What is the difference between <%== %> and <%= %> in rails? [duplicate] - ruby-on-rails

I saw this recently, thought it was interesting. But I don't really understand what it does?
Ex. I have a rails app and I want to bootstrap some json, so that I don't have to make a second request. Normally I would write something like this.
<%= raw #model.to_json %>
or
<%= #model.to_json.html_safe %>
I have to send the message raw or html_safe or the json will be html escaped and thus not parsed correctly. However, this seems to work too.
<%== #model.to_json %>
But I can't find any documentation.
Does anyone know what this does exactly? i.e. Is it the exact same as calling html_safe or raw? Or is there more to it?

<%== is equivalent to raw.
From the Ruby on Rails Guide:
To insert something verbatim use the raw helper rather than calling
html_safe:
<%= raw #cms.current_template %> <%# inserts #cms.current_template as is %>
or, equivalently, use <%==:
<%== #cms.current_template %> <%# inserts #cms.current_template as is %>

Rails actually uses Erubis instead of ERB, which supports a variety of other stuff.
<%== is exactly as you expect, though: It emits the value unescaped

Related

Why does commented-out ERB still throw errors?

I have an HTML file in this format:
html
more html
<%= valid erb %>
<!--
<%= incomplete_erb_with_bugs %>
-->
But I still get an exception page, because of the buggy ERB. But shouldn't commenting that section out cause that part not to be read by the browser? Is there another HTML method for actually preventing the browser from reading code?
Because its not commented.
But shouldn't commenting that section out cause that part not to be
read by the browser?
The browser does not execute Ruby or ERB - the server does before it sends the resulting HTML document to the browser.
ERB is ruby code imbedded in a file that contains literal text. The interpreter does not care about anything except the code in "erb tags".
This is just literal text
<%# this is a ruby line comment - the code below is executed: %>
<% bar do %>
<%= foo %>
<% end %>
The rest is just placed in the buffer. This is just like PHP or any other embedded language.
So a HTML comment (or CSS or JS for that matter) does not effect the ERB interpreter in any way. The interpreter does not really know or care that its creating HTML.
Is there another HTML method for actually preventing the browser from reading code?
The browser does not execute Ruby code. It just builds a document from whatever you send in the response.
So use a ruby comment <%#= incomplete_erb_with_bugs %> which will prevent the code from being executed - and it will never get sent to the browser.
you're commenting out html, but the ruby code inside it still gets evaluated. you need to comment out the code, which is done like this:
<%#= incomplete_erb_with_bugs %>
you need to comment the actual line, not the html surrounding it
html
more html
<%= valid erb %>
<%= incomplete_erb_with_bugs %>
you can also use if statements
<% if false %>
<%#= incomplete_erb_with_bugs %>
<% end %>

Ruby on rails raw tag inside a link_to

I have been having some problems with variables inside link_to tags, which only get to work when wrapped in a raw.
What does raw actually mean? Is it a good practice to use it to wrap strings and variables inside a tag?
From the official Rails raw documentation:
This method outputs without escaping a string. Since escaping tags is now default, this can be used when you don't want Rails to automatically escape tags. This is not recommended if the data is coming from the user's input.
It's not a good practice to use raw because it bypasses the default Rails input sanitization. Use it only if you know what you are doing.
If you need to use raw HTML inside the link to, you can also pass it as a block.
<%= link_to root_url do %>
<span>My link</span>
<% end %>
Another alternative is to use the Rails helpers which sanitizes the input.
<%= link_to content_tag(:span, "Unsafe input"), root_url %>
raw outputs without escaping the string
raw docs
Why you had problems, link_to helper accepts block as argument, you can insert any content inside link_to helper
For example:
<%= link_to 'link' do %>
<p> First paragraph </p>
<%= 'ruby string' %>
<% end %>
Will produce
<a href='/link'>
<p> First paragraph </p>
ruby string
</a>

What does <%== %> do in rails erb?

I saw this recently, thought it was interesting. But I don't really understand what it does?
Ex. I have a rails app and I want to bootstrap some json, so that I don't have to make a second request. Normally I would write something like this.
<%= raw #model.to_json %>
or
<%= #model.to_json.html_safe %>
I have to send the message raw or html_safe or the json will be html escaped and thus not parsed correctly. However, this seems to work too.
<%== #model.to_json %>
But I can't find any documentation.
Does anyone know what this does exactly? i.e. Is it the exact same as calling html_safe or raw? Or is there more to it?
<%== is equivalent to raw.
From the Ruby on Rails Guide:
To insert something verbatim use the raw helper rather than calling
html_safe:
<%= raw #cms.current_template %> <%# inserts #cms.current_template as is %>
or, equivalently, use <%==:
<%== #cms.current_template %> <%# inserts #cms.current_template as is %>
Rails actually uses Erubis instead of ERB, which supports a variety of other stuff.
<%== is exactly as you expect, though: It emits the value unescaped

RHTML displaying HTML tags on output

I have an RHTML view in Rails, where the output is coming from my MongoDB collection. The data is outputted correctly using an iteration block, but whenever I try and have HTML tags in my database, they are not rendered in the HTML output, instead they are just displayed.
<%
#posts.find().each do |post|
%>
<h1><%=post["name"]%></h1>
<p><%=post["body"] %></p>
<p><%=post["timestamp"]%></p>
<%
end
%>
But, for instance, if I had
<p>Test</p>
In my database, the tags would be rendered, instead of being printed.
This is a security precaution that is now built into Rails 3. It prevents XSS (cross-site scripting) issues.
If you add raw you'll get the output you want.
<% #posts.each do |post| %>
<h1><%=raw post["name"]%></h1>
<p><%=raw post["body"] %></p>
<p><%=raw post["timestamp"]%></p>
<% end %>
However, if you are storing user-created arbitrary HTML, I don't recommend you do this unless you are sanitizing the input prior to storing it in the database.
Edit:
Another option: Using the sanitize helper in place of raw, e.g. <%=sanitize post["name"], :tags => "p" %> to allow <p> tags.
Apart from raw and .html_safe, which give 100% trust to the user's input, you could also use sanitize to restrict only a number of tags that allowed.
<%= sanitize post["name"] $>
For the details, see: http://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html

on Rails, is there any way to output content besides the <%= %> tag?

it seems that on Rails or erb, the only way to output anything is by <%= %>
<% puts "hello" %> won't work, unlike PHP.
is there any other method at all?
concat will do:
<% concat ("wah ha ha!") %>
Reference:
http://api.rubyonrails.org/classes/ActionView/Helpers/TextHelper.html#M001710
from the source code,
<% output_buffer << "hmm" %>
will work too and it is tested... but i think this is even lower level and should be avoided.
The conventional response object does exist under the covers, and you can call response.write(str). But a large part of the beauty of RoR is that this nuts and bolts stuff is abstracted away for you, and you don't have to do it.

Resources