I want to sanitize all the Ruby variables I am using in my view. I know of the sanitize method in Rails. Is there any way to avoid writing sanitize before every variable? In other words, if I have 10 Ruby variables in a view, I have to write sanitize in front of all of them to achieve sanitisation. Is there a way such that I just have to call the method once and all the variables get sanitized?
I am interested in understanding how find_by_(column_name) works.
How does Ruby on Rails dynamically define the method on calling find_by_id, find_by_name, etc?
This is the power of metaprogramming in Ruby, and more specifically the method_missing method: https://ruby-doc.org/core-2.1.0/BasicObject.html#method-i-method_missing
When you call a method on an instance of a class that is not defined in that class, method_missing catches it and you can handle it there.
I have a large number of views in my Rails application that both:
Have a consistent and repeated structure, and
Involve the use of helpers that accept large hash inputs.
As such, I would like to write these views directly in Ruby (using a DSL/helpers that I would write).
How can I get Rails to allow me to write .html.rb views?
Thanks!
Add an initializer with:
ActionView::Template.register_template_handler(:rb, :source.to_proc)
Then you can write .html.rb views in Ruby; they should return a String of the desired content when executed.
I am using the ERB engine to generate an offline HTML version of a page of my Rails website. The page displays fine when rendered by Rails, but I have trouble generating it with ERB by myself (despite using the same ERB template).
First I was getting the error undefined method 't' and I solved it by replacing all <%=t(...)%> calls with <%=I18n.translate(...)%>.
Now I get undefined method 'raw'. Should I replace all <%=raw(...)%> calls with something else? If yes, what?
raw is defined as a helper in the actionpack/action_view library, so you can't use it without Rails. But ERB templating shows its output without any escaping:
require 'erb'
@person_name = "<script>name</script>"
ERB.new("<%= @person_name %>").result # => "<script>name</script>"
And because of this, for the purpose of escaping there is the ERB::Util#html_escape method:
include ERB::Util
ERB.new("<%= h @person_name %>").result # => "&lt;script&gt;name&lt;/script&gt;"
While @warhog's answer will work, the include isn't necessary. It adds all the ERB::Util methods to the current class, which usually isn't desired and can cause unexpected side effects (if you had another h method, for example). Instead, just access the h method (or other helpers) through the ERB::Util module:
ERB.new("<%= ERB::Util.h @person_name %>").result # => "&lt;script&gt;name&lt;/script&gt;"
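An added example (my own code, not from the answers above) contrasting the two cases: plain ERB inserts a value verbatim, while ERB::Util.h escapes it. TemplateContext is a hypothetical helper class that exposes h to templates without mixing ERB::Util into unrelated classes, which is the point of the answer above.

```ruby
require 'erb'

# Constructed sample: a user-supplied value containing markup.
PERSON_NAME = "<script>alert(1)</script> Tom & Jerry".freeze

# Plain ERB: <%= %> inserts the value verbatim, with no escaping at all.
def render_unescaped(name)
  ERB.new("<p><%= name %></p>").result(binding)
end

# Escape explicitly through ERB::Util.h (alias of html_escape) instead of
# mixing ERB::Util into the calling class.
def render_escaped(name)
  ERB.new("<p><%= ERB::Util.h(name) %></p>").result(binding)
end

# A small rendering context (hypothetical, not part of ERB or Rails) that
# exposes only h to templates, so the helper does not leak into other classes.
class TemplateContext
  def initialize(locals)
    locals.each { |key, value| instance_variable_set("@#{key}", value) }
  end

  def h(value)
    ERB::Util.html_escape(value)
  end

  # Render against this object's binding: the template sees the instance
  # variables set above plus the h helper, nothing else.
  def render(template)
    ERB.new(template).result(binding)
  end
end

def render_with_context(name)
  TemplateContext.new(person_name: name).render("<p><%= h @person_name %></p>")
end

if __FILE__ == $PROGRAM_NAME
  puts render_unescaped(PERSON_NAME)    # markup reaches the page unchanged
  puts render_escaped(PERSON_NAME)      # markup is neutralised
  puts render_with_context(PERSON_NAME) # same result, helper scoped to the context
end
```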
Has anyone encountered an equivalent to HTMLPurifier for Rails apps? Essentially I need to clean up often terribly formed HTML generated by users before saving to the DB.
http://htmlpurifier.org/
You can use the sanitize method.
sanitize(html)
There is also a Sanitize gem.
Sanitize.clean(html)
I tend to prefer the Sanitize gem because it can be used as a before_save filter in your models instead of having to use the sanitize method in each of your views.
I'm working on upgrading an old Rails app (1.1.6) to Rails 3. Obviously, a lot has changed. One thing appears to be that Rails automatically escapes content dropped into the view. However, I have a situation where I have a helper generating IMG tags for me, and Rails is automatically escaping the resulting content.
<%= random_image('public/images/headers') %>
This results in escaped content, much like one would expect had I done this (in 1.1.6):
<%= h random_image('public/images/headers') %>
Is there a way to tell it to not escape?
<%= raw random_image('public/images/headers') %>
.html_safe
It may need to be inside the helper
There are three ways in which this can be achieved in a Rails 3 application:
html_safe
raw
h
raw and h can only be used in controllers and views, as these methods are defined in helpers.
html_safe can be used anywhere in a Rails application, i.e., in models, helpers, controllers, etc.
For more information please read http://yehudakatz.com/2010/02/01/safebuffers-and-rails-3-0/