Sanitize in rails - ruby-on-rails

I want to sanitize all the Ruby variables I am using in my view. I know of the sanitize method in Rails. Is there any way to avoid writing sanitize before every variable? In other words, if I have 10 Ruby variables in a view, I have to write sanitize in front of all of them to achieve sanitisation. Is there a way such that I just have to call the method once and all the variables get sanitized?

Related

How does ruby on rails dynamically define `find_by_id`, `find_by_name` methods?

I am interested in understanding how find_by_(column_name) works.
How does Ruby on Rails dynamically define the method on calling find_by_id, find_by_name, etc?
This is the power of metaprogramming in Ruby, and more specifically the method_missing method: https://ruby-doc.org/core-2.1.0/BasicObject.html#method-i-method_missing
When you call a method on an instance of a class that is not defined in that class, method_missing catches it and you can handle it there.
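As an added illustration of the mechanism described in the answer above (this is not ActiveRecord's code, and the class, column list and rows are constructed for the example), the following minimal Record class answers find_by_<column>(value) calls through method_missing. The important detail for a security reviewer is the allowlist check: only names that match a known column are handled, everything else falls through to super and raises NoMethodError as usual, and respond_to_missing? is kept consistent with method_missing.

```ruby
# Added example, not the original answer's code: a toy find_by_<column>
# implemented with method_missing. ROWS stands in for a database table.
class Record
  # Allowlisted column names; only these may appear after find_by_.
  COLUMNS = %w[id name email].freeze

  # Constructed sample rows (no database involved).
  ROWS = [
    { 'id' => 1, 'name' => 'alice', 'email' => 'alice@example.com' },
    { 'id' => 2, 'name' => 'bob',   'email' => 'bob@example.com' }
  ].freeze

  # The real lookup; the column has already been validated by the caller.
  def self.find_by(column, value)
    ROWS.find { |row| row[column] == value }
  end

  # Catches calls such as Record.find_by_name('alice'). The column name is
  # taken from the method name and checked against COLUMNS before it is used,
  # so an arbitrary method name cannot reach the lookup.
  def self.method_missing(name, *args, &block)
    m = name.to_s.match(/\Afind_by_(\w+)\z/)
    if m && COLUMNS.include?(m[1])
      unless args.size == 1
        raise ArgumentError, "wrong number of arguments (given #{args.size}, expected 1)"
      end
      find_by(m[1], args.first)
    else
      super
    end
  end

  # Keep respond_to? in step with method_missing, otherwise Object#method
  # and respond_to? lie about which dynamic finders exist.
  def self.respond_to_missing?(name, include_private = false)
    m = name.to_s.match(/\Afind_by_(\w+)\z/)
    (m && COLUMNS.include?(m[1])) || super
  end
end
```

ActiveRecord's dynamic matchers apply the same kind of check, refusing to match attribute names that are not columns of the model; without it, method_missing would happily turn any caller-chosen name into part of a query.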

Writing Rails Templates in Pure Ruby

I have a large number of views in my Rails application that both:
Have a consistent and repeated structure, and
Involve the use of helpers that accept large hash inputs.
As such, I would like to write these views directly in Ruby (using a DSL/helpers that I would write).
How can I get Rails to allow me to write .html.rb views?
Thanks!
Add an initializer with:
ActionView::Template.register_template_handler(:rb, :source.to_proc)
Then you can write .html.rb views in ruby, they should return a String of the desired context when executed.

Calling ERB without Rails: undefined method 'raw'

I am using the ERB engine to generate an offline HTML version of a page of my Rails website. The page shows great when shown by Rails, but I have trouble generating with ERB by myself (despite using the same ERB template).
First I was getting the error undefined method 't' and I solved it by replacing all <%=t(...)%> calls with <%=I18n.translate(...)%>.
Now I get undefined method 'raw'. Should I replace all <%=raw(...)%> calls with something else? If yes, what?
raw is defined as a helper in the actionpack/action_view library, so without Rails you can't use it. But ERB templating by itself shows its output without any escaping:
require 'erb'
@person_name = "<script>name</script>"
ERB.new("<%= @person_name %>").result # => "<script>name</script>"
And because of this, for the purpose of escaping there is the ERB::Util#html_escape method (aliased as h):
include ERB::Util
ERB.new("<%= h @person_name %>").result # => "&lt;script&gt;name&lt;/script&gt;"
While @warhog's answer will work, the include isn't necessary. It adds all the ERB::Util methods to the current class, which usually isn't desired and can cause unexpected side effects (if you had another h method, for example). Instead just access the h method (or other helpers) using the ERB::Util class:
ERB.new("<%= ERB::Util.h @person_name %>").result # => "&lt;script&gt;name&lt;/script&gt;"
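Putting both answers together, here is an added, self-contained example (not code from either answer) of rendering an ERB template outside Rails with escaping done explicitly through the fully qualified ERB::Util.h, so nothing is mixed into Object. The template strings and the person name are constructed for the example; the name is deliberately hostile so the difference between the two templates is visible.

```ruby
require 'erb'

# Constructed untrusted input, e.g. a display name typed by a user.
PERSON_NAME = %q{<script>alert(1)</script> O'Brien & Sons}

# Plain ERB writes whatever <%= %> evaluates to straight into the output,
# so a Rails template's <%= raw(x) %> is simply <%= x %> here.
UNESCAPED_TEMPLATE = "<p><%= name %></p>"

# Escape at the point of output with the fully qualified helper; no
# `include ERB::Util` is needed and no `h` method leaks into the class.
ESCAPED_TEMPLATE = "<p><%= ERB::Util.h(name) %></p>"

# result_with_hash (Ruby >= 2.5) evaluates the template in a fresh binding
# whose local variables are the hash keys, so the template cannot reach
# instance variables of whatever object happens to be calling it.
def render(template, locals)
  ERB.new(template).result_with_hash(locals)
end

def unescaped_html
  render(UNESCAPED_TEMPLATE, name: PERSON_NAME)
end

def escaped_html
  render(ESCAPED_TEMPLATE, name: PERSON_NAME)
end

if __FILE__ == $PROGRAM_NAME
  puts unescaped_html
  puts escaped_html
end
```

ERB::Util.h escapes the five characters &, <, >, " and ', which is enough for text content and for double- or single-quoted attribute values; it does not make a value safe inside a <script> block or a URL, where a context-specific encoding is needed instead.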

HTML Purifier equivalent for Ruby on Rails?

Has anyone encountered an equivalent to HTMLPurifier for Rails apps? Essentially I need to clean up often terribly formed HTML generated by users before saving to the DB.
http://htmlpurifier.org/
You can use the sanitize method.
sanitize(html)
There is also a Sanitize gem.
Sanitize.clean(html)
I tend to prefer the Sanitize gem because it can be used as a before_save filter in your models instead of having to use the sanitize method in each of your views.

Rails automatically escaping HTML - how to stop it?

I'm working on upgrading an old Rails app (1.1.6) to Rails 3. Obviously, a lot has changed. One thing appears to be that Rails automatically escapes content dropped into the view. However, I have a situation where I have a helper generating IMG tags for me, and Rails is automatically escaping the resulting content.
<%= random_image('public/images/headers') %>
This results in escaped content, much like one would expect had I done this (in 1.1.6)
<%= h random_image('public/images/headers') %>
Is there a way to tell it to not escape?
<%= raw random_image('public/images/headers') %>
.html_safe
It may need to be inside the helper
There are three ways in which this can be achieved in a Rails 3 application:
html_safe
raw
h
raw and h can only be used in controllers and views; these methods are defined in helpers.
html_safe can be used anywhere in a Rails application, i.e. in models, helpers, controllers etc.
For more information please read http://yehudakatz.com/2010/02/01/safebuffers-and-rails-3-0/
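The answers above say how to switch escaping off; the check a reviewer wants is that the helper escapes the dynamic parts before the whole is marked safe. The following is an added example, not code from the question or the answers: a Rails-free version of a random_image helper in which the file name (the only untrusted piece) is escaped with ERB::Util.h, so the assembled tag is something a Rails view can safely pass through raw or .html_safe. The directory listing is constructed inline instead of being read from public/images, and its last entry simulates a hostile file name.

```ruby
require 'erb'

# Constructed directory listing. The last entry would break out of the src
# attribute if it were written out unescaped.
IMAGE_FILES = [
  'header1.png',
  'header2.png',
  %q{x.png" onerror="alert(1)}
].freeze

# Builds one <img> tag. The attribute value is escaped here, which is why the
# returned markup may be marked html_safe (or passed through raw) in a view.
# Marking a string safe that still contains raw input would reintroduce XSS.
def image_tag_for(dir, file)
  src = "/#{dir}/#{file}"
  %(<img src="#{ERB::Util.h(src)}">)
end

# Equivalent of the question's helper: pick a file at random and return the
# tag. The random source is injectable so the choice is reproducible.
def random_image(dir, files = IMAGE_FILES, rng: Random.new)
  image_tag_for(dir, files.sample(random: rng))
end

if __FILE__ == $PROGRAM_NAME
  puts random_image('public/images/headers')
  puts image_tag_for('public/images/headers', IMAGE_FILES.last)
end
```

In a Rails 3 helper the last line of image_tag_for would end in .html_safe (or the tag would be built with the framework's image_tag/tag helpers, which escape attribute values themselves); the point is that html_safe is applied to markup whose untrusted parts have already been escaped, never to the file name or any other input as a whole.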
