Rails 3 unwanted html escaping - ruby

I am converting my fat Rails 2 application to run on Rails 3. After a long, intense fight with an army of bugs and my boss's yells, the page is all rendered as an escaped HTML string. So all the divs, images etc. are written literally for the user.
For some reason this call of a partial renders an escaped string
<%= render :partial => 'something_really_interesting' %>
As in all Ruby on Rails applications, this instruction is not called very much! So how would I handle all these calls so that they render normally, not as an escaped string?

Use <%= raw bla %> inside the partial file.
http://github.com/rails/rails/blob/3270c58ebb3143b3ab3b349fe339cdd4587468ee/actionpack/lib/action_view/helpers/raw_output_helper.rb#L13
Rails 3 automatically makes everything safe. You need to put raw to escape the behavior. That also means you don't have to use the h() method to make your string safe any more.

Related

Why do we use html_safe?

Unable to understand why we use html_safe rather than the conventional HTML to be rendered.
def group(content)
  html = "".html_safe
  html << "<div class='group'>".html_safe
  html << content
  html << "</div>".html_safe
  html
end
I agree html_safe doesn't make much sense in this example because content_tag would be much shorter, easier to read and would automatically escape the user input:
def group(content)
  content_tag(:div, content, class: 'group')
end
In Rails HTML ERB templates, strings passed into it are HTML escaped (to prevent Cross Site Scripting, which is injecting HTML code into your string so that attackers can execute JavaScript on visitors of your site). However, sometimes we know that our string is safe for HTML and don't want it to be escaped so that the HTML can actually be rendered. We do this by calling .html_safe on a string to mark it as being safe for HTML rendering. You generally want to avoid using this as much as possible since it makes it easier to make a mistake and cause XSS to be a possible attack on your site.
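As an added example that is not from the original answers: a small stand-in for Rails' ActiveSupport::SafeBuffer (html_escape, SafeBuffer and the sample input are this example's own names) that runs the group(content) helper from the question against a script tag, once as a plain String and once wrongly marked html_safe; the raw helper in the first question above flips the same switch.

```ruby
# Minimal stand-in for Rails' SafeBuffer; names are this example's own.
ESCAPES = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
            '"' => '&quot;', "'" => '&#39;' }.freeze

# Escape the five characters that matter in HTML text and attribute values.
def html_escape(str)
  str.to_s.gsub(/[&<>"']/, ESCAPES)
end

# Like ActiveSupport::SafeBuffer: anything appended that is not already
# marked safe is escaped on the way in; the buffer itself counts as safe.
class SafeBuffer < String
  def html_safe?; true; end

  def <<(other)
    safe = other.respond_to?(:html_safe?) && other.html_safe?
    super(safe ? other : html_escape(other))
  end
end

class String
  def html_safe?; false; end

  # Mark this string as trusted markup (no escaping when appended).
  def html_safe; SafeBuffer.new(self); end
end

# The helper from the question, unchanged: only the wrapper markup is trusted.
def group(content)
  html = "".html_safe
  html << "<div class='group'>".html_safe
  html << content
  html << "</div>".html_safe
  html
end

# Constructed user input: a tag that must reach the browser as text, not markup.
USER_INPUT = "<script>alert(1)</script>"

# Plain String: the buffer escapes it, so the tag is rendered as text.
def group_escaped
  group(USER_INPUT)
end

# The mistake the answer warns about: calling html_safe on untrusted input
# tells the buffer to trust it, and the tag goes through verbatim.
def group_unescaped
  group(USER_INPUT.html_safe)
end
```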

Middleman not rendering markdown and erb

I'm working on a project using Middleman. In one of the pages (videos.html.markdown.erb), I'd like to add partials working with both markdown and Middleman helpers.
<h3><%= video.title %> : Récit de tournage</h3>
<%= partial "partials/shootandlook1" %>
</div>
It works fine except that the Markdown is not being converted into HTML... :-(
I named my partial _shootandlook1.html.markdown.erb and my page videos.html.markdown.erb.
I really don't understand what I did wrong... Could someone please help me?
The whole source code is here.
Many, many thanks in advance!
This should work fine if you name your page template file videos.html.erb, and name your content partial _shootandlook1.md.
The Markdown file will be processed first, then inserted into the ERB template appropriately.
I usually find that it's best to avoid having multiple template formats in one file, unless the format explicitly supports blocks (like Haml).

Using content_for and yield_content in Ramaze

Sinatra has sinatra/contrib to assist with this; what's the equivalent in Ramaze? I'm using Erubis, by the way. Also, a quick Google search turns up really old pages that insist on setting variables in the controllers and using them in the views.
Edit 1:
Taken from the gem documentation (http://www.sinatrarb.com/contrib/content_for.html)
You call content_for, generally from a view, to capture a block of markup giving it an identifier:
# index.erb
<% content_for :some_key do %>
<chunk of="html">...</chunk>
<% end %>
Then, you call yield_content with that identifier, generally from a layout, to render the captured block:
# layout.erb
<%= yield_content :some_key %>
I don't think Ramaze can do this natively. But you could quite easily do this manually, write a helper to do this, or even fill-in a Hash instance.
You might also want to look at partials if you need to render small chunks of HTML in loops.
You could also combine render_partial, store results in a hash, and yield its content in the layout.
If the use case is something like rendering a sidebar, you probably want to write a helper so you take the logic out of your views.
A trivial example is here: https://github.com/Ramaze/ramaze/wiki/Adding-a-dynamic-sidebar-in-a-layout
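As an added example, not from the answer or from Ramaze itself: the Hash-backed content_for / yield_content helper the answer suggests, with block capture done by swapping the template's output buffer. It uses stdlib ERB's eoutvar instead of Erubis (assumption: Erubis' buffer can be swapped the same way), and ContentHelper, View and the two templates are this example's own names.

```ruby
require 'erb'

# Hash-backed content_for / yield_content; names are this example's own.
module ContentHelper
  def content_blocks
    @content_blocks ||= Hash.new { |h, k| h[k] = [] }
  end
  # Store captured block output (or a plain string) under key; emits nothing.
  def content_for(key, text = nil, &block)
    content_blocks[key] << (block ? capture(&block) : text.to_s)
    nil
  end
  # Join every chunk stored under key, in capture order (empty if none).
  def yield_content(key)
    content_blocks[key].join
  end

  # Swap the template's output buffer (@_out) while the block runs, so the
  # block's ERB output lands in a fresh string instead of the page body.
  def capture
    outer, @_out = @_out, +""
    yield
    @_out
  ensure
    @_out = outer
  end
end

class View
  include ContentHelper
  # Render with this object's binding, buffering into @_out (stdlib ERB).
  def render(template)
    ERB.new(template, eoutvar: "@_out").result(binding)
  end
  # Page first, so its content_for blocks are stored, then the layout.
  def render_with_layout(page, layout)
    @page_body = render(page)
    render(layout)
  end
end

# Constructed templates mirroring the Sinatra contrib snippet in the question.
PAGE = "<% content_for :sidebar do %><ul><li>Recent</li></ul><% end %>" \
       "<p>Main body</p>"
LAYOUT = "<aside><%= yield_content :sidebar %></aside><main><%= @page_body %></main>"

def example_output
  View.new.render_with_layout(PAGE, LAYOUT)
end
```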

HAML -> Backbone Template, Unescaping HTML Parameters

I'm using HAML to generate templates for a Backbone.js app. I need to be able to insert <%= blah %> as an html attribute a la:
%a{:href => "myresources/<% id %>"} My Resource
and have it output
<a href='myresources/<%= id %>' >My Resource</a>
in the html template. Unfortunately, HAML escapes the html parameters leaving me with
<a href='#myresources/<%= id %>'>My Resource</a>
According to the HAML Reference the '!' operator can be used for unescaping strings, but not within the HTML attributes.
Also, I'd use plaintext to render the anchor tag, but since the anchor tag is the root for this particular view, I lose all of the benefits of using HAML.
Any help?
Update
I didn't mention, but I'm using LiveReload to actually watch my file system and run the haml compiler, and there was a setting in LiveReload to disable HTML escapes in tag attributes. < head slap > If anyone else runs into this issue outside of LiveReload, you can also set the :escape_attrs option to false when configuring your HAML setup.
You can configure HAML to not escape tag attributes using the escape_attrs option in your HAML configuration. See HAML Options.
You can try using html_safe, which is a method on String objects. This will escape the html characters in the variable statement (< for example) and will leave them intact for Underscore to evaluate at runtime:
%a{:href => "myresources/<% id %>".html_safe} My Resource
Found in an answer to Interpolate inside html attributes with Underscore.js

HTML Encoding Strings - ASP.NET Web Forms VS Razor View Engine

I'm not quite sure how this works yet... trying to find documentation.
In my existing app I've got two different ways of rendering strings in my View
<%: model.something %>
<!-- or -->
<%= model.something %>
The first one is html encoded, and the second one is not.
Is there something similarly short in Razor? All I can find is this, which is the encoded version.
@model.something
I guess the best approach would be to use the Raw extension method: @Html.Raw(Model.Something)
@Model.Something automatically HTML encodes. If you want to avoid HTML encoding (and you want this only if you are absolutely sure what you are doing) you could use @MvcHtmlString.Create(Model.Something) (basically everything that implements IHtmlString won't be encoded). Phil Haack blogged about the Razor view engine syntax.