Ruby Building Web Apps with Sinatra Finishing Touches Summary

Robert Hopman

Sinatra, 2 parts: 1. about <%= escape @content %>; 2. about the additional exercise of the overview.

Hey there,

Part 1: Since I've implemented the following in wiki.rb

def escape(string)
  Rack::Utils.escape_html(string)
end

the output of the <%= escape @content %> looks like code...

First, is this correct? Second, how can I fix this? Third, is the CGI fix also safe in terms of security? I've looked into Nokogiri and CGI and tried those. Currently the only thing that works is:

require 'cgi'  # CGI.escapeHTML comes from the standard library and is not loaded by Sinatra

def raw_text(string)
  CGI.escapeHTML(string)
end

and then replacing escape @content with raw_text @content

cc Jay McGavren

part 2

my overview.rb looks like this, this might be useful for other people as well :)

<h3>All pages</h3>
<ul>
  <%# Dir.entries also returns "." and "..", which are skipped below %>
  <% Dir.entries("pages").each do |page| %>
    <% page = File.basename(page, ".txt") %>
    <% if page != '.' && page != '..' %>
      <li>
        <a href="/<%= page %>"><%= page %></a>
      </li>
    <% end %>
  <% end %>
</ul>
Jay McGavren
Treehouse Teacher

Robert Hopman, there's a lot of room for miscommunication here, so, to be specific: I'm assuming that you've made an entry like this in your wiki:

<script>alert('boo');</script>

If you viewed that without embedding <%= escape @content %> in your template, you should get an alert dialog saying "boo". However, after you embed <%= escape @content %> in your template, what you see should look like the original text you entered (<script>alert('boo');</script>). And that's OK. As long as you don't see an actual dialog, it means the JavaScript code is not running, which is what you want.

Sam Donald

Also, you can move your escape method into the save_content method so the user's input is escaped on submit, before it even makes it into the database.

This has the benefit of less code, and keeping your .erb files more readable. IMO
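Worked example, added here and not code from any of the posts above: it reproduces the escaped-versus-unescaped rendering Jay describes and the escape-on-save variant Sam suggests, using only Ruby's standard library (CGI and ERB, no Sinatra or Rack needed), and shows the caveat that doing both at once double-escapes the text. The PageView class, save_content and the render_* helpers are names assumed for this example.

```ruby
# Added example, not from the original thread: stdlib-only reproduction.
require 'cgi'
require 'erb'

# Stdlib equivalent of the escape helper in the question
# (Rack::Utils.escape_html does the same job inside Sinatra).
def escape(string)
  CGI.escapeHTML(string)
end

# Constructed wiki entry: the test input Jay's reply assumes.
ENTRY = "<script>alert('boo');</script>"

# Renders an ERB template string with @content set, the way wiki.rb's
# templates see it. (Hypothetical helper class for this example.)
class PageView
  def initialize(content)
    @content = content
  end

  def render(template)
    ERB.new(template).result(binding)
  end
end

# 1. No helper: the script tag reaches the browser intact and would run
#    (the alert dialog Jay mentions).
def render_unescaped(entry)
  PageView.new(entry).render("<div><%= @content %></div>")
end

# 2. Helper in the template: tags become entities, so the browser shows the
#    literal "<script>alert('boo');</script>" text and executes nothing.
def render_escaped(entry)
  PageView.new(entry).render("<div><%= escape @content %></div>")
end

# 3. Sam's variant: escape once on save, embed the stored value directly.
#    Produces the same HTML as (2) with no helper call in the .erb file.
def save_content(entry)
  escape(entry) # stands in for writing the escaped text to the page file
end

def render_saved(entry)
  PageView.new(save_content(entry)).render("<div><%= @content %></div>")
end

# Caveat: escaping on save AND in the template double-escapes, so readers
# see "&lt;script&gt;..." literally instead of the text that was entered.
def render_double_escaped(entry)
  PageView.new(save_content(entry)).render("<div><%= escape @content %></div>")
end
```

Pick one of the two places to escape (template or save_content) and keep it there consistently; the double-escaped case is what you get when both are left in.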