Summary

Learning More

Sinatra has lots more functionality than we can cover in this course. You can learn more on the official Sinatra site.

Security

Because we include the contents of a text file into the show.erb page verbatim, malicious users could embed HTML code and even JavaScript into the page, which will be run when other users view the page. For example, try entering the following as a page's content:

<script>alert('boo');</script>

When another user views that page, a JavaScript alert dialog will appear. And if a malicious user can do that, they can do other nasty things as well.

We can prevent this by escaping any HTML code that appears in a page's content - replacing characters that would normally be treated as HTML markup with entities that are shown in the browser instead. For example, the above malicious code would look like this when it's escaped:

<script>alert('boo');</script>

But it would look exactly like the original code when viewed in a browser. (It just wouldn't be executed or treated as markup.)

To escape any HTML that might appear in a string, we can call the Rack::Utils.escape_html method on that string. We can add a method at the top of the wiki.rb file that does this. There's a method in Rails named h that does this same thing, so we'll name this method h as well:

def h(string)
  Rack::Utils.escape_html(string)
end

The Rack::Utils library gets loaded when Sinatra does, so we don't need to require it or anything.

Now that our new h method is defined within wiki.rb, we can call it within the show.erb template. We can replace this line:

<p><%= @content %></p>

...with this:

<p><%= h @content %></p>

Restart the app, and try reloading the page that you embedded JavaScript code within. You won't get a dialog message anymore. Instead, the code will be visible exactly as it was entered in the page edit form.

It's generally a good idea to assume that users may enter malicious data into any form you provide to them. Escaping HTML is just one of many techniques developers use to limit the harm that can be done.

Project Ideas

Looking to practice what you've learned? Here are some project ideas.

• In the wiki app, add a list of all the available wiki pages. The Dir class from Ruby core has an each method that will let you get a list of all the files in the pages/ subdirectory; you can use those to build clickable links.
• See if you can replicate the guestbook app from this course's code challenges. Add a feature to view a list of all the signatures, then give users the ability to create, update, or delete signatures.