NY Standup 6/6/2011: Let's get dangerous.

Interesting Things

  • Using the result of render as an attribute: If you call render in a view, you’ll get back a SafeBuffer, which acts like a String but is marked as trusted: any HTML it contains will not be escaped when it’s placed on the page. If you use this value in a DOM attribute, however, it will be escaped:

    - template = render 'ajaxy_thing/template'
    %ul#ajaxy_things{template: template}

    If it weren’t escaped, the contents of template would probably break out of the ul tag early and mess things up.

    One pair tried to extract code like this into a helper, and then do something like:

    template = render('ajaxy_thing/template')
    content_tag(:ul, id: "ajaxy_things", template: template)

    Here, it turns out, template is so trusted that its contents are inserted without escaping, which breaks the ul tag. It becomes something like:

    which is clearly no good. (In fact, it’s so weird that I had to turn that snippet into an image just to get the blog to display it.)

    When you have a String which is untrusted and you don’t want it to be escaped, you call #html_safe on it. This is the opposite, and it’s not clear how best to do it. The pair decided to make a new String out of it, which worked:

    template = String.new(render('ajaxy_thing/template')) # The new String is not html_safe
  • TeamCity 6.5: TeamCity 6.5 is out, but it breaks RVM support. RVM support will return in 6.5.1.
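
The escaping difference from the render item above, as an added plain-Ruby example that is not code from the original post. `TrustedMarkup`, `build_tag` and `attributes_intact?` are hypothetical stand-ins (assumptions) that model only the trust flag and an escape-unless-trusted attribute builder, not Rails' own classes or helpers.

```ruby
require 'erb'

# Stand-in for Rails' SafeBuffer (assumption: only the trust flag is modelled).
class TrustedMarkup < String
  def html_safe?
    true
  end
end

# Escape-unless-trusted policy, as the post describes for the helper path.
def escape_unless_trusted(value)
  trusted = value.respond_to?(:html_safe?) && value.html_safe?
  trusted ? value.to_s : ERB::Util.html_escape(value)
end

# Hypothetical minimal tag builder, not Rails' content_tag.
def build_tag(name, attrs)
  rendered = attrs.map { |k, v| %(#{k}="#{escape_unless_trusted(v)}") }.join(' ')
  "<#{name} #{rendered}></#{name}>"
end

# Constructed sample standing in for render('ajaxy_thing/template').
def rendered_template
  TrustedMarkup.new(%(<li class="thing">A & B</li>))
end

# Trusted value goes into the attribute verbatim and closes it early.
def broken_tag
  build_tag(:ul, id: 'ajaxy_things', template: rendered_template)
end

# The pair's fix: String.new copies the text but drops the trust flag.
def fixed_tag
  build_tag(:ul, id: 'ajaxy_things', template: String.new(rendered_template))
end

# Regression check: every attribute value is free of raw quotes and angle brackets.
def attributes_intact?(html)
  html.match?(/\A<\w+(?: [\w-]+="[^"<>]*")*><\/\w+>\z/)
end

if __FILE__ == $PROGRAM_NAME
  puts broken_tag
  puts fixed_tag
end
```

A check like `attributes_intact?` is suited to a helper spec, so that a trusted value placed in an attribute fails the build instead of silently producing broken markup.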


  • I think adding a .html_unsafe to string or making a h style helper that ignores html_safe would be a bit cleaner
