sanchojaf/gist:dc1a28606120d5a56099

## gistfile1.txt
view = ActionView::Base.new

view.formats
=> [:html, :text, :js, :css, :ics, :csv, :vcf, :png, :jpeg, :gif, :bmp, :tiff, :mpeg, :xml, :rss, :atom, :yaml, :multipart_form, :url_encoded_form, :json, :pdf, :zip]

ActionView::Base.new.render(inline: "Hello world!")
=> "Hello world!"

view.render(inline: "<h1> <%= 4 +1 %> Hello world!</h1>")
=> "<h1> 5 Hello world!</h1>"

product = [{:name=>"video", :price=>100, :sku=>"A10001"}, {:name=>"silla", :price=>20, :sku=>"B20001"}]

view.render(inline: "<h1> Product <%= product[0][:name] %>", locals: {product: product})
=> "<h1> Product video</h1>"

view.render(text: " Product #{product[0][:name]}")
=> " Product video"

view.render(inline: "<h1> <%= distance_of_time_in_words(Time.now, Time.now + 15.seconds)  %> </h1>")
=> "<h1> less than a minute </h1>"

view.render(inline: "<h1> <%= select_date(DateTime.now + 6.days)  %> </h1>")
=> "<h1> <select id=\"date_year\" name=\"date[year]\">\n<option value=\"2010\">2010</option>\n<option value=\"2011\">2011</option>\n<option value=\"2012\">2012</option>\n<option value=\"2013\">2013</option>\n<option value=\"2014\">2014</option>\n<option selected=\"selected\" value=\"2015\">2015</option>\n<option value=\"2016\">2016</option>\n<option value=\"2017\">2017</option>\n<option value=\"2018\">2018</option>\n<option value=\"2019\">2019</option>\n<option value=\"2020\">2020</option>\n</select>\n<select id=\"date_month\" name=\"date[month]\">\n<option selected=\"selected\" value=\"1\">January</option>\n<option value=\"2\">February</option>\n<option value=\"3\">March</option>\n<option value=\"4\">April</option>\n<option value=\"5\">May</option>\n<option value=\"6\">June</option>\n<option value=\"7\">July</option>\n<option value=\"8\">August</option>\n<option value=\"9\">September</option>\n<option value=\"10\">October</option>\n<option value=\"11\">November</option>\n<option value=\"12\">December</option>\n</select>\n<select id=\"date_day\" name=\"date[day]\">\n<option value=\"1\">1</option>\n<option value=\"2\">2</option>\n<option value=\"3\">3</option>\n<option value=\"4\">4</option>\n<option value=\"5\">5</option>\n<option value=\"6\">6</option>\n<option value=\"7\">7</option>\n<option value=\"8\">8</option>\n<option value=\"9\">9</option>\n<option value=\"10\">10</option>\n<option value=\"11\">11</option>\n<option value=\"12\">12</option>\n<option value=\"13\">13</option>\n<option value=\"14\">14</option>\n<option value=\"15\">15</option>\n<option value=\"16\">16</option>\n<option value=\"17\">17</option>\n<option value=\"18\">18</option>\n<option value=\"19\">19</option>\n<option value=\"20\">20</option>\n<option value=\"21\">21</option>\n<option value=\"22\">22</option>\n<option value=\"23\">23</option>\n<option value=\"24\">24</option>\n<option value=\"25\">25</option>\n<option value=\"26\">26</option>\n<option value=\"27\">27</option>\n<option value=\"28\">28</option>\n<option selected=\"selected\" value=\"29\">29</option>\n<option value=\"30\">30</option>\n<option value=\"31\">31</option>\n</select>\n </h1>"

view.render(inline: "<h1> <%= check_box_tag 'accept'  %> </h1>")
=> "<h1> <input id=\"accept\" name=\"accept\" type=\"checkbox\" value=\"1\" /> </h1>"


view.render(inline: '<h1> <%= number_to_currency(1234567890.50)  %> </h1>')
=> "<h1> $1,234,567,890.50 </h1>"

view.render(inline: '<h1> <%= number_to_phone(1235551234)   %> </h1>')
=> "<h1> 123-555-1234 </h1>"

body = "<a href='http://rubyonrails.org'>Ruby on Rails</a>"
view.render(inline: "<h1> <%= strip_links(body) %> </h1>", locals: {body: body})
=> "<h1> Ruby on Rails </h1>"

body = "<b>Bold</b> no more!  <a href='more.html'>See more</a>"
view.render(inline: "<h1> <%= strip_tags(body) %> </h1>", locals: {body: body})
=> "<h1> Bold no more!  See more </h1>"

body = "alert('All is good')"
view.render(inline: "<h1> <%= javascript_tag(body) %> </h1>", locals: {body: body})
"<h1> <script>\n//<![CDATA[\nalert('All is good')\n//]]>\n</script> </h1>"

Sanitization
Most text helpers by default sanitize the given content, but do not escape it. This means HTML tags will appear in the page but all malicious code will be removed. Let's look at some examples using the simple_format method:
body = '<a href="javascript:alert(\'no!\')">Example</a>
=> ActionView::Base.new.render(inline: "<%= simple_format(body) %>", locals: {body: body})
=> "<p><a>Example</a></p>"

load 'builder.rb'
body = <<-EOT
  xml.em("emphasized")
  xml.em { xml.b("emph & bold") }
  xml.a("A Link", "href" => "http://rubyonrails.org")
  xml.target("name" => "compile", "option" => "fast")
EOT
ActionView::Base.new.render(:inline => eval(body),formats: :xml, handlers: :builder)
=> "<inspect/>\n<inspect/>\n<em>emphasized</em>\n<em>\n  <b>emph &amp; bold</b>\n</em>\n<a href=\"http://rubyonrails.org\">A Link</a>\n<target name=\"compile\" option=\"fast\"/>\n<em>emphasized</em>\n<em>\n  <b>emph &amp; bold</b>\n</em>\n<a href=\"http://rubyonrails.org\">A Link</a>\n<target name=\"compile\" option=\"fast\"/>\n"

ActionView::Base.new.render(:inline => eval(body),formats: :json, handlers: :rabl)

Rabl::Builder.new(nil, { :attributes => [ { :name => :name } ] })


xml.em("emphasized")
xml.em { xml.b("emph & bold") }
xml.a("A Link", "href" => "http://rubyonrails.org")
xml.target("name" => "compile", "option" => "fast")


<%- headers = ['Status', 'Amount'] -%>
<%= CSV.generate_line headers %>
<%= CSV.generate_line([object.status, object.amount]) %>

<% if object.payment > 100 %>
input_data = '5 debe ser <%= 4 + 1 %>';
data = escape(input_data);
data = input_data.replace("+", "%2B");
data = input_data.replace("/", "%2F");
<% else %>
input_data = 'pago insuficiente';
<% end %>
	view = ActionView::Base.new

	view.formats
	=> [:html, :text, :js, :css, :ics, :csv, :vcf, :png, :jpeg, :gif, :bmp, :tiff, :mpeg, :xml, :rss, :atom, :yaml, :multipart_form, :url_encoded_form, :json, :pdf, :zip]

	ActionView::Base.new.render(inline: "Hello world!")
	=> "Hello world!"

	view.render(inline: "<h1> <%= 4 +1 %> Hello world!</h1>")
	=> "<h1> 5 Hello world!</h1>"

	product = [{:name=>"video", :price=>100, :sku=>"A10001"}, {:name=>"silla", :price=>20, :sku=>"B20001"}]

	view.render(inline: "<h1> Product <%= product[0][:name] %>", locals: {product: product})
	=> "<h1> Product video</h1>"

	view.render(text: " Product #{product[0][:name]}")
	=> " Product video"

	view.render(inline: "<h1> <%= distance_of_time_in_words(Time.now, Time.now + 15.seconds) %> </h1>")
	=> "<h1> less than a minute </h1>"

	view.render(inline: "<h1> <%= select_date(DateTime.now + 6.days) %> </h1>")
	=> "<h1> <select id=\"date_year\" name=\"date[year]\">\n<option value=\"2010\">2010</option>\n<option value=\"2011\">2011</option>\n<option value=\"2012\">2012</option>\n<option value=\"2013\">2013</option>\n<option value=\"2014\">2014</option>\n<option selected=\"selected\" value=\"2015\">2015</option>\n<option value=\"2016\">2016</option>\n<option value=\"2017\">2017</option>\n<option value=\"2018\">2018</option>\n<option value=\"2019\">2019</option>\n<option value=\"2020\">2020</option>\n</select>\n<select id=\"date_month\" name=\"date[month]\">\n<option selected=\"selected\" value=\"1\">January</option>\n<option value=\"2\">February</option>\n<option value=\"3\">March</option>\n<option value=\"4\">April</option>\n<option value=\"5\">May</option>\n<option value=\"6\">June</option>\n<option value=\"7\">July</option>\n<option value=\"8\">August</option>\n<option value=\"9\">September</option>\n<option value=\"10\">October</option>\n<option value=\"11\">November</option>\n<option value=\"12\">December</option>\n</select>\n<select id=\"date_day\" name=\"date[day]\">\n<option value=\"1\">1</option>\n<option value=\"2\">2</option>\n<option value=\"3\">3</option>\n<option value=\"4\">4</option>\n<option value=\"5\">5</option>\n<option value=\"6\">6</option>\n<option value=\"7\">7</option>\n<option value=\"8\">8</option>\n<option value=\"9\">9</option>\n<option value=\"10\">10</option>\n<option value=\"11\">11</option>\n<option value=\"12\">12</option>\n<option value=\"13\">13</option>\n<option value=\"14\">14</option>\n<option value=\"15\">15</option>\n<option value=\"16\">16</option>\n<option value=\"17\">17</option>\n<option value=\"18\">18</option>\n<option value=\"19\">19</option>\n<option value=\"20\">20</option>\n<option value=\"21\">21</option>\n<option value=\"22\">22</option>\n<option value=\"23\">23</option>\n<option value=\"24\">24</option>\n<option value=\"25\">25</option>\n<option value=\"26\">26</option>\n<option value=\"27\">27</option>\n<option value=\"28\">28</option>\n<option selected=\"selected\" value=\"29\">29</option>\n<option value=\"30\">30</option>\n<option value=\"31\">31</option>\n</select>\n </h1>"

	view.render(inline: "<h1> <%= check_box_tag 'accept' %> </h1>")
	=> "<h1> <input id=\"accept\" name=\"accept\" type=\"checkbox\" value=\"1\" /> </h1>"


	view.render(inline: '<h1> <%= number_to_currency(1234567890.50) %> </h1>')
	=> "<h1> $1,234,567,890.50 </h1>"

	view.render(inline: '<h1> <%= number_to_phone(1235551234) %> </h1>')
	=> "<h1> 123-555-1234 </h1>"

	body = "<a href='http://rubyonrails.org'>Ruby on Rails</a>"
	view.render(inline: "<h1> <%= strip_links(body) %> </h1>", locals: {body: body})
	=> "<h1> Ruby on Rails </h1>"

	body = "<b>Bold</b> no more! <a href='more.html'>See more</a>"
	view.render(inline: "<h1> <%= strip_tags(body) %> </h1>", locals: {body: body})
	=> "<h1> Bold no more! See more </h1>"

	body = "alert('All is good')"
	view.render(inline: "<h1> <%= javascript_tag(body) %> </h1>", locals: {body: body})
	"<h1> <script>\n//<![CDATA[\nalert('All is good')\n//]]>\n</script> </h1>"

	Sanitization
	Most text helpers by default sanitize the given content, but do not escape it. This means HTML tags will appear in the page but all malicious code will be removed. Let's look at some examples using the simple_format method:
	body = '<a href="javascript:alert(\'no!\')">Example</a>
	=> ActionView::Base.new.render(inline: "<%= simple_format(body) %>", locals: {body: body})
	=> "<p><a>Example</a></p>"

	load 'builder.rb'
	body = <<-EOT
	xml.em("emphasized")
	xml.em { xml.b("emph & bold") }
	xml.a("A Link", "href" => "http://rubyonrails.org")
	xml.target("name" => "compile", "option" => "fast")
	EOT
	ActionView::Base.new.render(:inline => eval(body),formats: :xml, handlers: :builder)
	=> "<inspect/>\n<inspect/>\n<em>emphasized</em>\n<em>\n <b>emph & bold</b>\n</em>\n<a href=\"http://rubyonrails.org\">A Link</a>\n<target name=\"compile\" option=\"fast\"/>\n<em>emphasized</em>\n<em>\n <b>emph & bold</b>\n</em>\n<a href=\"http://rubyonrails.org\">A Link</a>\n<target name=\"compile\" option=\"fast\"/>\n"

	ActionView::Base.new.render(:inline => eval(body),formats: :json, handlers: :rabl)

	Rabl::Builder.new(nil, { :attributes => [ { :name => :name } ] })


	xml.em("emphasized")
	xml.em { xml.b("emph & bold") }
	xml.a("A Link", "href" => "http://rubyonrails.org")
	xml.target("name" => "compile", "option" => "fast")


	<%- headers = ['Status', 'Amount'] -%>
	<%= CSV.generate_line headers %>
	<%= CSV.generate_line([object.status, object.amount]) %>

	<% if object.payment > 100 %>
	input_data = '5 debe ser <%= 4 + 1 %>';
	data = escape(input_data);
	data = input_data.replace("+", "%2B");
	data = input_data.replace("/", "%2F");
	<% else %>
	input_data = 'pago insuficiente';
	<% end %>