Engine: Allow to disable/ignore `Herb::Engine::SecurityError`

[bonkrat]

herb analyze is failing on compilation errors with the following error:

Herb::Engine::SecurityError: ERB output tags (<%= %>) are not allowed in attribute position. - Suggestion: Use control flow (<% %>) with static attributes instead.

Unfortunately our project uses helpers extensively that trigger this security error. Are there any suggestions here on disabling this security error or a workaround?

[marcoroth]

Hey @bonkrat, thanks for reporting!

I think we want to keep these Herb::Engine::SecurityError on by default, but I think it's fair to also allow people to opt out, so that it will ease the adoption and improve backwards compatibility.

I'm imagining that you could put something like this in the .herb.yml file:

engine:
  security: "error"  # or "warn" or "ignore"

[jcoyne]

I suspect things like this are fairly commonplace idioms:

<div class="dark"<%= ' hidden' if index != 0 %>> ...</div>

Should this really be a security error?