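# IRB session poking at ActionView helpers outside a controller (captured in 2015,
# i.e. a Rails 4.x era install). Results are reproduced as `# =>` comments exactly
# as captured; they depend on the Rails version, locale and clock at the time.
view = ActionView::Base.new
view.formats
# => [:html, :text, :js, :css, :ics, :csv, :vcf, :png, :jpeg, :gif, :bmp, :tiff, :mpeg, :xml, :rss, :atom, :yaml, :multipart_form, :url_encoded_form, :json, :pdf, :zip]

# `inline:` treats the string as an ERB template and evaluates it server-side.
# That string must never be built from untrusted data: whoever controls template
# text controls Ruby execution. Data goes in through `locals:` (see below) and
# comes out through <%= %>, which HTML-escapes unless the value is already html_safe.
ActionView::Base.new.render(inline: "Hello world!")
# => "Hello world!"
view.render(inline: "<h1> <%= 4 +1 %> Hello world!</h1>")
# => "<h1> 5 Hello world!</h1>"

product = [{:name=>"video", :price=>100, :sku=>"A10001"}, {:name=>"silla", :price=>20, :sku=>"B20001"}]
# Correct pattern: data enters via locals: and is emitted by <%= %>.
# (The gist's template lacked the closing </h1> that its captured output shows;
# restored here so template and output agree.)
view.render(inline: "<h1> Product <%= product[0][:name] %></h1>", locals: {product: product})
# => "<h1> Product video</h1>"

# `text:` is not an ERB template: the string is returned verbatim, with no
# escaping of its own. Interpolating data into it, as here, makes the result only
# as safe as that data — an XSS sink if the value is attacker-influenced and the
# string ends up in an HTML response. Later Rails versions deprecate `text:` in
# favour of `plain:`.
view.render(text: " Product #{product[0][:name]}")
# => " Product video"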
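# Date/time, form-tag and number helpers. These take typed, program-supplied
# values (Time/DateTime, Integer, Float) and build the markup themselves; the
# tag builder escapes attribute values such as the checkbox id/name. Keep the
# `id`/`name` you hand to check_box_tag under your own control all the same.
view.render(inline: "<h1> <%= distance_of_time_in_words(Time.now, Time.now + 15.seconds) %> </h1>")
# => "<h1> less than a minute </h1>"
# select_date emits three <select>s; the year range and the selected options
# come from the clock, which is why the captured values below look dated.
view.render(inline: "<h1> <%= select_date(DateTime.now + 6.days) %> </h1>")
# => "<h1> <select id=\"date_year\" name=\"date[year]\">\n<option value=\"2010\">2010</option>\n<option value=\"2011\">2011</option>\n<option value=\"2012\">2012</option>\n<option value=\"2013\">2013</option>\n<option value=\"2014\">2014</option>\n<option selected=\"selected\" value=\"2015\">2015</option>\n<option value=\"2016\">2016</option>\n<option value=\"2017\">2017</option>\n<option value=\"2018\">2018</option>\n<option value=\"2019\">2019</option>\n<option value=\"2020\">2020</option>\n</select>\n<select id=\"date_month\" name=\"date[month]\">\n<option selected=\"selected\" value=\"1\">January</option>\n<option value=\"2\">February</option>\n<option value=\"3\">March</option>\n<option value=\"4\">April</option>\n<option value=\"5\">May</option>\n<option value=\"6\">June</option>\n<option value=\"7\">July</option>\n<option value=\"8\">August</option>\n<option value=\"9\">September</option>\n<option value=\"10\">October</option>\n<option value=\"11\">November</option>\n<option value=\"12\">December</option>\n</select>\n<select id=\"date_day\" name=\"date[day]\">\n<option value=\"1\">1</option>\n<option value=\"2\">2</option>\n<option value=\"3\">3</option>\n<option value=\"4\">4</option>\n<option value=\"5\">5</option>\n<option value=\"6\">6</option>\n<option value=\"7\">7</option>\n<option value=\"8\">8</option>\n<option value=\"9\">9</option>\n<option value=\"10\">10</option>\n<option value=\"11\">11</option>\n<option value=\"12\">12</option>\n<option value=\"13\">13</option>\n<option value=\"14\">14</option>\n<option value=\"15\">15</option>\n<option value=\"16\">16</option>\n<option value=\"17\">17</option>\n<option value=\"18\">18</option>\n<option value=\"19\">19</option>\n<option value=\"20\">20</option>\n<option value=\"21\">21</option>\n<option value=\"22\">22</option>\n<option value=\"23\">23</option>\n<option value=\"24\">24</option>\n<option value=\"25\">25</option>\n<option value=\"26\">26</option>\n<option value=\"27\">27</option>\n<option 
#    value=\"28\">28</option>\n<option selected=\"selected\" value=\"29\">29</option>\n<option value=\"30\">30</option>\n<option value=\"31\">31</option>\n</select>\n </h1>"
view.render(inline: "<h1> <%= check_box_tag 'accept' %> </h1>")
# => "<h1> <input id=\"accept\" name=\"accept\" type=\"checkbox\" value=\"1\" /> </h1>"
# number_to_currency only formats. A Float literal is fine for a demo; real money
# should arrive as BigDecimal or integer cents to avoid binary rounding artefacts.
view.render(inline: '<h1> <%= number_to_currency(1234567890.50) %> </h1>')
# => "<h1> $1,234,567,890.50 </h1>"
view.render(inline: '<h1> <%= number_to_phone(1235551234) %> </h1>')
# => "<h1> 123-555-1234 </h1>"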
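# strip_links / strip_tags remove markup through the configured sanitizer. Treat
# the result as plain text: let <%= %> escape it and never call .html_safe on it.
# The helper removes tags; it does not promise that what remains is safe HTML.
body = "<a href='http://rubyonrails.org'>Ruby on Rails</a>"
view.render(inline: "<h1> <%= strip_links(body) %> </h1>", locals: {body: body})
# => "<h1> Ruby on Rails </h1>"
body = "<b>Bold</b> no more! <a href='more.html'>See more</a>"
view.render(inline: "<h1> <%= strip_tags(body) %> </h1>", locals: {body: body})
# => "<h1> Bold no more! See more </h1>"

# javascript_tag embeds `body` verbatim inside <script>. Nothing is escaped, and the
# CDATA comment wrapper is not a security boundary: a "</script>" inside body ends
# the element. Only literal code belongs here; hand dynamic values to scripts via
# to_json / escape_javascript (j) or data-* attributes read from the DOM.
body = "alert('All is good')"
view.render(inline: "<h1> <%= javascript_tag(body) %> </h1>", locals: {body: body})
# => "<h1> <script>\n//<![CDATA[\nalert('All is good')\n//]]>\n</script> </h1>"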
Sanitization
Most text helpers sanitize their input by default rather than escaping it: tags and attributes on the sanitizer's allow-list are kept and rendered, while everything else (script tags, event-handler attributes, javascript: URLs) is stripped, and the result is marked html_safe so it is not escaped again on output. That allow-list lives in the sanitizer library Rails is configured with (rails-html-sanitizer from Rails 4.2 on); it is a best-effort filter, not a guarantee that every malicious payload is removed, so keep that gem current and never feed untrusted input to a helper with sanitization disabled. The example below uses simple_format:
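# simple_format runs its input through `sanitize` by default, which is why the
# javascript: href below is dropped from the anchor. Its return value is html_safe,
# so calling it with `sanitize: false` on untrusted `body` would emit the payload
# verbatim — keep the default for anything user-supplied.
# (The gist's line was missing the closing quote and the call was prefixed with a
# stray output marker; both fixed so the snippet is valid Ruby.)
body = '<a href="javascript:alert(\'no!\')">Example</a>'
ActionView::Base.new.render(inline: "<%= simple_format(body) %>", locals: {body: body})
# => "<p><a>Example</a></p>"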
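# Builder (XML) experiment. Builder templates are Ruby code: the string given to
# `inline:` with `handlers: :builder` is executed server-side with full access to
# the view. Never assemble such a template from request data.
load 'builder.rb' # helper script not part of the gist; presumably sets up `xml` (a Builder::XmlMarkup) — confirm
body = <<-EOT
xml.em("emphasized")
xml.em { xml.b("emph & bold") }
xml.a("A Link", "href" => "http://rubyonrails.org")
xml.target("name" => "compile", "option" => "fast")
EOT
# The heredoc already *is* the template source, so it is passed through as-is.
# The gist used `inline: eval(body)`: eval executed the four Builder calls once in
# this scope and handed the resulting builder object to render, where the Builder
# handler evaluated it again — consistent with the captured output below holding
# every element twice plus <inspect/> nodes (Builder::XmlMarkup turns unknown
# method calls such as `inspect` into elements). eval on a string is arbitrary
# code execution; there is no reason for it here, even in a local experiment.
ActionView::Base.new.render(inline: body, formats: :xml, handlers: :builder)
# Output captured from the original eval(body) variant, kept for reference:
# => "<inspect/>\n<inspect/>\n<em>emphasized</em>\n<em>\n <b>emph & bold</b>\n</em>\n<a href=\"http://rubyonrails.org\">A Link</a>\n<target name=\"compile\" option=\"fast\"/>\n<em>emphasized</em>\n<em>\n <b>emph & bold</b>\n</em>\n<a href=\"http://rubyonrails.org\">A Link</a>\n<target name=\"compile\" option=\"fast\"/>\n"

# Unfinished attempt to push the same source through RABL (JSON). No output was
# captured, and RABL templates are written in RABL's own DSL (object/attributes/
# node …) rather than Builder calls, so this probably did not render anything
# meaningful. The same rule applies: an inline RABL template is executed Ruby,
# so it must never contain untrusted input (eval dropped here as well).
ActionView::Base.new.render(inline: body, formats: :json, handlers: :rabl)
Rabl::Builder.new(nil, { :attributes => [ { :name => :name } ] })
# Re-issuing the Builder calls directly against `xml`; result was not captured.
xml.em("emphasized")
xml.em { xml.b("emph & bold") }
xml.a("A Link", "href" => "http://rubyonrails.org")
xml.target("name" => "compile", "option" => "fast")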
<%-
  # CSV export: a header row, then one data row for `object`. CSV.generate_line
  # quotes fields containing the delimiter, quotes or newlines (RFC 4180), so no
  # manual joining or escaping is needed.
  # Security caveat: CSV quoting does not stop spreadsheet formula injection. If
  # status/amount can carry user-supplied text, neutralise cells beginning with
  # = + - @ (e.g. prefix a single quote) before they reach generate_line.
  # NOTE(review): ActionView HTML-escapes ERB output tags in non-HTML templates
  # too (only text/plain is exempt), so a quoted field may surface as &quot;.
  # Confirm on this Rails version and wrap the call in raw(...) if so.
  headers = %w[Status Amount]
-%>
<%= CSV.generate_line(headers) %>
<%= CSV.generate_line([object.status, object.amount]) %>
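<% if object.payment > 100 %>
<%# The ERB output tag below HTML-escapes; it does not JS-escape. A literal integer is harmless, %>
<%# but any dynamic value placed inside a JS string literal must go through j()/escape_javascript %>
<%# or .to_json so quotes, newlines and a stray "</script>" cannot break out of the literal. %>
input_data = '5 debe ser <%= 4 + 1 %>';
<%# encodeURIComponent() replaces the deprecated escape(): it emits UTF-8 percent-encoding %>
<%# (escape() produced %uXXXX sequences for non-ASCII, which servers do not decode) and it %>
<%# already encodes "+" and "/", so the two manual replace() calls are gone. Those calls were %>
<%# also wrong: each re-read input_data instead of data, discarding the escaped result. %>
data = encodeURIComponent(input_data);
<% else %>
input_data = 'pago insuficiente';
<% end %>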