Forum OpenACS Q&A: Response to Translation of vars within string

Posted by Michael A. Cleverly on
And I want to avoid David's solution <%=$first_names%> because I want "mere users" to be able to enter a few variables in a text string that gets stored in the db and later select and substitute with the current value of, for instance, $name in the string to render on the page... (clear?)
If that's the case, make sure you read the man page for subst, specifically the -nocommands switch. Otherwise some malicious user could save as their string: "Goodbye $first_names $last_name. [exec rm -r -f /]. Have a nice day. [ns_shutdown]", which probably wouldn't be something you'd want.

And, just for kicks, say you only wanted certain variables to be substituted. (So that $first_name doesn't blow up.) You could use Tcl 8's very handy string map:

set html [string map [list \$first_names $first_names \$last_name $last_name \$foo $foo] $user_string_from_database]
(I hope the backslashes above make it or the code will look positively stupid. 😊)
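
An added example, not part of the original post: the string map allow-list approach described above, wrapped in a proc and run beside subst -nocommands on the same input. The proc names render_template and by_length_desc, the variable secret and the sample string are assumptions made up for this illustration.

```tcl
# Added example, not code from the original post. All names and sample
# values here are constructed for illustration.

# Comparison helper: order names longest-first. string map tries keys in
# list order, so "$first_names" must be tried before a shorter key such
# as "$first_name" that is a prefix of it.
proc by_length_desc {a b} {
    expr {[string length $b] - [string length $a]}
}

# Replace only allow-listed $name tokens in user-supplied text.
# values is a flat list: name value name value ...
# string map does literal replacement: the Tcl parser never sees the
# template, so brackets, backslashes and unlisted variables pass through
# as plain text, and replaced text is not rescanned.
proc render_template {template values} {
    array set v $values
    set map [list]
    foreach name [lsort -command by_length_desc [array names v]] {
        lappend map "\$$name" $v($name)
    }
    return [string map $map $template]
}

set first_names "Ada"
set last_name   "Lovelace"
set secret      "not-for-users"   ;# in scope, but not on the allow-list

# Constructed user string: two allowed variables, one unlisted variable
# and one bracketed command (harmless here).
set user_string {Goodbye $first_names $last_name. $secret [clock seconds] Have a nice day.}

# Allow-list: only $first_names and $last_name are replaced; $secret and
# the bracketed command stay in the output as literal text.
puts [render_template $user_string \
    [list first_names $first_names last_name $last_name]]

# subst -nocommands: the bracketed command is left as text, but every
# variable visible in the calling scope is expanded, including $secret.
puts [subst -nocommands $user_string]
```

The subst man page also notes that command substitution needed to complete a variable substitution still takes place under -nocommands, which is one more reason to prefer the allow-list for text that users control.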