I need to allow users the ability to create lessons, which consist of HTML and form elements. I want them to be able to take advantage of Rails' form helpers and general Ruby code to, for example, decide where and how to display error content. I realize there are security issues with giving them access to execute Ruby code, but I'll have to deal with that later if users will share deployments.
So it seems I should store the ERB files in the database and somehow call them with <%= render content_from_database %>. Is this possible? Will I affect Rails caching in some way?
Using latest Rails with Heroku (no writing to filesystem).
You should take a look at the Liquid template language
From their tagline:
Ruby library for rendering safe templates which cannot affect the security of the server they are rendered on.
I have an existing project in Ruby on Rails.
What is the best way to use AngularJS in Ruby on Rails app?
I want to use AngularJS only for specified modules, not to create an SPA. Is this a good way?
What I have seen colleagues do in order to achieve this sort of integration with an existing rails app is:
Include angular.js and relevant dependencies in the specific app pages that are to be 'angularized'
Interpolate whatever data is needed to bootstrap the angular controller into the html template which contains the angular app. This might include data about the resource being operated on. I've seen this done by rendering a RABL template inside of a haml/erb template.
Using that interpolated data, call whatever API methods you need to get additional data on the fly. This is usually just a matter of implementing json handlers for routes you've already created.
I can't say whether this is best practice, but it's an easy way to get started fast.
Best of luck, angular is a very enjoyable tool to work with once you get used to it.
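The second step above (interpolating bootstrap data into the HTML template) has one pitfall worth seeing in code: JSON written into a <script> block is only safe if "<", ">" and "&" are escaped, otherwise a value containing "</script>" closes the element early. The following is an added example, not code from the answer above; `json_for_script`, `PAGE_TEMPLATE` and the sample resource are constructed for illustration, and the template is plain ERB from the Ruby standard library rather than a Rails or RABL view.

```ruby
require "erb"
require "json"

# Serialize a Ruby hash to JSON that can sit inside a <script> element.
# JSON.generate leaves "<", ">" and "&" untouched, so a value containing
# "</script>" would terminate the script block; replacing those characters
# (and the JS line terminators U+2028/U+2029) with \u escapes keeps the JSON
# valid and the surrounding HTML intact. Rails' to_json does the same by
# default via ActiveSupport's escape_html_entities_in_json setting.
def json_for_script(data)
  JSON.generate(data).gsub(/[<>&\u2028\u2029]/) { |c| format("\\u%04x", c.ord) }
end

# Constructed page template standing in for a haml/erb view: the bootstrap
# data is written into a global that the Angular controller reads on load.
PAGE_TEMPLATE = <<~ERB
  <!DOCTYPE html>
  <html>
  <head>
    <script src="/assets/angular.js"></script>
    <script>
      window.BOOTSTRAP = <%= json_for_script(bootstrap) %>;
    </script>
  </head>
  <body ng-app="lessons" ng-controller="LessonCtrl"></body>
  </html>
ERB

# Render the page with the given bootstrap hash (hypothetical helper).
def render_page(bootstrap)
  ERB.new(PAGE_TEMPLATE).result_with_hash(bootstrap: bootstrap)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample resource whose title contains a closing script tag;
  # after escaping it stays inside the JSON string literal.
  resource = { id: 42, title: "Lesson </script> notes", api: "/lessons/42.json" }
  puts render_page(resource)
end
```

The escaped JSON still parses to the original values on the client, so the Angular controller sees the real title; only the wire representation changes.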
I was using Backbone standalone for some time, but currently I am trying to integrate it with Rails. Until now I have used underscore templates, and the question is whether it is possible to use Rails view helpers inside the template, and whether it is a smart thing to do at all.
Update: Here is a simple example of what I am talking about.
I have a list of messages and a MessageView for each message. I want to render the avatar thumbnail of the message author, a link to his profile, and a description of when the message was posted. I also use markdown for the message content. With underscore templates I don't have access to the helpers to achieve this, so I am forced to create methods on the model itself, which feels really wrong...
You should take a look at the EJS Embedded JavaScript Framework, which provides rails-like standard view helpers like link_to, url_for, and other form tags.
Of course, you will have to translate your custom Rails templates into JS, but it's a start!
I ran into the same problem where I wanted to reuse my templates between Backbone and Rails. I ran into stache before: https://github.com/agoragames/stache
You can read more about the setup here: http://slainer68.wordpress.com/2011/09/20/partial-reuse-between-rails-js-the-easy-way/
Right out of the box, your underscore templates are pure javascript, so, in that sense, you can't really embed rails helpers into them. You can, however, make those templates ejb's (or whatever templating system you use) and have rails render them. With so little information, it's impossible to figure out what your app does, but it does feel weird to me to do that. I think, typically, your javascript templates are used for rendering html on the host side after some js functionality. Maybe a better description of what you are trying to accomplish?
Update ...
So you have some set of relationships between messages and authors in your rails models correct? You'd do a similar thing in your backbone models. So, you've got a User model, and a Message model. User has_many Messages, and Message has_one User. You can model that out in backbone as well... see my answer here:
Backbone set collection attribute (for the url)
You just need to describe the relationship on the backbone side.
I'm looking to code a rails app that will only display an index page. It will not use any database access. All functionality will be implemented using one controller and javascript. What's the minimum number of files and directory structure needed for an app like this?
If that is all you want, why Rails?
Rails is a very complex framework that gives you a bunch of functionality at your fingertips. But if you specifically say you won't be using any of it (only one controller, so no routes to worry about, no database, so no models either, only one page, so layouts are meaningless...), why not just write a Sinatra app?
With Sinatra, you can write everything in one Ruby file. If you really want to, you can even pack all the templates in it, but that's overdoing it a bit. Thus, I'd say, 1 .rb, 1 or more templates (if you use partials), 1 .js and 1 .css.
I want to make a CMS where I can edit the view and css files online in my browser.
How can it be done? Does everything have to be in a database?
Generally Stack Overflow is not for research, it's for problem solving. That said…
No, your editable assets do not have to be in a database for this to work.
But you want them to be anyways; allowing write access to the files in your application isn't the best approach.
The rendering chain of Rails 3 allows you to sub in your own view parser and add a path to the built in view-finding that you can trick into loading from a database relatively easily.
Having your end users write in something like Liquid templates will save you a lot of work and allow this to happen with relative ease. They won't have access to unsafe Ruby methods, and you won't have to go through all the work of sandboxing them in Ruby.
CSS has fewer security implications, so you can fairly easily store raw CSS in the database and allow your users to edit it to their liking and then serve it up with a request to a stylesheets/:user_id/style.css request (with some heavy caching, like with Varnish, to save your application from being murdered).
Hopefully that'll get you started out in the right direction. If you decide to hook into the rendering stack in Rails I strongly suggest you pick up a copy of Crafting Rails Applications — one of the handful of example applications it walks you through does just that at a fairly granular level.
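Both the ERB-in-the-database question at the top of the page and the CMS answer above come down to the same point: an ERB template is Ruby code, so a template a user can edit is code the user can run in your app process, whereas a restricted language like Liquid only substitutes values you hand it. The block below is an added example, not Liquid's code and not from either answer: `render_safe` is a hypothetical, minimal renderer in Liquid's spirit (only `{{ name }}` and `{{ name | filter }}` are understood, values come from an explicit hash, output is HTML-escaped), `LESSONS` stands in for templates stored in a database table, and the ERB call uses a harmless expression to show that it is evaluated at all.

```ruby
require "erb"
require "cgi"

# ERB from the standard library: anything inside <%= %> is evaluated as Ruby
# with the full privileges of the process, which is why a user-authored ERB
# template is equivalent to letting that user run code on the server.
def render_erb(template, vars)
  ERB.new(template).result_with_hash(vars)
end

# Filters a template author may apply; each takes a value and returns text.
# The table is closed: a filter name not listed here renders as empty text.
SAFE_FILTERS = {
  "upcase"   => ->(v) { v.to_s.upcase },
  "downcase" => ->(v) { v.to_s.downcase },
  "size"     => ->(v) { v.respond_to?(:size) ? v.size.to_s : "" }
}.freeze

# Hypothetical safe renderer (not Liquid's code): the only syntax is
# {{ name }} or {{ name | filter }}. Variables come from the hash the
# application passes in, unknown names and filters render as "", and every
# substituted value is HTML-escaped. Everything else in the template,
# including any <%= %>, is emitted as literal text and never evaluated.
def render_safe(template, vars)
  template.gsub(/\{\{\s*(\w+)\s*(?:\|\s*(\w+)\s*)?\}\}/) do
    name, filter = Regexp.last_match(1), Regexp.last_match(2)
    value = vars.fetch(name, "")
    value = SAFE_FILTERS.fetch(filter, ->(_) { "" }).call(value) if filter
    CGI.escapeHTML(value.to_s)
  end
end

# Constructed in-memory stand-in for a lessons table holding user templates.
LESSONS = {
  1 => "<h1>{{ title }}</h1><p>Hello {{ name | upcase }}!</p>",
  2 => "<p>{{ title }}</p><%= 6 * 7 %>"
}.freeze

# What a controller would call instead of render content_from_database.
def render_lesson_from_db(id, vars)
  render_safe(LESSONS.fetch(id), vars)
end

if __FILE__ == $PROGRAM_NAME
  puts render_erb("<%= 6 * 7 %>", {})                   # ERB evaluates: 42
  puts render_lesson_from_db(2, "title" => "<b>x</b>")  # <%= %> stays literal
end
```

In a real deployment the Liquid gem replaces `render_safe`; the design property to keep is the same, though: the template language has no way to reach arbitrary Ruby, and the application decides exactly which values and filters are exposed.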
I'm currently in the process of writing my first Rails app. I'm writing a simple blog app that will allow users to comment on posts. I'm pretty new to Rails, so I'm looking for a bit of guidance on how to address security concerns with user input.
On the front end, I am using TinyMCE to accept user input. It is my understanding that TinyMCE will strip out any suspicious tags (e.g. <script>) from user input before posting to the server. It seems that this could be bypassed by disabling JavaScript on the page, allowing a user to have free rein in the text area. TinyMCE recommends using JavaScript to create the textarea. Therefore if the user disables JavaScript, there will be no text area. Is this the standard solution? It seems like a bit of a hack.
On the back end, what is the best way to strip out malicious code? Would I want to put some sort of validation in the create and update methods inside my comments controller? Is there some functionality built into Rails that can assist with this?
When displaying the information back out to the user, I'm assuming that I don't want to escape the HTML markup (with <%= h *text*%>), because that's how it's stored in the back end. Is this bad practice?
I'm generally a big fan of cleaning out the data prior to popping that stuff into the database. This is a debatable practice, but I usually lean toward this.
I use a modified version of the old white_list plugin to not strip out the html, but to convert anything I do want into a safer format.
<tag>
becomes
&lt;tag&gt;
This way I'm not really altering the content of the submission.
There are some plugins that specifically handle sanitization using a white/black list model.
http://github.com/rgrove/sanitize/ # Have not used, but looks very interesting
http://github.com/imanel/white_list_model # Used, not bad
There is also act_as_sanitized, but I have no real info on that.
And of course using the h().
Your suspicions are justified, but the creation of a text area in javascript won't make you any less vulnerable. A user could always use something like curl to force a form submission without ever visiting your site through a web browser.
You should assume that a user can post malicious scripts into the comments, and escape it on the frontend. Using <%= h(...) %> is one way to do it, or you can use the sanitize method in the same way. It will strip any scripts and escape all other html except for a few common tags that aren't harmful. Documentation for sanitize.
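The two answers above describe the same defensive posture from opposite ends: nowk's white_list approach converts tags to a safe form on the way in, while the second answer escapes on the way out and points out that a form can be submitted with curl, so anything TinyMCE strips in the browser has to be stripped again on the server. The block below is an added example, not code from either answer, the white_list plugin, or Rails: `h` is a plain-Ruby equivalent of the Rails helper, `allowlist_filter` is a hypothetical, deliberately small tag allowlist, and `COMMENTS` is constructed sample input standing in for rows in the comments table.

```ruby
require "cgi"

# Escape-on-output, the same transformation Rails' h() performs: "<", ">",
# "&" and quotes become entities, so stored markup reaches the browser as
# text, never as elements. Works regardless of how the comment was posted.
def h(text)
  CGI.escapeHTML(text.to_s)
end

# A small set of formatting tags that may pass through, and only when they
# carry no attributes at all (so no event handlers, no href/src).
ALLOWED_TAGS = %w[b i em strong p br].freeze

# Matches one tag-shaped token: optional "/", a name, then anything up to ">".
TAG = %r{<(/?)([a-zA-Z][a-zA-Z0-9]*)([^<>]*)>}

# Hypothetical allowlist filter in the style of white_list: allowed tags are
# re-emitted in normalized form, every other tag (and any allowed tag that
# has attributes) is escaped so it displays literally, and all text between
# tags is escaped. A stray closing tag for an allowed element may get through
# unbalanced, which affects layout but not script execution.
def allowlist_filter(html)
  html = html.to_s
  out = +""
  pos = 0
  html.scan(TAG) do
    m = Regexp.last_match
    out << h(html[pos...m.begin(0)])             # text before this tag
    slash, name, attrs = m[1], m[2].downcase, m[3].strip
    if ALLOWED_TAGS.include?(name) && attrs.empty?
      out << "<#{slash}#{name}>"                 # allowed, attribute-free
    else
      out << h(m[0])                             # everything else: as text
    end
    pos = m.end(0)
  end
  out << h(html[pos..])                          # trailing text
  out
end

# Constructed comment bodies as they might arrive from a form or from curl.
COMMENTS = [
  "Nice <b>post</b>!",
  "<script>evil()</script> a < b",
  "<b onmouseover=\"evil()\">bold</b> <img src=x onerror=evil()>"
].freeze

# What the comments view would emit: one list item per stored comment.
def render_comments
  COMMENTS.map { |c| "<li>#{allowlist_filter(c)}</li>" }
end

if __FILE__ == $PROGRAM_NAME
  puts render_comments
end
```

For production use the real `sanitize` helper (backed by a proper HTML parser) is the right tool, since a regex tokenizer like this one cannot reason about nesting or malformed markup; the point the example fixes in place is that the decision happens on the server, on every render, with an allowlist rather than a blocklist.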
In addition to nowk's suggestions there is also the xss_terminate plugin. I have been using it in some of my applications. I found it to be easy to use, it needs almost no configuration, and has been working like a charm.