This course will be retired on June 1, 2025.
You've just built a Sinatra app completely from scratch. Let's review all the concepts we had to learn to get here.
Learning More
Sinatra has lots more functionality than we can cover in this course. You can learn more on the official Sinatra site.
Security
Because we include the contents of a text file into the show.erb page verbatim, malicious users could embed HTML code and even JavaScript into the page, and that code will run in the browser of every other user who views the page. For example, try entering the following as a page's content:
<script>alert('boo');</script>
When another user views that page, a JavaScript alert dialog will appear. And if a malicious user can do that, they can do other nasty things as well.
We can prevent this by escaping any HTML code that appears in a page's content - replacing characters that would normally be treated as HTML markup with entities that are shown in the browser instead. For example, the above malicious code would look like this when it's escaped:
&lt;script&gt;alert(&#x27;boo&#x27;);&lt;&#x2F;script&gt;
But it would look exactly like the original code when viewed in a browser. (It just wouldn't be executed or treated as markup.)
To escape any HTML that might appear in a string, we can call the Rack::Utils.escape_html method on that string. We can add a method at the top of the wiki.rb file that does this. There's a method in Rails named h that does this same thing, so we'll name this method h as well:
def h(string)
Rack::Utils.escape_html(string)
end
The Rack::Utils library gets loaded when Sinatra does, so we don't need to require it ourselves.
Now that our new h method is defined within wiki.rb, we can call it within the show.erb template. We can replace this line:
<p><%= @content %></p>
...with this:
<p><%= h @content %></p>
Restart the app, and try reloading the page that you embedded JavaScript code within. You won't get a dialog message anymore. Instead, the code will be visible exactly as it was entered in the page edit form.
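As an added example (not the course's own code), here is the h helper next to the two versions of the show.erb line, rendered with Ruby's standard-library ERB against the script payload shown above, so you can see exactly what each version sends to the browser. The escape table is re-implemented inline to mirror Rack::Utils.escape_html (the Rack 1.x/2.x mapping) so the example runs without Sinatra or Rack installed; the PageView class, render_page and contains_live_markup? helpers are constructed for this example.

```ruby
require "erb"

# Character-to-entity table mirroring Rack::Utils.escape_html (Rack 1.x/2.x).
# Re-implemented here only so the example runs without the rack gem (assumption).
ESCAPE_HTML = {
  "&" => "&amp;", "<" => "&lt;", ">" => "&gt;",
  "'" => "&#x27;", '"' => "&quot;", "/" => "&#x2F;"
}.freeze
ESCAPE_HTML_PATTERN = Regexp.union(*ESCAPE_HTML.keys)

# Same role as the h method added to wiki.rb in the course.
def h(string)
  string.to_s.gsub(ESCAPE_HTML_PATTERN, ESCAPE_HTML)
end

# The show.erb line before and after the fix.
UNSAFE_TEMPLATE = "<p><%= @content %></p>"
SAFE_TEMPLATE   = "<p><%= h @content %></p>"

# Stand-in for the Sinatra view context: holds @content and evaluates
# the template with it, just as Sinatra's erb helper does (constructed).
class PageView
  def initialize(content)
    @content = content
  end

  def render(template)
    ERB.new(template).result(binding)
  end
end

def render_page(template, content)
  PageView.new(content).render(template)
end

# Regression check for a test suite: did a raw <script> tag, inline event
# handler or javascript: URL survive into the rendered HTML? Heuristic only.
def contains_live_markup?(html)
  html.match?(/<\s*script|on\w+\s*=|javascript:/i)
end

if __FILE__ == $0
  payload = "<script>alert('boo');</script>"  # the content typed into the edit form
  puts render_page(UNSAFE_TEMPLATE, payload)  # tag reaches the browser and runs
  puts render_page(SAFE_TEMPLATE, payload)    # entities only; browser displays the text
end
```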
It's generally a good idea to assume that users may enter malicious data into any form you provide to them. Escaping HTML is just one of many techniques developers use to limit the harm that can be done.
Project Ideas
Looking to practice what you've learned? Here are some project ideas.
- In the wiki app, add a list of all the available wiki pages. The Dir class from Ruby core has an each method that will let you get a list of all the files in the pages/ subdirectory; you can use those to build clickable links.
- See if you can replicate the guestbook app from this course's code challenges. Add a feature to view a list of all the signatures, then give users the ability to create, update, or delete signatures.