roberthopman (16,502 Points)
Sinatra: 2 parts: 1. about <%= escape @content %> 2. about the additional exercise of the overview.
Hey there,
Part 1: Since I've implemented the following in wiki.rb:

```ruby
# Output-escaping helper in wiki.rb, using Rack's HTML escaper
def escape(string)
  Rack::Utils.escape_html(string)
end
```

the output of `<%= escape @content %>` looks like code...

First, is this correct? Second, how can I fix this? Third, is the CGI fix also safe in terms of security? I've looked into nokogiri and CGI and tried those. Currently the only thing that works is:

```ruby
require 'cgi'

# Alternative helper using the standard library's CGI escaper
def raw_text(string)
  CGI.escapeHTML(string)
end
```

and then replacing `escape @content` with `raw_text @content`.
cc Jay McGavren
Part 2: my overview.rb looks like this; this might be useful for other people as well :)
```erb
<h3>All pages</h3>
<ul>
  <%# Each wiki page is stored as pages/<name>.txt; list every name as a link. %>
  <% Dir.entries("pages").each do |entry| %>
    <% page = File.basename(entry, ".txt") %>
    <%# Skip the "." and ".." entries that Dir.entries always returns. %>
    <% if page != '.' && page != '..' %>
      <li><a href="/<%= page %>"><%= page %></a></li>
    <% end %>
  <% end %>
</ul>
```
Sam Donald (36,305 Points)
Also you can move your escape method into the save_content method so the user's input is escaped on submit, before it even makes it into the database. This has the benefit of less code, and keeping your .erb files more readable. IMO
Jay McGavren (Treehouse Teacher)
Robert Hopman There's a lot of room for miscommunication here, so, to be specific: I'm assuming that you've made an entry like this in your wiki:
<script>alert('boo');</script>

If you viewed that without embedding <%= escape @content %> in your template, you should get an alert dialog saying "boo". However, after you embed <%= escape @content %> in your template, what you see should look like the original text you entered (<script>alert('boo');</script>). And that's OK. As long as you don't see an actual dialog, it means the JavaScript code is not running, which is what you want.
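Here is an added example (not code from this thread or from the course's wiki project) that reproduces the check described in the answer above using only Ruby's standard library: it renders the `<script>alert('boo');</script>` entry through an ERB template with and without an escape helper, and also shows what comes out if content that was already escaped on save is escaped a second time on output. The `escape` helper, `render` function and the two template strings are assumed stand-ins for the course's wiki.rb and show.erb.

```ruby
require 'cgi'
require 'erb'

# Output-escaping helper: same idea as the escape / raw_text helpers in the
# question, using only the standard library's CGI module (assumed stand-in).
def escape(string)
  CGI.escapeHTML(string.to_s)
end

# Constructed wiki entry: the test payload from Jay's answer.
PAYLOAD = "<script>alert('boo');</script>"

# Two tiny templates standing in for show.erb: one embeds the content raw,
# the other passes it through the helper first.
UNSAFE_TEMPLATE = "<div><%= content %></div>"
SAFE_TEMPLATE   = "<div><%= escape(content) %></div>"

# Render a template string with `content` available as a local variable.
def render(template, content)
  ERB.new(template).result_with_hash(content: content)
end

def render_unsafe(content)
  render(UNSAFE_TEMPLATE, content)
end

def render_safe(content)
  render(SAFE_TEMPLATE, content)
end

# True when the HTML still contains a real <script> tag. The escaped form
# only contains "&lt;script&gt;", which the browser displays as text.
def live_script?(html)
  html.match?(/<script\b/i)
end

# Content escaped once on save and again on output: the '&' of every entity
# is escaped a second time, so the page shows the literal text "&lt;script&gt;".
def double_escaped(content)
  escape(escape(content))
end

if __FILE__ == $PROGRAM_NAME
  puts render_unsafe(PAYLOAD)  # live <script>: the alert would fire
  puts render_safe(PAYLOAD)    # entities only: shown as text, no alert
  puts double_escaped(PAYLOAD) # &amp;lt;script&amp;gt;... visible as "&lt;script&gt;"
end
```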