Urabe Shyouhei
4/23/2009 11:41:00 AM
Andrew S. Townley wrote:
> Which, of course, works. However, I'm a bit leery of doing this from a
> safety perspective, because I really don't have any control over these
> strings, and I'd prefer not to allow the execution of arbitrary Ruby
> code every time I'm trying to restore strings (I need them serialized as
> appropriately escaped quoted literals).
IMHO it is a bad idea to use String#dump when you cannot control those strings.
My recommendation is to use Marshal.dump, which also generates a string.
Adding quotes to those marshal-generated strings should be easier than safely
evaluating a dumped string.