Rails 3 HTML Injection - ruby-on-rails

Currently following the Learning Rails Screencasts at http://www.buildingwebapps.com/learningrails, making any necessary changes to work in Rails 3. However, in the tenth episode, I'm having a problem when rendering html code out of the database. The Page model in the tutorial has a body field, where the html of each page is put. The viewer controller's 'show' method grabs a Page from the database, and yields the contents of #page.body into the view. However, instead of rendering tags such as h1 properly, when I view the html source in the browser my tags are being rendered as <h1;#gt. Is there any way I can fix this?
Just for reference, my 'show' view is as follows:
<%= #page.body %>

Try this:
<%= raw(#page.body) %>
Raw method prevents escaping HTML characters.

Related

While working on somehat large codebase how do you find which rails partial rendered particular part of html?

On a codebase with a large number of views I want to see which Rails partial rendered a portion of html on the page.
I, for example, am working on some part of a page and want to find out what partial rendered that so I can modify it there, I need to check the class of that HTML tag if it has any and go through the source code and find the corresponding partial. Is there an easy way to directly get to the source partial with output HTML annotated with source prtials?
You could always add a custom css class, and then find it in the rendered html. For example, in your Ruby code you could do something like
content_tag(:p, "Hello", class: "test-foo")
Then in your html, find the element with that css class
<p class="test-foo">Hello</p>

Div tag issue in partial form

I've used div id tag, which used to give me drop down in index.html it worked fine, and when I used it in partial form the div part is not working.
I've used JavaScript and Ajax as well.
The code is like this..
<div title="Show More" class="show_more"></div>
If the issue is after adding a partial it is possible your code needs the addition of
locals:
or
collection:
See this post for more info on how to Pass a variable into a partial, rails 3?
the javascript was not being called, so I had to use it again in my partial form and it worked.

Keeping track of which view a partial is called from

I call the same partial from multiple views in Rails, the show page and the edit page. How can I keep track of which view the partial is called from? More specifically, I would like to adapt the partial slightly depending on which page it is rendered from. I have tried to request the uri using url_for(:only_path => true) and if-else statements to determine if the partial is rendered on the show or edit page, but this is a bit cumbersome. Is there a better approach?
you can try to use current_page? helper, i.e. if current_page?(root_path)
We put this in our application.html.erb template which shows the current controller, view and more debug information:
<%= debug(params) if Rails.env.development? %>
I think we got this from the Rails site:
http://guides.rubyonrails.org/debugging_rails_applications.html

Including a .text.erb partial in a .html.erb template? (Invoice)

I'm porting an application to Rails 3.
We're an e-commerce site and naturally we send copies of tax invoices by email. We use plain text, so a .text.erb seems logical.
We also display invoices in an area of the user profile, inside <pre></pre> tags. Is there are way I can share a partial between plain text mailer templates, and views in HTML? If I try to render "shared/invoice" inside my HTML ERB template, it says the partial doesn't exist, and that's because it's a .text.erb partial.
What are my options, without duplicating code?
I haven't tried this in Rails 3, but in Rails 2 you could specify the format of the partial. Might be worth giving it a go on Rails 3.
render :partial => "shared/invoice.text.erb"

Rendering a partial within "<code" or "<pre>" tags with jQuery and Rails

I am working on a simple Rails/jQuery HTML templater app which stores a series of pre-designed templates in a database (at the moment I've just saved these as partials to get the basic concept working) and on clicking 'Show code' alongside any one of these template records, a js.erb script should place the corresponding partial within 'pre' tags dynamically via JS on that page so the user can see the raw html code.
At the moment it's working but I get the rendered html coming back and not the raw HTML that I'm looking for. Here's the js:
$("div#template-view").html("<pre><code><%= escape_javascript( render :partial => "core_template") %></code></pre>");
So pray tell, what obvious thing am I missing!? :-)
Thanks
Allan
Use
$("div#template-view").text("...")
instead. This will not parse the code
The pre tag will show source code (or any text) in a reasonable approximation to it's original state, but it won't escape html for you. Unescaped html will always be rendered as html regardless of what tag it happens to be in. By escaped i mean that all the special characters are converted to their escaped versions. The rails method h will do this for you, so if you call h with the results of calling escape_javascript then it should work fine.
$("div#template-view").html("<pre><code><%= h(escape_javascript(render :partial => "core_template")) %></code></pre>");

Resources