Is ActiveSupport::CoreExtensions::String::Inflections.constantize safe to use with user provided data?

Background

I am currently working on a Rails application. I have different products that can be processed through different suppliers. To process orders, all suppliers require a text file in a specific format.

I decided to use the Factory class to generate instances of Formatter classes that will display order information in the appropriate format.

In the Factory class, I considered using the following code:

class ExportFactory
  # Builds a class name from the vendor name and resolves it at runtime,
  # e.g. "Big Box" -> "ProductExporterBigBox"
  def self.exporter_class_for_vendor(vendor_name)
    class_name = "ProductExporter#{vendor_name}".gsub(' ','').camelize
    class_name.constantize
  end
end

Question

Can I use ActiveSupport::CoreExtensions::String::Inflections.constantize on data submitted by the user? Or should I just hard-code the class names instead?


+3
1


, , #delete , File .

, , #constants. , ruby, , , .


# Allowlist: the only constants user input is ever allowed to resolve to
module AvailableClasses
  Foo = ::Foo
  Bar = ::Bar
end

# Module#constants returns symbols, so compare against their string form
validates_inclusion_of :user_input, :in => AvailableClasses.constants.map(&:to_s)

# inherit = false: look only inside AvailableClasses, never fall back to Object
AvailableClasses.const_get(user_input, false)

# alternative, once user_input has passed the inclusion validation above
"AvailableClasses::#{user_input}".constantize
+5
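A runnable version of the allowlisted lookup described in the answer, applied to the exporter factory from the question. This is an added example, not code from the question, the answer or any Rails project: the two exporter classes, the vendor names, the AvailableExporters module, the UnknownVendor error and the constant_name_for helper (a stand-in for ActiveSupport's camelize so the block runs without Rails) are all constructed for illustration. It also shows why the inclusion check is required: Module#const_get with the default inherit=true searches Object as well, so an unvalidated name such as "File" resolves.

```ruby
# Added example (not code from the question or the answer): an allowlisted
# exporter lookup. The exporter classes and vendor names are constructed.
class ProductExporterAcme
  def format(order)
    "ACME|#{order[:id]}"
  end
end

class ProductExporterBigBox
  def format(order)
    "BIGBOX,#{order[:id]}"
  end
end

# The allowlist: the only constants user input may ever resolve to.
module AvailableExporters
  Acme   = ::ProductExporterAcme
  BigBox = ::ProductExporterBigBox
end

class ExportFactory
  class UnknownVendor < StandardError; end

  # Minimal stand-in for ActiveSupport's camelize (hypothetical helper),
  # so the block runs without Rails: "big box" -> "BigBox".
  def self.constant_name_for(vendor_name)
    vendor_name.to_s.strip.split(/[\s_]+/).map { |w| w.sub(/\A./) { |c| c.upcase } }.join
  end

  # Safe path: validate against the allowlist, then resolve with inherit=false
  # so the lookup cannot fall back to Object (::File, ::Kernel, ...).
  def self.exporter_class_for_vendor(vendor_name)
    name = constant_name_for(vendor_name)
    allowed = AvailableExporters.constants.map(&:to_s) # constants are symbols
    raise UnknownVendor, "no exporter for #{vendor_name.inspect}" unless allowed.include?(name)
    AvailableExporters.const_get(name, false)
  end

  # The pitfall the answer warns about, kept here only to show why the
  # allowlist check above is required: Module#const_get with the default
  # inherit=true also searches Object, so a name like "File" resolves.
  def self.unguarded_lookup(name)
    AvailableExporters.const_get(name)
  end

  # Convenience: vendor name -> formatted line, or nil for an unknown vendor.
  def self.export_line(vendor_name, order)
    exporter_class_for_vendor(vendor_name).new.format(order)
  rescue UnknownVendor
    nil
  end
end

if __FILE__ == $PROGRAM_NAME
  puts ExportFactory.export_line("big box", { id: 42 })   # BIGBOX,42
  puts ExportFactory.export_line("File", { id: 42 }).inspect # nil
end
```

The validation compares strings because Module#constants returns symbols; with the answer's original `:in => AvailableClasses.constants` a string parameter would never match. Passing `false` as the second argument to const_get is the second line of defence: even if the inclusion check were skipped, only constants defined directly in the allowlist module can be found.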

Source: https://habr.com/ru/post/1721141/
