How to allow users to submit custom email templates in Rails?

Question

Working on a Rails app that connects with eCommerce sites, occasionally sending emails from our app to customers of the eCommerce sites we work with.

Right now we have a generic email template saved in the app as a html.erb file, but we're trying to add functionality to allow these eCommerce sites (our users) to submit their own custom email templates to use for their respective customers.

My first instinct was to allow users to submit their template in a textarea form and save it in our MySQL database in a templates table. However, I'm concerned about a few things:

1. The template requires access to instance variables, meaning we'd need ERB, HAML, or some other format that is compatible with Rails instance variables in a view.
2. How would this process even work properly? I'd be taking in a textarea filled with HTML tags, content, and CSS style tags - it would then need to be converted into a giant string to save in a table. How does one convert raw HTML into a string and then back into HTML to action render the view and sent the mailer?
3. Is there a gem, or other practice to prevent all unwanted erb or Ruby code from being submitted into a user's custom template? My big worry here is a user submitting a template with <% User.destroy_all %> or some other damaging Ruby code inside.
4. Is there any easier way to implement this process than what I'm thinking? The database route is what I first thought of, but now I'm thinking it might be better to simply have our users submit their own custom templates directly to us and save them directly in the app. But this would, of course, require a user to resubmit their template any time they might want to make a change to it.

Our app uses Rails 4.1.7 And Ruby 2.1.4p265.

Answer 1

As per your needs I would go with a simple solution

• Allow the users to save a basic HTML or markdown template in the database, and let them know how to build it by telling them what variables they have to use or can use.
• Create a parser class that parses the html input and builds an valid .erb file out of it.

I'll leave the implementation up to you, but here is the example input:

<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <title>[[title]]</title>
</head>
<body>
  Hello [[username]], thank you for subscribing.

  You can get started by visiting this <a href="[[link]]">link</a>.
</body>
</html>

the parser converts [[username]] to <%= @username %>, and the result will be something like this:

<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <title><%= @title %></title>
</head>
<body>
  Hello <%= @username %>, thank you for subscribing.

  You can get started by visiting this <a href="<%= @link %>">link</a>.
</body>
</html>

To answer your concerns:

1.This is already answered above.
2.That's very easy, use .html_safe or the raw() helper function.
3.This should not be a concern because you will not run any code that's submitted by the user, since you will only allow user to give set variables that you know of. You just do a regex match not a eval().
4.This is the easiest solution I could think of.

Answer 2

One way you might approach this is to allow users to save an mjml template to the database.

Theres a mjml-rails gem that might help out.

there is a mjml-include tag that will allow you to include thigns before they are rendered. I'd imagine you can give your users a list of allowable includes, which link to the proper partial.