It is convenient to write code like this:
str = "John"
p "Welcome, #{str}"
# => "Welcome, John"
In a real Rails app, it is possible that str is intentionally written to terminate the current expression and start malicious code. How can I avoid using #{} in cases where we do need to mix a string with evaluated function values? e.g.: "Hello, #{foo(param)}".
"#{str}" is safe with this caveat: the format itself must not be user-supplied. On the other hand, the value (the evaluation of str) being interpolated in is not of (eval) consequence.
So, to make this code unsafe is actually fairly hard:
fmt = "doBadStuff()"
eval('"Welcome #{' + fmt + '}"')
Of course, the resulting string (from the initial question) must be used correctly (e.g. database placeholders or quoted correctly for HTML) to avoid standard injection vulnerabilities; but the imagined vulnerability does not exist.
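The point in the answer, as an added Ruby example that is not part of the original question or answer: a value containing `#{...}` is inert when the format is a literal, and only becomes code if the format itself is assembled from input and passed to eval. It also goes one step further and shows Kernel#format with named references as a substitute-only option for the case where the template really must come from outside. HOSTILE_VALUE is a constructed input; harmless arithmetic stands in for the answer's doBadStuff().

```ruby
# Added example; not code from the original question or answer.
# Shows why "#{value}" is safe when the FORMAT is a literal, and why it
# becomes code execution only if the format is built from input and eval'd.

# Constructed input that looks like Ruby interpolation syntax.
HOSTILE_VALUE = '#{6 * 7}'.freeze

# Safe: the format is a literal in the source. Ruby resolved its
# interpolation at parse time; the braces inside NAME are plain characters.
def greet(name)
  "Welcome, #{name}"
end

# Unsafe pattern from the answer: the format string is assembled from input
# and then evaluated. Only this path turns the braces into executed Ruby.
def greet_via_eval(name)
  eval('"Welcome, ' + name + '"')
end

# When the template itself must be user-controlled, Kernel#format with
# named references substitutes values but never evaluates code, and rejects
# unknown placeholders with KeyError instead of passing them through.
def greet_with_template(template, name)
  format(template, name: name)
end

if __FILE__ == $PROGRAM_NAME
  p greet(HOSTILE_VALUE)                                   # braces kept literally
  p greet_via_eval(HOSTILE_VALUE)                          # "Welcome, 42"
  p greet_with_template('Hello, %{name}!', HOSTILE_VALUE)  # braces kept literally
end
```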