#1
Contributing User - Devshed Newbie (0 - 499 posts)
Join Date: Apr 2004 | Posts: 214 | Rep Power: 58

    Simple Ruby Question


    Don't really know where to go with this one, but I gotta know...

    What is the difference between the two following pieces of code?

    Code:
    <%= h(truncate(product.description, 80)) %>
    and

    Code:
    <%= truncate(product.description, 80) %>
    This question could also be asked by asking what h() does.
#2
fork while true; - Devshed God 1st Plane (5500 - 5999 posts)
Join Date: May 2005 | Location: England, UK | Posts: 5,538 | Rep Power: 1050
    h is a user-defined function, clearly, since it looks like nothing in the Ruby library.
#3
'fie' on me, allege-dly - Devshed Supreme Being (6500+ posts)
Join Date: Mar 2003 | Location: in da kitchen ... | Posts: 12,889 | Rep Power: 6444
    and a bad choice of function name at that, as it's in no way meaningful to anyone but the original author (assuming of course that it isn't a core Ruby function)
    --Ax
    without exception, there is no rule ...
    Handmade Irish Jewellery
    Targeted Advertising Cookie Optout (TACO) extension for Firefox
    The great thing about Object Oriented code is that it can make small, simple problems look like large, complex ones


    09 F9 11 02
    9D 74 E3 5B
    D8 41 56 C5
    63 56 88 C0
    Some people, when confronted with a problem, think "I know, I'll use regular expressions." Now they have two problems.
    -- Jamie Zawinski
    Detavil - the devil is in the detail, allegedly, and I use the term advisedly, allegedly ... oh, no, wait I did ...
    BIT COINS ANYONE
#4
fork while true; - Devshed God 1st Plane (5500 - 5999 posts)
Join Date: May 2005 | Location: England, UK | Posts: 5,538 | Rep Power: 1050
    Ruby doesn't have any core functions, they're all in classes.

    e.g. file access goes through the `File` class:

    Code:
    File.open("myfilename") { |f| print f.read }
#5
'fie' on me, allege-dly - Devshed Supreme Being (6500+ posts)
Join Date: Mar 2003 | Location: in da kitchen ... | Posts: 12,889 | Rep Power: 6444
    and with that, I smiled, knowingly*, and walked to the next exhibit ...
    *whaddhesay
    --Ax
#6
Banned ;) - Devshed Supreme Being (6500+ posts)
Join Date: Nov 2001 | Location: Woodland Hills, Los Angeles County, California, USA | Posts: 9,593 | Rep Power: 4207
    My Agile Web Development with Rails just arrived yesterday night. I opened the book this morning and by strange coincidence, I opened it on page 345 which had the exact answer.

    h() is short for html_escape() in the rails framework. You can use either h() or html_escape(), but most rails programmers use h() by convention, because it saves them some typing. Basically, you can use this method to html_escape any data. Why should you do this? What if your product description has a & in it. To output an & into your browser, the HTML should have &amp; instead of &. Similarly, you should have &lt; and &gt; instead of < and > in your code. Using h() will convert & to &amp; and < and > to &lt; and &gt; and other such conversions.

    There are more security implications too. Consider the following rails code:
    Code:
    Name is <%= params[:name] %>
    where name is entered by the user from a form. Normally, you would expect users to just enter their name (say "Joe Schmoe") and it would show the page like this:
    Code:
    Name is Joe Schmoe
    Now, what if the user enters their name like this:
    Code:
    %3Ch1%3EJoe Schmoe%3C/h1%3E
    The funky stuff is URL-encoded HTML for <h1>Joe Schmoe</h1>, and thus our page will show the text in big font, when we didn't mean it to. Of course, the person could do something a lot worse by entering some javascript instead and executing a cross-site scripting attack.

    To prevent this, it is a good idea to html escape the output. You can use:
    Code:
    Name is <%= h(params[:name]) %>
    and it will HTML encode the output safely, so it can't be exploited.

    Incidentally, rails also provides the sanitize() method. The sanitize method takes a string and cleans up any dangerous HTML elements. <form>, <script> are escaped, any on= attribs (onclick=, onselect= etc.) and links with javascript: tags are removed.
    Last edited by Scorpions4ever; January 12th, 2006 at 10:44 AM.
    Up the Irons
    What Would Jimi Do? Smash amps. Burn guitar. Take the groupies home.
    "Death Before Dishonour, my Friends!!" - Bruce Dickinson, Iron Maiden Aug 20, 2005 @ OzzFest
    Down with Sharon Osbourne

    "I wouldn't hire a butcher to fix my car. I also wouldn't hire a marketing firm to build my website." - Nilpo
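A runnable illustration of what the post above describes, added here as an example rather than code from the thread or from Rails. It uses the Ruby standard library's ERB::Util, which supplies the same h()/html_escape helper that Rails views have, decodes the URL-encoded name from the post the way a framework does before it becomes params[:name], renders the template with and without h(), and writes out the character-to-entity mapping by hand so it is visible. The View class, the simplified truncate helper (a stand-in for the old truncate(text, length) signature used in the opening post, not the framework's code) and the sample inputs are all constructed for this example.

```ruby
require "erb"
require "cgi"

# Constructed sample input: the URL-encoded form value from the post, exactly as a
# browser would submit it in the query string.
RAW_NAME_PARAM = "%3Ch1%3EJoe Schmoe%3C/h1%3E"

# The framework decodes the query string before the value reaches params[:name].
def decode_param(raw)
  CGI.unescape(raw)
end

# The five characters that are significant in HTML text and attribute values, and the
# entities h() replaces them with. gsub with a hash is a single pass over the string,
# so the "&" produced by one replacement is never escaped again in the same call.
HTML_ESCAPES = {
  "&" => "&amp;", "<" => "&lt;", ">" => "&gt;", '"' => "&quot;", "'" => "&#39;"
}.freeze

# A by-hand version of what h()/html_escape does, kept here so the mapping is explicit.
def html_escape_by_hand(text)
  text.to_s.gsub(/[&<>"']/, HTML_ESCAPES)
end

# Simplified stand-in for truncate(text, length, "...") as used in the opening post
# (an assumption for this example, not the framework's implementation).
def truncate(text, length = 30, truncate_string = "...")
  return text if text.length <= length
  text[0, length - truncate_string.length] + truncate_string
end

# A stand-in for a view: including ERB::Util gives it h() and html_escape(), and the
# template is evaluated in a binding where `name` and `product` are local variables.
class View
  include ERB::Util

  def initialize(template)
    @erb = ERB.new(template)
  end

  def render(name: nil, product: nil)
    @erb.result(binding)
  end
end

# Minimal product record, constructed for the description example.
Product = Struct.new(:description)

# "Name is <%= params[:name] %>": the submitted value is interpolated verbatim.
def render_unsafe(name)
  View.new("Name is <%= name %>").render(name: name)
end

# "Name is <%= h(params[:name]) %>": any markup in the value arrives as inert text.
def render_safe(name)
  View.new("Name is <%= h(name) %>").render(name: name)
end

# The two lines from the opening post, rendered with or without h().
def render_description(description, escaped:)
  template = if escaped
               "<%= h(truncate(product.description, 80)) %>"
             else
               "<%= truncate(product.description, 80) %>"
             end
  View.new(template).render(product: Product.new(description))
end

if __FILE__ == $0
  name = decode_param(RAW_NAME_PARAM)
  puts render_unsafe(name)   # the <h1> tags reach the browser as markup
  puts render_safe(name)     # the same tags reach the browser as literal text
  desc = "Fast & cheap <b>widget</b>"
  puts render_description(desc, escaped: false)
  puts render_description(desc, escaped: true)
end
```

Running the file prints the unescaped rendering, in which the submitted tags are live markup, followed by the escaped one, in which they are literal text. The ordering in the opening post also matters: h(truncate(...)) truncates the raw description first and escapes the result, so an entity such as &amp; is never cut in half; truncating after escaping could leave a dangling "&am" at the end of the string.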
#7
'fie' on me, allege-dly - Devshed Supreme Being (6500+ posts)
Join Date: Mar 2003 | Location: in da kitchen ... | Posts: 12,889 | Rep Power: 6444
    Y'see, you learn st*ff here, cheers Scorp
    --Ax
#8
Contributing User - Devshed Newbie (0 - 499 posts)
Join Date: Aug 2004 | Posts: 167 | Rep Power: 10
    and, not to suggest anyone look elsewhere for help....

    the rails community has amazing support: http://rubyonrails.com/community

    i prefer #rubyonrails on IRC or the mailing list
#9
fork while true; - Devshed God 1st Plane (5500 - 5999 posts)
Join Date: May 2005 | Location: England, UK | Posts: 5,538 | Rep Power: 1050
    Originally Posted by eriksays
    and, not to suggest anyone look elsewhere for help....

    the rails community has amazing support: http://rubyonrails.com/community

    i prefer #rubyonrails on IRC or the mailing list
    #rubyonrails on freenode can be a good place, yes, but they can be twats as well, merely telling you to google, even if you spent an hour doing so already