
Ruby > Building Web Apps with Sinatra > Finishing Touches > Summary

Sinatra, 2 parts: 1. about <%= escape @content %>; 2. about the additional exercise of the overview.

Hey there,

Part 1: Since I've implemented the following in wiki.rb

# Rack is loaded by Sinatra, so Rack::Utils is already available here.
def escape(string)
  Rack::Utils.escape_html(string)
end

the output of <%= escape @content %> looks like code...

First, is this correct? Second, how can I fix this? Third, is the CGI fix also safe in terms of security? I've looked into Nokogiri and CGI and tried those. Currently the only thing that works is:

require 'cgi'  # CGI.escapeHTML comes from the Ruby standard library

def raw_text(string)
  CGI.escapeHTML(string)
end

and then replacing escape @content with raw_text @content

cc Jay McGavren

Part 2

My overview.erb looks like this; this might be useful for other people as well :)

<h3>All pages</h3>
<ul>
  <%# Every wiki page is stored as pages/<name>.txt; list them all %>
  <% Dir.entries("pages").each do |entry| %>
    <% next if entry == '.' || entry == '..' %>
    <% page = File.basename(entry, ".txt") %>
    <li><a href="/<%= page %>"><%= page %></a></li>
  <% end %>
</ul>
Jay McGavren, Treehouse Teacher

Robert Hopman: There's a lot of room for miscommunication here, so, to be specific, I'm assuming that you've made an entry like this in your wiki:

<script>alert('boo');</script>

If you viewed that without embedding <%= escape @content %> in your template, you should get an alert dialog saying "boo". However, after you embed <%= escape @content %> in your template, what you see should look like the original text you entered (<script>alert('boo');</script>). And that's OK. As long as you don't see an actual dialog, it means the JavaScript code is not running, which is what you want.

Sam Donald

Also, you can move your escape method into the save_content method so the user's input is escaped on submit, before it even makes it into the database.

This has the benefit of less code, and keeps your .erb files more readable. IMO
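The following is an added example, not code from the Treehouse course or from anyone in this thread. It models both points made above: Jay's, that a wiki entry such as <script>alert('boo');</script> rendered through <%= escape @content %> comes out as literal text that the browser will not execute, and Sam's, that the same escaping can instead be done once at save time. The module, class and method names (WikiEscape, View, render_raw, render_escaped, save_content, contains_script_tag?), the in-memory PAGES hash standing in for the pages/ directory, and the two one-line templates are all constructed for the demonstration; the escaping itself uses CGI.escapeHTML from the standard library, which produces the same entities as Rack::Utils.escape_html for the characters that matter here (< > & ").

```ruby
require 'cgi'
require 'erb'

# Added example, not code from the Treehouse course or the thread. It models the
# two places the thread talks about escaping: at render time with
# <%= escape @content %>, and once at save time inside a save_content-style
# method. PAGES stands in for the pages/ directory and the two templates are
# constructed one-line versions of a page template.
module WikiEscape
  # The helper from the thread, built on the standard library. For the
  # characters that matter here (< > & ") CGI.escapeHTML and
  # Rack::Utils.escape_html produce the same entities.
  def self.escape(string)
    CGI.escapeHTML(string.to_s)
  end

  # Constructed templates: one escapes on output, one does not.
  ESCAPING_TEMPLATE = ERB.new('<div class="page"><%= escape @content %></div>')
  RAW_TEMPLATE      = ERB.new('<div class="page"><%= @content %></div>')

  # Minimal view object so the templates can see @content and escape,
  # the way a Sinatra erb call sees instance variables and helper methods.
  class View
    def initialize(content)
      @content = content
    end

    def escape(string)
      WikiEscape.escape(string)
    end

    def render(template)
      template.result(binding)
    end
  end

  def self.render_raw(content)
    View.new(content).render(RAW_TEMPLATE)
  end

  def self.render_escaped(content)
    View.new(content).render(ESCAPING_TEMPLATE)
  end

  # Escape-on-submit variant (hypothetical stand-in for the course's
  # save_content): whatever is stored is already inert HTML text.
  PAGES = {}

  def self.save_content(title, content)
    PAGES[title] = escape(content)
  end

  # True when the rendered HTML still contains a live <script> tag,
  # i.e. the browser would execute it.
  def self.contains_script_tag?(html)
    html.match?(/<script\b/i)
  end
end

if __FILE__ == $PROGRAM_NAME
  boo = "<script>alert('boo');</script>"   # constructed sample wiki entry

  puts WikiEscape.render_raw(boo)       # script tag survives: the alert fires
  puts WikiEscape.render_escaped(boo)   # shown as literal text, nothing runs

  # Escaping at save time makes the stored text safe to render raw ...
  WikiEscape.save_content("Boo", boo)
  puts WikiEscape.render_raw(WikiEscape::PAGES["Boo"])
  # ... but escaping it again at render time double-escapes it: the reader
  # then sees "&lt;script&gt;" instead of "<script>". Escape in one place only.
  puts WikiEscape.render_escaped(WikiEscape::PAGES["Boo"])
end
```

Run it with plain `ruby` and compare the four printed lines: only the first still contains a real `<script>` tag. The last line shows the trade-off in Sam's approach: once content is escaped on save, the templates must render it without a second `escape`, or the stored entities get escaped again and the page displays `&lt;` and `&gt;` literally.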