Rails automatically escaping HTML - how to stop it? - ruby-on-rails

I'm working on upgrading an old Rails app (1.1.6) to Rails 3. Obviously, a lot has changed. One thing appears to be that Rails automatically escapes content dropped into the view. However, I have a situation where I have a helper generating IMG tags for me, and Rails is automatically escaping the resulting content.
<%= random_image('public/images/headers') %>
This results in escaped content, much like one would expect had I done this (in 1.1.6)
<%= h random_image('public/images/headers') %>
Is there a way to tell it to not escape?

<%= raw random_image('public/images/headers') %>

.html_safe
It may need to be inside the helper

There are three ways in which this can be achieved in a Rails 3 application:
html_safe
raw
h
raw and h can only be used in controllers and views; these methods are defined in helpers.
html_safe can be used anywhere in a Rails application, i.e. it can be used in models, helpers, controllers etc.
For more information please read http://yehudakatz.com/2010/02/01/safebuffers-and-rails-3-0/

Related

How is <%= form_tag ... do %> implemented?

I'm trying to figure out how you can herald a Ruby block in a <%= ... %> emitter.
No problem with the '<% form_tag do %>' part, but as I dig into Rails internals
and see how it uses erb to process templates, the generated Ruby code is invalid,
due to that hanging 'do'. Is there a post-processor hiding in Rails somewhere that
straightens out the code before running it? If yes, where is it? If no, how does
Rails pull HTML and Ruby code out of this form?
Rails added a hack which uses a regular expression to figure out if what is passed to erb is a block expression and then handle it differently.
For a more detailed explanation: http://timelessrepo.com/block-helpers-in-rails3

Rails - javascript injections

I'm using Rails 3 and Ruby 1.9.2. I'm not doing anything special when I'm displaying the content of my post, I'm just doing
<%= @post.content %>
When I add
"<script language='javascript'>alert('test');</script>"
to my post form, of course it executes the JavaScript alert!
I tried adding the html_safe both before saving and before displaying, but it didn't fix anything.
If I have to add any security code, will I have to add it before saving the post or before displaying it? I heard that Rails 3 was doing it itself, so I didn't bother too much about security, but I guess there are still some main things to be careful with.
Rails 3 is quite strict about escaping anything you put into your view, but in Rails 2 and earlier it was your responsibility to do this. You have to escape everything using the h helper method:
<%= h(value) %>
When building an application that accepts arbitrary user input you must be certain you are escaping anything and everything that shows up in the view.
Are you using Rails 3? The javascript stuff should automatically be escaped.
But for more info on preventing XSS, I'd just look at Ryan Bates' RailsCasts.
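The accepted answer to the main question (html_safe, raw, h) and this post-content thread come down to one mechanism, so the following added example serves both. It is not code from either thread or from Rails itself: a small stand-in for Rails 3's SafeBuffer built only on Ruby's standard library (ERB::Util.html_escape), showing that h escapes untrusted strings, that raw and html_safe only flip a trust flag and sanitize nothing (which is why html_safe "didn't fix anything" above), and how a helper like the question's random_image (modelled here as image_tag_for, with a constructed directory and filename) should escape its attribute values before marking the assembled tag safe.

```ruby
# Added example: a minimal stand-in for Rails 3's ActiveSupport::SafeBuffer
# built on Ruby's standard library alone. It is not Rails code; the method
# names mirror the Rails API only where the thread names them
# (h, raw, html_safe, html_safe?). image_tag_for stands in for the
# question's random_image helper, with a hypothetical directory and filename.
require 'erb'

# A string the template engine trusts and emits verbatim.
class SafeString < String
  def html_safe?
    true
  end
end

class String
  # Plain strings are untrusted: the output buffer will escape them.
  def html_safe?
    false
  end

  # Flips the trust flag. Nothing is sanitized here; whatever markup the
  # string already contains will reach the browser unchanged.
  def html_safe
    SafeString.new(self)
  end
end

# h: escape unless already trusted. In Rails 3 every <%= %> passes through
# this implicitly, which is why the question's helper output got escaped.
def h(value)
  # String#to_s on a subclass returns a plain String, so only call it on
  # non-strings to avoid silently dropping the trust flag.
  s = value.is_a?(String) ? value : value.to_s
  s.html_safe? ? s : ERB::Util.html_escape(s).html_safe
end

# raw: emit as-is, trusted or not.
def raw(value)
  value.to_s.html_safe
end

# Models the ERB output buffer: every fragment is appended through h.
def render(*fragments)
  fragments.map { |f| h(f) }.join
end

# The safe way to write the helper from the question: escape each attribute
# value (the filename may come from disk, an upload or a URL), then mark only
# the assembled tag as trusted. Directory path and filename are constructed.
def image_tag_for(filename, dir = 'public/images/headers')
  src = ERB::Util.html_escape("#{dir}/#{filename}")
  alt = ERB::Util.html_escape(File.basename(filename, '.*'))
  %(<img src="#{src}" alt="#{alt}" />).html_safe
end

# Constructed user input, taken from the post-content thread.
POST_CONTENT = "<script language='javascript'>alert('test');</script>".freeze

if __FILE__ == $0
  puts render(POST_CONTENT)              # auto-escaped: rendered as harmless text
  puts render(raw(POST_CONTENT))         # raw: the script tag reaches the browser
  puts render(POST_CONTENT.html_safe)    # html_safe on user data: same result
  tag = image_tag_for('banner "fall" & winter.png')
  puts render(tag)                       # helper output emitted intact
  puts render(tag.to_s)                  # trust flag lost: tag is double-escaped
end
```

The last line of the demo is the situation from the main question: the helper builds correct markup but returns a plain String, so the buffer escapes it again. Marking the finished tag html_safe inside the helper fixes that without ever marking user-supplied text as trusted.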

Async update of HTML element in Rails 3.1

I'm trying to update my DIV asynchronously. In Rails 2.3.8 I found remote_form_tag, where I could specify the attribute :update => "DIV_TO_UPDATE". As I understood it, it was an easy way to update an HTML element asynchronously, because the developer didn't have to write JavaScript code!
But remote_form_tag was removed in Rails 3, and the methods form_for and form_tag don't have attributes like :update. So I wonder if there is a way to do it in Rails 3.1?
PS: I know how to do it with a little JavaScript (or CoffeeScript) code; I'm looking for a way without JS code at all.
I believe link_to_function is what you're after: http://apidock.com/rails/ActionView/Helpers/JavaScriptHelper/link_to_function
You can cheat by redirecting to the same url, if you'd like. It's an expensive operation. (You're just reloading the page, really.)
Horrible, I know. But it's what I did. I'm not very proud. :-(

In Rails, how to write a helper function "who_am_i" so that a view or partial can use it to report which file it is?

When designing for layout and styling with CSS, it might be useful to add a line in the view or partial:
<%= who_am_i %>
or if using haml:
= who_am_i
so that it will print on the webpage
this is view/products/_footer.html.haml
How can this helper be written? (or is there one already in Rails?)
(my first try was to use __FILE__ and do some manipulation with string, and it works well if everything is done inside the view or partial file, but when it moves to helper, then __FILE__ becomes helpers/application_helper.rb so it won't work. But I'd like to find out possibly better ways to do it)
Your helper method should be:
def who_am_i
  @template.template
end
Rails 3:
def who_am_i
  @_virtual_path
end
Note:
I tested the solution in Rails 3.0.5 and it works. I am not certain that it will work in all scenarios. Use with caution.

Issue with Haml files

Hi, I'm converting Rails views from ERB to Haml. The issue I face is that when I use form_for, Haml throws the UNEXPECTED $end error. I am sure I did the space indentation well within form_for. Even if I use an "each do" loop it says the same error. If I revert the Haml to ERB it works fine.
Rails version I used: 2.3.2, and I installed haml gem 2.2.19 as well as the haml plugin.
my controller code :
def new
  @user = User.new
end
My View code :
.contentContainer.signup
  - form_for(@user) do |f|
Make sure your haml indentation is perfect.
.contentContainer.signup
  - form_for(@user) do |f|
    = f.text_field :name
Are you including - end in your templates? Haml takes care of ends for you, so if you add your own, it won't work.
Can you paste your entire template (in a code block, so it's formatted properly)?
There's also a good command-line tool to make transition easier: html2haml. It doesn't always produce the prettiest haml, but it certainly works.
Hey, there's even a web-based form for this: http://html2haml.heroku.com/
Generally, be sure your indentation is perfect. haml is very particular about indentation. If you use a decent editor (such as textmate or vim) this is an easy task.
If the last line in the file is indented there has to be an additional, empty line.