So I've been going through the very poor documentation that exists for ActionView, particularly a method called select_tag that just exists when called from view files. Supposedly, it's called like this:
select_tag name, option_tags, options
The documentation says nothing at all about the name, very little about the options, and describes the option_tags only through examples that treat it as an opaque value that must be obtained from other functions.
As always, the only way to learn anything about Rails is to reverse-engineer it.
So I tried running it directly from a Rails console, which is tricky because Ruby doesn't let you call methods that are defined in modules unless you create a class and an object first:
class H
include ActionView::Helpers::FormOptionsHelper
include ActionView::Helpers::FormTagHelper
end
H.new.options_for_select ["foo","bar"]
The above usage of options_for_select comes from actual code that somebody else wrote. The return value is a string:
"<option value=\"foo\">foo</option>\n<option value=\"bar\">bar</option>"
So apparently, you're supposed to pass the return value from option_for_select (or one of the many other related functions that introduce complications I don't want to talk about such as generating HTML tags from ActiveRecord objects) as the option_tag parameter of select_tag. Except if you copy that string to your clipboard and paste it directly into a function call, it doesn't do what you'd expect:
H.new.select_tag :my_name, "<option value=\"foo\">foo</option>\n<option value=\"bar\">bar</option>"
Return value:
"<select name=\"my_name\" id=\"my_name\"><option value="foo">foo</option>\n<option value="bar">bar</option></select>"
At least this reveals what the name parameter is for.
Even weirder, the text is not escaped if you pass the return value directly to select_tag without letting it print on the console:
H.new.select_tag :name, H.new.options_for_select(["foo","bar"])
Return value:
"<select name=\"name\" id=\"name\"><option value=\"foo\">foo</option>\n<option value=\"bar\">bar</option></select>"
WTF is going on here?
In the course of writing this question, I stumbled on its answer: Ruby has been lying to me (like it always does).
When you evaluate:
H.new.options_for_select ["foo","bar"]
Ruby tells you that the result was a String. But that's only because Pry and Irb both silently call .to_s on everything, and the thing that gets returned from options_for_select has a to_s. The truth:
(H.new.options_for_select ["foo","bar"]).class
=> ActiveSupport::SafeBuffer
ActiveSupport::SafeBuffer.new("<foo>")
=> "<foo>"
So whoever wrote these methods assumed that you want to incorporate raw, user-provided strings into your <select> tags, and those strings could contain attempts at HTML/JavaScript injection, so they must be escaped.
ActiveView treats all strings as suspect, but it is possible to mark certain strings as "safe" by wrapping them in an ActiveSupport::SafeBuffer.
Related
Here the a suggested pattern for using Intl.message I have seen everywhere:
final String learnMoreLabel = _learnMoreLabel; String get
_learnMoreLabel => Intl.message('Learn more',
name: 'HelpContentBase__learnMoreLabel',
desc: 'The label for a link or button which takes the user to the '
'Google Help Center to read more information on a topic.');
Why can't I just write:
final String learnMoreLabel = Intl.message('Learn more',
name: 'HelpContentBase__learnMoreLabel',
desc: 'The label for a link or button which takes the user to the '
'Google Help Center to read more information on a topic.');
Why does it need to be wrapped in the getter? I found this in the docs:
Use this for a message that will be translated for different locales.
The expected usage is that this is inside an enclosing function that
only returns the value of this call and provides a scope for the
variables that will be substituted in the message.
but it doesn't say why.
The short answer is that for that example it probably could be written that way, but it breaks down when there are parameters to the message.
What happens with Intl messages is that the a preprocessor runs over the program and finds all the occurrences of Intl.message and writes them to a file. That file gets sent for translation, and then the translations are run through another program and generate Dart code for each language, which is reachable via the messages_all.dart import.
When you call Intl.message at runtime it looks up the current locale (using the name as a key) and delegates to the appropriate translation, passing along any parameters (via the "args" argument).
When the comment says "provides a scope" it really means that the only things that are allowed to be used in the message are the variables that are provided as arguments to the enclosing function. When there aren't any arguments we could allow the enclosing function to be omitted. It would mean making the parser smart enough to recognize that pattern as well.
As an aside: I don't love the pattern of calling the method once and assigning to a final variable. It sets up a potential race condition between locale initialization and variable initialization and it means the locale can't change at runtime. However, I understand when we have frameworks like Angular that are calling it and comparing the result on every frame that it gets expensive to actually call the function every time.
Another aside: When there are no parameters you can omit the name. It will use the text as a name. When there are parameters the text is an interpolation so it can't use that as the name.
Consider this:
<%
str = "http://domain.com/?foo=1&bar=2"
%>
Now these cases:
<%=str%>
# output:http://domain.com/?foo=1&bar=2
<%=str.html_safe%>
# output:http://domain.com/?foo=1&bar=2
<%="#{str.html_safe}"%>
# output:http://domain.com/?foo=1&bar=2
<%=""+str.html_safe%>
# output:http://domain.com/?foo=1&bar=2
I need to output the URL with other strings. How can I guarantee that the ampersand will be unescaped? For reasons beyond my control I can't send &.
Please help! Pulling my hair here :\
EDIT: To clarify, I actually have an array like so:
#images = [{:id=>"fooid",:url=>"http://domain.com/?foo=1&bar=2"},...]
I am creating a JS array (the image_array var) to use in my app this way:
image_array.push(<%=#images.map{|x|"{id:'#{x[:id]}',url:'#{x[:url].html_safe}'}"}.join(",")%>);
This generates:
image_array.push({id:'fooid',url:'http://domain.com/?foo=1&bar=2'},...);
Which does not work in my specific case. I need the url without the amp; part.
When you write:
"#{foo.bar}"
this is ~equivalent to writing
foo.bar.to_s
So what you are actually doing is:
<%=str.html_safe.to_s%>
…which Rails no longer sees as being safe, and so it hits your resulting string with a round of HTML escaping.
I don't know the internals of Rails, but I assume that the html_safe method extends the string object with an instance variable flagging it as OK, but when you wrap that in another string via interpolation you are getting a new string without that flag.
Edit: To answer your needs, use raw or call html_safe on your final string:
<%=raw "foo#{str}"%>
<%="foo#{str}".html_safe%>
or in your case:
image_array.push(<%=raw #images.map{…}.join(',')%>);
image_array.push(<%=#images.map{…}.join(',').html_safe%>);
See also this question.
Use this
<%=str.html_safe.to_s%>
or
<%=raw(str)%>
give you better results
image_array.push(<%= #images.map{|x| "{id:'#{x[:id]}',url:'#{x[:url]}'}".html_safe }.join(",") %>);
what you would do to be safe is:
image_array.push(<%= #images.map { |image| image.as_json(only: [:id, :url]) }.to_json } %>)
this will escape the <, >, etc. properly like this:
[{"name":"\u003ch1\u003eAAAA\u003c/h1\u003e"}]
and for people coming here like me who want to concatenate strings, it's just not safe to do it, the best way is to concatenate tags, e.g.
content_tag(:p) do
content_tag(:span, "<script>alert(1)</script>") +
link_to("show", user)
end
will work fine and properly escape the first string
The "_path" route helper returns string not marked as html_safe.
I don't know for sure - maybe it's indeed not html safe, but when I pass something like "foo>bar" to _path helper it generates string like:
/aa/foo%3Ebar/bb
Which looks safe.
However, html_safe? for that string is false and if I pass it to template, expectedly I've got:
/aa/foo%3Ebar/bb
Which looks not so nice.
I can call .html_safe on helper output, but maybe there are some cases when _path helpers emit unsafe characters?
Anyway, I don't like the idea to call html_safe on every helper output, and hope that framework take care of that stuff.
Any thought?
This is quit usefull becaus the client may pass variables to the url and if the path would be marked as html_safe for deafult he could simply write some javascript/html/... to the url and it would be executed. That is called a Cross Site Scripting and one of the most "popular" security holes. Of cause its "only" a client side attack but it might get dangerous for your users so its better to not change this by default!
In one of my templates I want to take a closer look at the controller object using the debug() helper.
It is said to produce YAML suitable for HTML output.
Running <%= debug(controller) %> does, however, not produce anything I call readable.
It begins with:
#<ClubsController:0x104467378 #_request=#<ActionController::Request:0x104467648 #accepts=[#<Mime::Type:0x101f50f30 #synonyms=["application/xhtml+xml"],
and goes on like that...
Any ideas on how to get some info about the object?
The debug helper is primarily intended to be used with objects that provide an implementation of to_yaml (such as ActiveRecord models). If the object passed doesn't respond to to_yaml (as is the case with passing a controller object in your example) then debug gives you the result from calling inspect on that object.
I saw your comment #thenduks answer.
Actually there is a method:
controller.controller_name
that returns the name of the controller.
What's not readable about that? It's the standard ruby inspection syntax... If you really need something 'more readable' then you'll have to write a method on your controller (temporarily, most likely) that simply exposes it's instance variables in another format.
Perhaps it would help if you noted what you want to see in the controller instance.
What is this?
"#{h params[:chat_input]}"
I am referring to the hash # and the h.
Most likely this is inside a double-quoted string, such as "Ponies all love #{h params[:chat_input]}!" The #{stuff} expression causes the stuff expression to be interpreted and inserted into the string. For example "1 + 2 = #{1 + 2}" will result in the string "1 + 2 = 3".
The h is an alias to the html_escape method, which is pretty self-explanatory.
The code you paste, by itself, is just a comment. I assume the code is inside a string, though.
"hello, #{5 + 5}"
# => hello, 10
The statement inside the brackets will be evaluated as Ruby. This is called string interpolation.
The statement inside the interpolation in your code is a method that gets an argument.
h params[:chat_input]
h(params[:chat_input])
The h method is a shortcut for html_escape, which escapes HTML. For example, <span> is converted into <span>, so that the browser displays the actual contents of the string, instead of interpreting it as HTML.
html_escape(params[:chat_input])
You probably know what params is.
To sum up, you get a HTML escaped version of whatever params[:chat_input] contains.
"#{h params[:chat_input]}"
In ruby, double-quoted strings allow for expressions to be evaluated and automatically converted to strings.
I can do this:
years = 25
"John is " + years + " years old"
but I'll get an error because I can't add the number to a string.
I can do
"John is #{years} years old"
to get around that.
The h() method is a Rails helper function that removes HTML tags. It's a safety thing.
Finally, params() is a method in Rails that gives you access to GET and POST parameters. It's actually wrapping a hash GET and POST parameters are symbolized to reduce memory (symbols are only defined once, whereas a string like "foo" is a new object every time.)
So, params[:chat_input] retrieves the value from the previous request's GET or POST parameters, and in your case it looks like it's just displaying and sanitizing them.
Hope that helps!
It's just interpolating a value inside a string. The :chat_input is a symbol, it's used in place of a string because symbols are only created once.
h(something)
or
h something
since ruby does not force the use of (), is a function available in rails that converts the parameter to a "safe HTML" string avoiding interpreting the possible HTML code inside of the 'something' variable.
"#{x}"
in ruby means converting the x variable to a string and placing it in the new string for example:
"#{host}:#{port}"
will place the value of host and the value of port into the new string formed by the "", in a way that if host is "localhost" and port is 30 the result string will be "localhost:30"
params is a special rails hash that contains the post/get parameters passed to the controller method being executed
another detail is that in ruby a method always returns the last evaluated expression
so the method
def test
"#{h params[:chat_input]}"
end
will return a string that has the HTML-safe value of the post/get parameter chat_input
holy crap, is that from chat_sandbox by any chance?
if so, let me know if you need any help $)
I'm hoping to update that code here soon.