play_with_action_view
# irb session poking at ActionView::Base directly, with no controller or request.
# Lines beginning with "=>" are the pasted irb results, not Ruby source.
view = ActionView::Base.new
# Formats this bare view object will resolve templates for (list as returned in the session).
view.formats
=> [:html, :text, :js, :css, :ics, :csv, :vcf, :png, :jpeg, :gif, :bmp, :tiff, :mpeg, :xml, :rss, :atom, :yaml, :multipart_form, :url_encoded_form, :json, :pdf, :zip]
# `inline:` hands a template string straight to a template handler (ERB by default);
# plain text with no tags comes back unchanged.
ActionView::Base.new.render(inline: "Hello world!")
=> "Hello world!"
# ERB tags inside an inline template are evaluated as Ruby at render time.
view.render(inline: "<h1> <%= 4 +1 %> Hello world!</h1>")
=> "<h1> 5 Hello world!</h1>"
# Sample data for the examples that follow.
product = [{:name=>"video", :price=>100, :sku=>"A10001"}, {:name=>"silla", :price=>20, :sku=>"B20001"}]
# Data reaches the template through `locals:` while the template text stays a fixed
# literal. Interpolating runtime values into the `inline:` string instead would let
# those values be parsed as ERB, so keep them in `locals:` as done here.
# (The pasted result ends with </h1> although the template above does not —
# presumably tidied by hand.)
view.render(inline: "<h1> Product <%= product[0][:name] %>", locals: {product: product})
=> "<h1> Product video</h1>"
# `text:` emits the string as-is with no template handler; the #{} interpolation
# here is ordinary Ruby, evaluated before render is even called.
view.render(text: " Product #{product[0][:name]}")
=> " Product video"
# Time helper: renders a human-readable gap between two instants (the 15.seconds
# form is a Rails core extension used to build the second argument).
view.render(inline: "<h1> <%= distance_of_time_in_words(Time.now, Time.now + 15.seconds) %> </h1>")
=> "<h1> less than a minute </h1>"
# select_date emits three <select> elements (year/month/day) with the given date
# pre-selected. The year window and the selected 2015 / January / 29 values below
# appear to reflect the day the session was run, so they will differ on re-run.
# The pasted output wraps across two lines here.
view.render(inline: "<h1> <%= select_date(DateTime.now + 6.days) %> </h1>")
=> "<h1> <select id=\"date_year\" name=\"date[year]\">\n<option value=\"2010\">2010</option>\n<option value=\"2011\">2011</option>\n<option value=\"2012\">2012</option>\n<option value=\"2013\">2013</option>\n<option value=\"2014\">2014</option>\n<option selected=\"selected\" value=\"2015\">2015</option>\n<option value=\"2016\">2016</option>\n<option value=\"2017\">2017</option>\n<option value=\"2018\">2018</option>\n<option value=\"2019\">2019</option>\n<option value=\"2020\">2020</option>\n</select>\n<select id=\"date_month\" name=\"date[month]\">\n<option selected=\"selected\" value=\"1\">January</option>\n<option value=\"2\">February</option>\n<option value=\"3\">March</option>\n<option value=\"4\">April</option>\n<option value=\"5\">May</option>\n<option value=\"6\">June</option>\n<option value=\"7\">July</option>\n<option value=\"8\">August</option>\n<option value=\"9\">September</option>\n<option value=\"10\">October</option>\n<option value=\"11\">November</option>\n<option value=\"12\">December</option>\n</select>\n<select id=\"date_day\" name=\"date[day]\">\n<option value=\"1\">1</option>\n<option value=\"2\">2</option>\n<option value=\"3\">3</option>\n<option value=\"4\">4</option>\n<option value=\"5\">5</option>\n<option value=\"6\">6</option>\n<option value=\"7\">7</option>\n<option value=\"8\">8</option>\n<option value=\"9\">9</option>\n<option value=\"10\">10</option>\n<option value=\"11\">11</option>\n<option value=\"12\">12</option>\n<option value=\"13\">13</option>\n<option value=\"14\">14</option>\n<option value=\"15\">15</option>\n<option value=\"16\">16</option>\n<option value=\"17\">17</option>\n<option value=\"18\">18</option>\n<option value=\"19\">19</option>\n<option value=\"20\">20</option>\n<option value=\"21\">21</option>\n<option value=\"22\">22</option>\n<option value=\"23\">23</option>\n<option value=\"24\">24</option>\n<option value=\"25\">25</option>\n<option value=\"26\">26</option>\n<option value=\"27\">27</option>\n<option 
value=\"28\">28</option>\n<option selected=\"selected\" value=\"29\">29</option>\n<option value=\"30\">30</option>\n<option value=\"31\">31</option>\n</select>\n </h1>"
# Form helper: check_box_tag builds a checkbox <input> whose id and name are
# taken from the given string, with value="1".
view.render(inline: "<h1> <%= check_box_tag 'accept' %> </h1>")
=> "<h1> <input id=\"accept\" name=\"accept\" type=\"checkbox\" value=\"1\" /> </h1>"
# Number helpers: number_to_currency / number_to_phone format plain numbers; the
# $ sign and the dashed phone form presumably come from the default locale settings.
view.render(inline: '<h1> <%= number_to_currency(1234567890.50) %> </h1>')
=> "<h1> $1,234,567,890.50 </h1>"
view.render(inline: '<h1> <%= number_to_phone(1235551234) %> </h1>')
=> "<h1> 123-555-1234 </h1>"
# Sanitizer helpers: strip_links removes only <a> elements, strip_tags removes
# all markup; both keep the inner text and neither HTML-escapes what remains.
body = "<a href='http://rubyonrails.org'>Ruby on Rails</a>"
view.render(inline: "<h1> <%= strip_links(body) %> </h1>", locals: {body: body})
=> "<h1> Ruby on Rails </h1>"
body = "<b>Bold</b> no more! <a href='more.html'>See more</a>"
view.render(inline: "<h1> <%= strip_tags(body) %> </h1>", locals: {body: body})
=> "<h1> Bold no more! See more </h1>"
# javascript_tag wraps the given string verbatim in a <script> CDATA block —
# nothing is escaped or sanitised, so whatever lands in `body` executes as script
# in the browser; it must only ever be a trusted literal, never request data.
body = "alert('All is good')"
view.render(inline: "<h1> <%= javascript_tag(body) %> </h1>", locals: {body: body})
# (result pasted without the "=>" prefix)
"<h1> <script>\n//<![CDATA[\nalert('All is good')\n//]]>\n</script> </h1>"
Sanitization
Most text helpers sanitize the given content by default, but do not escape it. This means the permitted HTML tags still appear in the page, while disallowed tags and attributes (such as the `javascript:` URL in the example below) are removed. Let's look at some examples using the simple_format method:
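# simple_format wraps the text in <p> and, because its sanitize option is on by
# default, strips the javascript: href while keeping the <a> element itself.
# (Closing quote on the literal and the stray "=>" prompt marker fixed; the result
# line is kept as a comment so the snippet parses.)
body = '<a href="javascript:alert(\'no!\')">Example</a>'
ActionView::Base.new.render(inline: "<%= simple_format(body) %>", locals: {body: body})
# => "<p><a>Example</a></p>"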
# Loads builder.rb (from the working directory or $LOAD_PATH) into the session;
# presumably it defines the `xml` object the DSL lines below call — not shown, confirm.
load 'builder.rb'
# Builder DSL kept as a plain string (heredoc); nothing is executed yet.
body = <<-EOT
xml.em("emphasized")
xml.em { xml.b("emph & bold") }
xml.a("A Link", "href" => "http://rubyonrails.org")
xml.target("name" => "compile", "option" => "fast")
EOT
# eval runs the heredoc as Ruby in the irb scope, and its return value becomes the
# inline template source that the :builder handler then evaluates as Ruby again.
# eval executes arbitrary code with the full privileges of the process: harmless on
# this hand-typed literal, but `body` must never be built from request data. Since
# the builder handler already treats template source as Ruby, the explicit eval
# appears redundant — passing `body` itself as :inline would be the usual form.
# The pasted output shows every element twice plus two <inspect/> entries,
# presumably because `xml` keeps accumulating across evaluations — confirm.
ActionView::Base.new.render(:inline => eval(body),formats: :xml, handlers: :builder)
=> "<inspect/>\n<inspect/>\n<em>emphasized</em>\n<em>\n <b>emph &amp; bold</b>\n</em>\n<a href=\"http://rubyonrails.org\">A Link</a>\n<target name=\"compile\" option=\"fast\"/>\n<em>emphasized</em>\n<em>\n <b>emph &amp; bold</b>\n</em>\n<a href=\"http://rubyonrails.org\">A Link</a>\n<target name=\"compile\" option=\"fast\"/>\n"
# Same call routed to the :rabl handler (needs the rabl gem); no result was pasted.
ActionView::Base.new.render(:inline => eval(body),formats: :json, handlers: :rabl)
# Direct Rabl::Builder construction with an :attributes option; its result is not
# shown. NOTE(review): the first argument is nil — unclear what this was meant to render.
Rabl::Builder.new(nil, { :attributes => [ { :name => :name } ] })
# The four Builder calls from the heredoc above, typed directly at the prompt this
# time (against whatever `xml` is bound to in the session); no output was pasted.
xml.em("emphasized")
xml.em { xml.b("emph & bold") }
xml.a("A Link", "href" => "http://rubyonrails.org")
xml.target("name" => "compile", "option" => "fast")
<%# CSV template fragment: the first tag sets a template-local header array without emitting output (the trailing dash trims the newline). %>
<%- headers = ['Status', 'Amount'] -%>
<%# CSV.generate_line quotes fields per the CSV rules (commas, quotes, newlines) but does not neutralise spreadsheet formula prefixes (=, +, -, @); if object.status / object.amount can carry user-supplied text, treat such values before they reach a spreadsheet consumer. %>
<%# NOTE(review): Rails' ERB handler HTML-escapes the output of the = tag regardless of format; check whether values containing &, <, > or quotes arrive escaped in the CSV. %>
<%= CSV.generate_line headers %>
<%= CSV.generate_line([object.status, object.amount]) %>
<%# Branches on object.payment at render time; each branch emits JavaScript that assigns input_data. %>
<% if object.payment > 100 %>
<%# The = tag inserts the rendered value (5 here) into a JS string literal. NOTE(review): a value containing quotes or newlines would break out of the literal; for anything that is not a fixed literal use j / escape_javascript or to_json. %>
input_data = '5 debe ser <%= 4 + 1 %>';
<%# Each of the next three lines recomputes data from input_data, so the escape() result and the "+" replacement are discarded and only the last "/" replacement survives; String#replace with a string pattern also replaces the first match only. %>
data = escape(input_data);
data = input_data.replace("+", "%2B");
data = input_data.replace("/", "%2F");
<% else %>
input_data = 'pago insuficiente';
<% end %>