Rails 3 XSS Escaping Breaks Plugins - xss

Is there a relatively easy solution to Rails 3 auto-escaping not breaking view-oriented plugins? I'm using table_builder, which has an API along the lines of:
<%= calendar_for(args) do |table| %>
...
<% end %>
Unfortunately, Rails goes through and escapes all the HTML generated from that plugin. Is there an easy way to avoid this behavior that doesn't involve me hacking on the plugin itself? I can't really wrap it in a raw() from what I know, because it's an ERB block.
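The mechanism behind the breakage, as an added illustration (not Rails code and not table_builder's): a simplified stand-in for ActiveSupport::SafeBuffer, a pre-Rails-3 style block helper whose plain-String output gets escaped wholesale, the same helper made buffer-aware so its own markup is marked safe while block-supplied cell content is still escaped, and the result of simply wrapping the old helper in raw(). `SafeString`, `OutputBuffer`, the `*_table_for` helpers and the `ROWS` sample are all constructed for this example.

```ruby
require 'cgi'

# Plain strings are untrusted; Rails 3 escapes them on output.
class String
  def html_safe?; false; end
  def html_safe; SafeString.new(self); end
end

# Marker subclass standing in for SafeBuffer's "already safe" flag.
class SafeString < String
  def html_safe?; true; end
end

# Simplified model of the Rails 3 ERB output buffer: anything appended
# that is not flagged html_safe gets HTML-escaped.
class OutputBuffer
  def initialize; @out = String.new; end
  def <<(str)
    @out << (str.html_safe? ? str.to_s : CGI.escapeHTML(str.to_s))
    self
  end
  def to_s; @out; end
end

# Pre-Rails-3 style block helper: assembles markup in a plain String, so
# the output buffer treats all of it as untrusted and escapes the tags.
def legacy_table_for(rows)
  html = String.new('<table>')
  rows.each { |r| html << "<tr><td>#{yield(r)}</td></tr>" }
  html << '</table>'
end

# Rails-3-aware version: its own literal markup is marked safe, while the
# content supplied by the block is escaped like any other view value.
def safe_table_for(rows)
  buf = OutputBuffer.new << '<table>'.html_safe
  rows.each { |r| buf << '<tr><td>'.html_safe << yield(r) << '</td></tr>'.html_safe }
  (buf << '</table>'.html_safe).to_s.html_safe
end

def render(value); (OutputBuffer.new << value).to_s; end

# Constructed rows: the second one is hostile, user-controlled input.
ROWS = ['Monday', '<script>alert(1)</script>'].freeze

def legacy_render; render(legacy_table_for(ROWS) { |r| r }); end           # whole table escaped: nothing renders
def raw_render;    render(legacy_table_for(ROWS) { |r| r }.html_safe); end # raw() on the plugin: script survives
def safe_render;   render(safe_table_for(ROWS) { |r| r }); end             # markup kept, script escaped
```

The third variant is the fix a plugin needs for Rails 3: only the helper's own markup is marked safe, so blanket raw() in the view is never required.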

Take care which fork you put in your Gemfile; this one works with Rails 3 as a gem, as demonstrated in the Railscast: http://railscasts.com/episodes/213-calendars
https://github.com/jchunky/table_builder
Use this in your Gemfile:
gem 'table_builder', '0.0.3', :git => 'git://github.com/jchunky/table_builder.git'

Related

NOT rendering searched items in Search box used thinking-sphinx Gem

As I am a beginner to Rails...
I have installed gem 'thinking-sphinx' (3.1.3, 2.0.10) in my file using Rails 4
and RVM 2.0.0.
I wrote this action in my controller
and inside the index page added a form_tag,
and in the same file added this script.
In the search box it's not showing the searched results,
but in the terminal it is showing as
routes.rb
resources :patients do
  member do
    put :update_status
  end
  collection do
    get :search
    get :search_sphinx
  end
end

The gem simple_form displays numbers instead of associated strings, when using the enums introduced in Rails 4.1

Rails 4.1 introduced enum, which doesn't play well with the latest version of simple_form. When used with associations, simple_form displays numbers instead of the associated strings. Any solutions or workarounds?
Add the following lines to your Gemfile
# Help ActiveRecord::Enum feature to work fine with I18n and simple_form.
gem 'enum_help'
Learn more here

Asset pipelining for individual view with fingerprinting

I'm using Rails 4.0 with Ruby 2.0.
And I've hundreds of JS and CSS files. I don't want them to load on all pages.
So I removed require_tree in application.js and application.css.
I include the required CSS and JS using
<%= javascript_include_tag "js_file" %>
<%= stylesheet_link_tag "css_file" %>
My questions are
1. Do I need to precompile assets?
2. Will they be formed into a single file and sent on the client side?
3. What is and how can the turbo_link gem help me here?
4. Should I use controller-based assets and use their appropriate CSS and JS file for inclusion?
1. Do I need to precompile assets?
No, but it entirely depends on your production environment. Services such as Heroku require precompiled assets.
2. Will they be formed into a single file and sent on client side?
The assets which are required in the application.css will be merged into that file. However, if you have controller-specific css/js, and call them from your layout accordingly, they should be compiled into their respective files
3. What is and how can turbo_link gem help me here?
Turbolinks is a gem designed to help boost page load times, by cutting down the number of times the elements have to be loaded. Basically, if you're using the same controller, turbolinks will just replace the part of your page with an Ajax request
So nope, Turbolinks won't help you with compilation / organization of your assets :)
4. Should I use controller-based assets and use their appropriate CSS and JS file for inclusion?
It depends on your application. The first question I would have is.... why do you have 100's of CSS & JS files? After you find the answer to this, you can then work on making the system work to the most efficient requirements

Rails 4 Modifying Scaffold Output. Removing Test files

I am attempting to follow the guide http://guides.rubyonrails.org/generators.html. In section 5 Customizing Your Workflow, it discusses modifying this code within config/application.rb:
config.generators do |g|
  g.orm :active_record
  g.template_engine :erb
  g.test_framework :test_unit, fixture: true
end
However, when I open this file, I do not see these lines!
My ruby version is 1.9.3p327, and my rails version is 4.0.0
Are these lines located in another file? Did I generate my application incorrectly?
That used to be commented out by default in Rails 3; it was removed altogether in Rails 4. I think you should be okay if you just add it in manually.
Ryan has a few words about that here: http://asciicasts.com/episodes/216-generators-in-rails-3

Mercury Editor with rails4

I'm wondering how to use the mercury gem with Rails 4.
I tried to follow the guide http://asciicasts.com/episodes/296-mercury-editor
If I load a page within the editor (/editor/pages/1) I see this error in the JavaScript console:
Uncaught TypeError: Cannot read property 'konqueror' of undefined
and the mercury-region isn't visible on the page at all.
Gemfile:
gem 'mercury-rails', github: 'jejacks0n/mercury'
app/views/pages/show.html.erb:
<div id="page_body" class="mercury-region" data-type="editable">
<%= raw(@page.body) %>
</div>
After some delay I get a JavaScript alert with the message:
Mercury.PageEditor failed to load: Region type is malformed, no data-type provided, or "Full" is unknown for the "page_body" region.
Please try refreshing.
Mercury is utilising jquery.browser; this method is deprecated in the most recent update.
If you include gem 'jquery-migrate-rails' in your Gemfile, that should work favourably until Mercury updates its code to the latest jQuery, or at least 1.9.
You'll need to add
//= require jquery-migrate-min
to your application.js after jquery is loaded.
I just had the same issue. I describe it better in my own question here, but basically the issue comes from a deprecated jquery method calling 'konqueror'. I don't think it had anything to do with your app being in rails 4 btw. I'm in gem 'rails', '3.2.13'
I'd up-vote the question but apparently I need more reputation. hint, hint :)
I had a similar issue with this because of Turbolinks. I just disabled its JS in application.js:
//= require turbolinks
to:
// require turbolinks
until I figure out how to get them to play nicely together. At least for the Mercury pages, I have to poke them somehow.
I have some issues too; it does seem to be an issue with Turbolinks. I was able to get by it by removing the line:
<%= javascript_include_tag 'application', 'data-turbolinks-track' => true %>
from my application.html.erb file. Not sure if this will cause issues down the road.