial Maintainer
* Peter Cooper
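Review bot: dropping the RubyParser StringIO note and the reference to `lib/ruby_parser_string_io_patch.diff` leaves the "Requires the gems" list with no version constraint, so a reader who installs an old RubyParser can still hit the breakage the removed paragraph described; this hunk should either state the minimum RubyParser version in which the StringIO issue is fixed or point to the gemspec dependency that enforces it, and the patch file itself should be removed from the gem in the same release so the package does not ship a stale, undocumented diff. The deleted blank line after `* Ruby2Ruby` also runs the list straight into `### Credits`, which some Markdown renderers will fold into the list item, so one blank line should be kept before the heading.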