Simple Ruby Question

December 29th, 2005, 04:58 PM
Don't really know where to go with this one, but I gotta know...
What is the difference between the two following pieces of code?
Code:
<%= h(truncate(product.description, 80)) %>
and
Code:
<%= truncate(product.description, 80) %>
This question could also be asked by asking what h() does.

January 8th, 2006, 02:54 PM
fork while true;
h is a user-defined function, clearly, since it looks like nothing in the Ruby library.

January 8th, 2006, 02:55 PM
'fie' on me, allege-dly
and a bad choice of function name at that, as it's in no way meaningful to anyone but the original author (assuming of course that it isn't a core Ruby function)

January 8th, 2006, 02:59 PM
fork while true;
Ruby doesn't have any core functions, they're all in classes.
e.g. File access = `File` class.
Code:
File.open("myfilename") { |f| print f.read }   # open the file, yield it to the block, print its contents, close it

January 8th, 2006, 07:32 PM
'fie' on me, allege-dly
and with that, I smiled, knowingly*, and walked to the next exhibit ...
*whaddhesay

January 12th, 2006, 10:36 AM
Banned ;)
My Agile Web Development with Rails just arrived yesterday night. I opened the book this morning and by strange coincidence, I opened it on page 345 which had the exact answer.
h() is short for html_escape() in the rails framework. You can use either h() or html_escape(), but most rails programmers use h() by convention, because it saves them some typing. Basically, you can use this method to html_escape any data. Why should you do this? What if your product description has a & in it. To output an & into your browser, the HTML should have &amp; instead of &. Similarly, you should have &lt; and &gt; instead of < and > in your code. Using h() will convert & to &amp; and < and > to &lt; and &gt; and other such conversions.
There are more security implications too. Consider the following rails code:
Code:
Name is <%= params[:name] %>
where name is entered by the user from a form. Normally, you would expect users to just enter their name (say "Joe Schmoe") and it would show the page like this:
Now, what if the user enters their name like this:
%3Ch1%3EJoe Schmoe%3C/h1%3E
The funky stuff is URL-encoded HTML for <h1>Joe Schmoe</h1>, and thus our page will show the text in big font, when we didn't mean it to. Of course, the person could do something a lot worse by entering some javascript instead and execute a cross-site scripting attack.
To prevent this, it is a good idea to html escape the output. You can use:
Code:
Name is <%= h(params[:name]) %>
and it will HTML encode the output safely, so it can't be exploited.
Incidentally, rails also provides the sanitize() method. The sanitize method takes a string and cleans up any dangerous HTML elements. <form>, <script> are escaped, any on= attribs (onclick=, onselect= etc.) and links with javascript: tags are removed.
Last edited by Scorpions4ever : January 12th, 2006 at 10:44 AM.
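
As an added example (not code from this thread, and not Rails itself): the templates from the post above, rendered with Ruby's standard-library ERB. ERB::Util.html_escape is the method Rails' h() delegates to, so no Rails install is needed to see what h() does to the URL-encoded payload quoted above. The block also goes one step past the post and covers the ordering from the original question, h(truncate(...)) versus truncate(h(...)): escaping first and then truncating can cut an entity such as &amp; in half. The truncate helper is a stand-in written for this example with the Rails 1.x signature truncate(text, length, truncate_string), and all sample inputs are constructed.

```ruby
# Added example, not code from the original thread or from Rails itself.
# Demonstrates what h()/html_escape does to user input in an ERB template,
# using only the Ruby standard library (ERB::Util.html_escape is the method
# Rails' h() delegates to).
require 'erb'
require 'cgi'

# The two templates from the post: raw output versus escaped output.
UNSAFE_TEMPLATE = 'Name is <%= name %>'
SAFE_TEMPLATE   = 'Name is <%= ERB::Util.html_escape(name) %>'

# Constructed sample form values, as they would appear in the query string
# before the framework URL-decodes them.
SAMPLES = {
  benign:    'Joe Schmoe',
  heading:   '%3Ch1%3EJoe Schmoe%3C/h1%3E',                     # the post's example
  script:    '%3Cscript%3Ealert(document.cookie)%3C/script%3E', # classic XSS payload
  ampersand: 'Smith %26 Wesson'
}.freeze

# What params[:name] would hold after URL decoding.
def decode_param(raw)
  CGI.unescape(raw)
end

# Render one of the templates with the given name value.
def render(template, name)
  ERB.new(template).result_with_hash(name: name)
end

# Render the same decoded value through both templates.
def compare(raw)
  name = decode_param(raw)
  { unsafe: render(UNSAFE_TEMPLATE, name), safe: render(SAFE_TEMPLATE, name) }
end

# Does a raw tag survive in the output? (true means markup reached the browser)
def raw_tag?(html)
  html.match?(%r{</?[A-Za-z]})
end

# Stand-in for the Rails 1.x helper truncate(text, length, truncate_string)
# used in the original question (assumed semantics: the result is at most
# `length` characters, ellipsis included).
def truncate(text, length = 30, truncate_string = '...')
  return text if text.length <= length
  text[0, length - truncate_string.length] + truncate_string
end

# The ordering from the question: truncate first, escape last.
def truncate_then_escape(text, length)
  ERB::Util.html_escape(truncate(text, length))
end

# The other order: escaping first can leave a broken entity at the cut point.
def escape_then_truncate(text, length)
  truncate(ERB::Util.html_escape(text), length)
end

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |label, raw|
    out = compare(raw)
    puts "#{label}:"
    puts "  without h(): #{out[:unsafe]}"
    puts "  with h():    #{out[:safe]}"
  end

  desc = 'Tom & Jerry - The Complete Collection' # constructed product description
  puts "h(truncate(desc, 10)) => #{truncate_then_escape(desc, 10)}"
  puts "truncate(h(desc), 10) => #{escape_then_truncate(desc, 10)}"
end
```

With the constructed description above, h(truncate(desc, 10)) gives "Tom &amp; J..." while truncate(h(desc), 10) gives "Tom &am...", a dangling entity fragment; escaping should be the outermost call, which is exactly what the first snippet in the original question does. Rails 3.0 and later escape <%= %> output by default, so the unescaped template only reproduces the hazard on the Rails 1.x/2.x versions this thread is about, or wherever output is explicitly marked html_safe.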

February 7th, 2006, 03:50 AM
'fie' on me, allege-dly
Y'see, you learn st*ff here, cheers Scorp

February 17th, 2006, 11:11 PM
Contributing User
and, not to suggest anyone look elsewhere for help....
the rails community has amazing support: http://rubyonrails.com/community
I prefer #rubyonrails on IRC or the mailing list

February 18th, 2006, 06:00 AM
fork while true;
Quote: Originally Posted by eriksays
    and, not to suggest anyone look elsewhere for help....
    the rails community has amazing support: http://rubyonrails.com/community
    I prefer #rubyonrails on IRC or the mailing list

#rubyonrails on freenode can be a good place, yes, but they can be twats as well, merely telling you to google, even if you spent an hour doing so already