Summary (1:10) with Jay McGavren
You've just built a Sinatra app completely from scratch. Let's review all the concepts we had to learn to get here.
Sinatra has lots more functionality than we can cover in this course. You can learn more on the official Sinatra site.
Because we include the contents of a text file into the
We can prevent this by escaping any HTML code that appears in a page's content - replacing characters that would normally be treated as HTML markup with entities that are shown in the browser instead. For example, the above malicious code would look like this when it's escaped:
But it would look exactly like the original code when viewed in a browser. (It just wouldn't be executed or treated as markup.)
To escape any HTML that might appear in a string, we can call the Rack::Utils.escape_html method on that string. We can add a method at the top of the wiki.rb file that does this. There's a method in Rails named h that does this same thing, so we'll name this method h as well:

    # Replace characters the browser would treat as markup (<, >, &, quotes)
    # with HTML entities, so user content is displayed rather than interpreted.
    def h(string)
      Rack::Utils.escape_html(string)
    end

The Rack::Utils library gets loaded when Sinatra does, so we don't need to require it or anything.
Now that our new h method is defined within wiki.rb, we can call it within the show.erb template. We can replace this line:

    <p><%= @content %></p>

with this one, which passes the page content through h before it is inserted into the HTML:

    <p><%= h @content %></p>
It's generally a good idea to assume that users may enter malicious data into any form you provide to them. Escaping HTML is just one of many techniques developers use to limit the harm that can be done.
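To see the difference the one-character change in show.erb makes, here is an added example (not code from the course) that renders the same two template lines with ERB against a constructed piece of user-submitted content. It uses Rack::Utils.escape_html when the rack gem is installed and otherwise falls back to the standard library's CGI.escapeHTML, which escapes the same dangerous characters; the PageView class and MALICIOUS_CONTENT string are assumptions made for this example.

```ruby
require "erb"
require "cgi"

# The wiki app gets Rack::Utils for free from Sinatra. Running this file on
# its own, the rack gem may be missing, so fall back to the standard library
# (assumption for this example; both escape <, >, & and quotes).
begin
  require "rack"
  ESCAPER = Rack::Utils.method(:escape_html)
rescue LoadError
  ESCAPER = CGI.method(:escapeHTML)
end

# The same h helper the course adds to wiki.rb.
def h(string)
  ESCAPER.call(string.to_s)
end

# Constructed sample of what a user might type into the wiki's edit form.
MALICIOUS_CONTENT = '<script>alert("hi")</script>Hello <b>world</b>'

# The before and after lines from show.erb.
UNSAFE_TEMPLATE = "<p><%= @content %></p>"
SAFE_TEMPLATE   = "<p><%= h @content %></p>"

# Stands in for the Sinatra route: @content is what the template sees.
class PageView
  def initialize(content)
    @content = content
  end

  def render(template)
    ERB.new(template).result(binding)
  end
end

def render_unsafe(content)
  PageView.new(content).render(UNSAFE_TEMPLATE)
end

def render_safe(content)
  PageView.new(content).render(SAFE_TEMPLATE)
end

# True if the rendered HTML still contains a raw tag from the input,
# i.e. the browser would execute or style it instead of showing it.
def contains_markup?(html)
  html.match?(/<script|<b>/)
end
```

Running `puts render_unsafe(MALICIOUS_CONTENT)` and `puts render_safe(MALICIOUS_CONTENT)` shows the script tag intact in the first output and turned into `&lt;script&gt;` in the second.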
Looking to practice what you've learned? Here are some project ideas.
- In the wiki app, add a list of all the available wiki pages. The Dir class from Ruby core has an each method that will let you get a list of all the files in the pages/ subdirectory; you can use those to build clickable links.
- See if you can replicate the guestbook app from this course's code challenges. Add a feature to view a list of all the signatures, then give users the ability to create, update, or delete signatures.