[ANN] Rails 0.5.0: The end of vaporware!

I’ve been talking (and hyping) Rails for so long that it’s all weird to finally have it out in the open. Mind you, we’re still not talking about a 1.0 release, but the package currently on offer is still something I’m very comfortable to share with the world. Undoubtedly, there could be more documentation and more examples, but Real Artists Ship and this piece will grow in public. Enjoy Rails!

Documentation, download: http://www.rubyonrails.org

What is Rails?
==============

Rails is an open source web-application framework for Ruby. It ships with an answer for every letter in MVC: Action Pack for the Controller and View, Active Record for the Model.

Everything needed to build real-world applications in less lines of code than other frameworks spend setting up their XML configuration files. Like Basecamp, which was launched after 4 KLOCs and two months of development by a single programmer.

Being a full-stack framework means that all layers are built to work seamlessly together. That way you Don’t Repeat Yourself (DRY) and you can use a single language from top to bottom. Everything from templates to control flow to business logic is written in Ruby—the language of love for industry heavy-weights.

In striving for DRY compliance, Rails shuns configuration files and annotations in favor of reflection and run-time extensions. This means the end of XML files telling a story that has already been told in code. It means no compilation phase: Make a change, see it work. Meta-data is an implementation detail left for the framework to handle.

What is Active Record?

Active Record connects business objects and database tables to create a persistable domain model where logic and data are presented in one wrapping. It’s an implementation of the object-relational mapping (ORM) pattern by the same name as described by Martin Fowler:

    An object that wraps a row in a database table or view,
    encapsulates the database access, and adds domain logic on that data.

Active Record’s main contribution to the pattern is to relieve the original of two stunting problems: lack of associations and inheritance. By adding a simple domain language-like set of macros to describe the former and integrating the Single Table Inheritance pattern for the latter, Active Record narrows the gap of functionality between the data-mapper and active record approach.

Learn more: http://activerecord.rubyonrails.org

What is Action Pack?

Action Pack splits the response to a web request into a controller part (performing the logic) and a view part (rendering a template). This two-step approach is known as an action, which will normally create, read, update, or delete (CRUD for short) some sort of model part (often database) before choosing either to render a template or redirecting to another action.

Action Pack implements these actions as public methods on Action Controllers and uses Action Views to implement the template rendering. Action Controllers are then responsible for handling all the actions relating to a certain part of an application. This grouping usually consists of actions for lists and for CRUDs revolving around a single (or a few) model objects. So ContactController would be responsible for listing contacts, creating, deleting, and updating contacts. A WeblogController could be responsible for both posts and comments.

Action View templates are written using embedded Ruby in tags mingled in with the HTML. To avoid cluttering the templates with code, a bunch of helper classes provide common behavior for forms, dates, and strings. And it’s easy to add specific helpers to keep the separation as the application extends.

Learn more: http://actionpack.rubyonrails.org

--
David Heinemeier Hansson,
http://www.instiki.org/ -- A No-Step-Three Wiki in Ruby
http://www.basecamphq.com/ -- Web-based Project Management
http://www.loudthinking.com/ -- Broadcasting Brain
http://www.nextangle.com/ -- Development & Consulting Services

it seems waiting was worth it :)
Anyway, about the (uber impressive) ten minutes video on the main
page, a different format would be appreciated cause quicktime does not
mix well with windows boxes and small monitors :)

Oh, I was nearly forgetting,
woowoo!


On Sun, 25 Jul 2004 04:43:00 +0900, David Heinemeier Hansson <david@loudthinking.com> wrote:

I’ve been talking (and hyping) Rails for so long that it’s all weird to
finally have it out in the open. Mind you, we’re still not talking
about a 1.0 release, but the package currently on offer is still
something I’m very comfortable to share with the world. Undoubtedly,
there could be more documentation and more examples, but Real Artists
Ship and this piece will grow in public. Enjoy Rails!

Documentation, download: http://www.rubyonrails.org

David Heinemeier Hansson wrote:

I’ve been talking (and hyping) Rails for so long that it’s all weird to finally have it out in the open. Mind you, we’re still not talking about a 1.0 release, but the package currently on offer is still something I’m very comfortable to share with the world. Undoubtedly, there could be more documentation and more examples, but Real Artists Ship and this piece will grow in public. Enjoy Rails!

The 10 minute video is really impressive. But after browsing through the documentation I haven't found an answer to one question: what does happen with XML special chars like <> when you write <%= @post.text %>?

Or my linux box :) I can coax mplayer to play the video but not the
audio. I'd really like to watch that longer video (which is what I'm
referring about the audio), mpg format would be greatly appreciated!

To stay on topic, I've been watching Rails for a few weeks since I
came across it and I'm delighted that the release has finally come. I
look forward to playing around with it at work on Monday.

Thanks
-Scott


On Sun, 25 Jul 2004 10:26:55 +0900, gabriele renzi <surrender_it@rc1.vip.ukl.yahoo.com> wrote:

On Sun, 25 Jul 2004 04:43:00 +0900, David Heinemeier Hansson <david@loudthinking.com> wrote:

>I've been talking (and hyping) Rails for so long that it's all weird to
>finally have it out in the open. Mind you, we're still not talking
>about a 1.0 release, but the package currently on offer is still
>something I'm very comfortable to share with the world. Undoubtedly,
>there could be more documentation and more examples, but Real Artists
>Ship and this piece will grow in public. Enjoy Rails!
>
>Documentation, download: http://www.rubyonrails.org

it seems waiting was worth it :)
Anyway, about the (uber impressive) ten minutes video on the main
page, a different format would be appreciated cause quicktime does not
mix well with windows boxes and small monitors :)

Oh, I was nearly forgetting,
woowoo!

I believe the correct expression is woohoo! (not woowoo, unless
perhaps you also find David attractive :)


On Sun, 25 Jul 2004 10:26:55 +0900, gabriele renzi <surrender_it@rc1.vip.ukl.yahoo.com> wrote:

Oh, I was nearly forgetting,
woowoo!

The 10 minute video is really impressive. But after browsing through the documentation I haven't found an answer to one question: what does happen with XML special chars like <> when you write <%= @post.text %>?

I'm not sure I understand the question, but everything within a <% %> block is interpreted as regular Ruby code through ERb (the Ruby-version of eRuby). You can read more about how the Action View works in http://ap.rubyonrails.org/classes/ActionView.html.

Every other tag is left untouched by the View. So basically the templates are plain text files that can hold anything (HTML, XML, LaTeX, emails) sprinkled with Ruby embeddings to add dynamic behavior.


--
David Heinemeier Hansson,
http://www.rubyonrails.org/ -- Web-application framework for Ruby
http://www.instiki.org/ -- A No-Step-Three Wiki in Ruby
http://www.basecamphq.com/ -- Web-based Project Management
http://www.loudthinking.com/ -- Broadcasting Brain
http://www.nextangle.com/ -- Development & Consulting Services

Carl Youngblood wrote:

gabriele renzi wrote:
> Oh, I was nearly forgetting,
> woowoo!

I believe the correct expression is woohoo! (not woowoo [...] :)

Rails => Train noise ?

+1 for woowoo! (YMMV ;)


--
anonymous

David Heinemeier Hansson wrote:

The 10 minute video is really impressive. But after browsing through the documentation I haven't found an answer to one question: what does happen with XML special chars like <> when you write <%= @post.text %>?

I'm not sure I understand the question, but everything within a <% %> block is interpreted as regular Ruby code through ERb

Sorry that it wasn't clear, I wanted to know what happened when @post.text contains characters like ">" or "&". (How) are they converted to entities?

These days I'm getting almost everything wrong.
But in this case I meant this, everybody loves old steam locomotives
:)

On Sun, 25 Jul 2004 06:14:33 +0100, "daz" <dooby@d10.karoo.co.uk> wrote:

Carl Youngblood wrote:

gabriele renzi wrote:
> Oh, I was nearly forgetting,
> woowoo!

I believe the correct expression is woohoo! (not woowoo [...] :)

Rails => Train noise ?

+1 for woowoo! (YMMV ;)

The 10 minute video is really impressive. But after browsing through the documentation I haven't found an answer to one question: what does happen with XML special chars like <> when you write <%= @post.text %>?

I'm not sure I understand the question, but everything within a <% %> block is interpreted as regular Ruby code through ERb

Sorry that it wasn't clear, I wanted to know what happened when @post.text contains characters like ">" or "&". (How) are they converted to entities?

Ahh. Rails offers no built-in method for that, but perhaps it should in the TextHelper[1]. You can, however, just use CGI.escapeHTML[2] like this:

<%= CGI.escapeHTML(@post.text) %>

[1] http://ap.rubyonrails.org/classes/ActionView/Helpers/TextHelper.html
[2] http://www.ruby-doc.org/stdlib/libdoc/cgi/rdoc/classes/CGI.html#M000003.

--
David Heinemeier Hansson,
http://www.rubyonrails.org/ -- Web-application framework for Ruby
http://www.instiki.org/ -- A No-Step-Three Wiki in Ruby
http://www.basecamphq.com/ -- Web-based Project Management
http://www.loudthinking.com/ -- Broadcasting Brain
http://www.nextangle.com/ -- Development & Consulting Services

David Heinemeier Hansson wrote:

The 10 minute video is really impressive. But after browsing through the documentation I haven't found an answer to one question: what does happen with XML special chars like <> when you write <%= @post.text %>?

I'm not sure I understand the question, but everything within a <% %> block is interpreted as regular Ruby code through ERb

Sorry that it wasn't clear, I wanted to know what happened when @post.text contains characters like ">" or "&". (How) are they converted to entities?

Ahh. Rails offers no built-in method for that, but perhaps it should in the TextHelper[1]. You can, however, just use CGI.escapeHTML[2] like this:

<%= CGI.escapeHTML(@post.text) %>

I see. This is always what I don't like about Eruby; with Kwartz (and most other templating systems) every variable I include with #{variable}# is escaped automatically, and it is possible to disable escaping by writing #{ X(variable) }#. As 99% of the variables usually are not meant to include HTML code anyway, this makes templates look clearer and is less error-prone.

Maybe it would make sense to extend Eruby/Erb/whatever with another tag that wraps the content in CGI.escapeHTML? For example
{%= @post.text %}
instead of
<%= CGI.escapeHTML( @post.text ) %>
?

I think a better solution if you wanted something like this would be
to alter rails so it changes the variables in the @post object before
displaying them. But I'm not sure everyone would want this behavior.


On Sun, 25 Jul 2004 22:21:54 +0900, Andreas Schwarz <usenet@andreas-s.net> wrote:

Maybe it would make sense to extend Eruby/Erb/whatever with another tag
that wraps the content in CGI.escapeHTML? For example
{%= @post.text %}
instead of
<%= CGI.escapeHTML( @post.text ) %>
?

Carl Youngblood wrote:

I think a better solution if you wanted something like this would be
to alter rails so it changes the variables in the @post object before
displaying them.

No, something like this should be done at the template level. If I need both the escaped and the unescaped string or want to apply some processing to the string in the template it's getting very ugly.

I'm surprised that there is no easy way to deal with this issue; after seeing all these examples with date types being automatically displayed as a selection form etc. I would have expected Rails to take care of properly escaping simple strings.

Carl Youngblood wrote:

I think a better solution if you wanted something like this would be
to alter rails so it changes the variables in the @post object before
displaying them. But I'm not sure everyone would want this behavior.

Maybe it would make sense to extend Eruby/Erb/whatever with another tag
that wraps the content in CGI.escapeHTML? For example
{%= @post.text %}
instead of
<%= CGI.escapeHTML( @post.text ) %>
?


Well, here's a quick hack that anyone could do in their code to make the autoescaping (and explicit non-escaping) possible:

   require 'erb'
   require 'cgi'

   class String
     NO_ESC_REGEX = /^NOESCAPE:(.*)/

     def html_safe_concat( text )
       if text =~ NO_ESC_REGEX
         concat($1)
       else
         concat(CGI.escapeHTML(text))
       end
     end
   end

   class ERB
     alias :old_set_eoutvar :set_eoutvar

     def set_eoutvar(compiler, eoutvar='_erbout')
       old_set_eoutvar( compiler, eoutvar )
       compiler.put_cmd = "#{eoutvar}.html_safe_concat"
     end
   end

   X = "NOESCAPE:"
   @something = "<escape \"me\" baby>"
   @notme = "<b>not me, \"please\"</b>"

   erb = ERB.new "This is <%=@something%> with text, and <%=X+@notme%>"

   p erb.result
   # -> "This is &lt;escape &quot;me&quot; baby&gt; with text, and <b>not me, \"please\"</b>"

Not perfect, obviously, but it does work.

On Sun, 25 Jul 2004 22:21:54 +0900, Andreas Schwarz <usenet@andreas-s.net> wrote:

--
Jamis Buck
jgb3@email.byu.edu
http://www.jamisbuck.org/jamis

"I use octal until I get to 8, and then I switch to decimal."

I'm surprised that there is no easy way to deal with this issue; after seeing all these examples with date types being automatically displayed as a selection form etc. I would have expected Rails to take care of properly escaping simple strings.

I guess it depends on what kind of application you're building. For content-heavy applications, such as weblogs, discussion board, content management systems, etc, it's often the case that you _don't_ want the strings escaped. And even if you don't want them escaped, it's likely that you need more advanced escaping anyway.

But I agree that CGI.escapeHTML is a bit rich, so I'll add some kind of shorter wrapper for that to the TextHelper in the next version. No need to wait, though. Edit vendor/actionpack/lib/action_view/helpers/text_helper.rb and add this method:

   def escape(string)
     CGI.escapeHTML(string)
   end

If you think that's too much to type, perhaps also:

   alias_method :e, :escape

Then you're all ready to rock with <%= e(@post.text) %>


--
David Heinemeier Hansson,
http://www.rubyonrails.org/ -- Web-application framework for Ruby
http://www.instiki.org/ -- A No-Step-Three Wiki in Ruby
http://www.basecamphq.com/ -- Web-based Project Management
http://www.loudthinking.com/ -- Broadcasting Brain
http://www.nextangle.com/ -- Development & Consulting Services

Well, here's a quick hack that anyone could do in their code to make the autoescaping (and explicit non-escaping) possible:

Not perfect, obviously, but it does work.

That's kinda sexy. I'd certainly welcome a switch-on addition of that to Action Pack. Perhaps something like:

   ActionController::Base.auto_escape_template_prints = true

Following the lines of existing switches, like:

   ActionController::Base.view_controller_internals = true

Cool stuff, Jamis!


--
David Heinemeier Hansson,
http://www.rubyonrails.org/ -- Web-application framework for Ruby
http://www.instiki.org/ -- A No-Step-Three Wiki in Ruby
http://www.basecamphq.com/ -- Web-based Project Management
http://www.loudthinking.com/ -- Broadcasting Brain
http://www.nextangle.com/ -- Development & Consulting Services

David Heinemeier Hansson wrote:

I'm surprised that there is no easy way to deal with this issue; after
seeing all these examples with date types being automatically
displayed as a selection form etc. I would have expected Rails to take
care of properly escaping simple strings.

I guess it depends on what kind of application you're building. For
content-heavy applications, such as weblogs, discussion board, content
management systems, etc, it's often the case that you _don't_ want the
strings escaped.

In every web application I have built so far there was barely a variable
that needed to be displayed without escaping. Take a discussion board:
you certainly want to escape the author name, email address, subject,
and most of the times the text of the post. If you don't do this
you get something like PhpBB where they discover a new XSS possibility
every other day.

Especially when there is a strict division between data and template
code (like in Rails) I would expect unescaped strings to be an
exception.

And even if you don't want them escaped, it's likely
that you need more advanced escaping anyway.

Why? As long as you make consistent use of one charset there is no need
to escape anything else than XML special characters.

But I agree that CGI.escapeHTML is a bit rich, so I'll add some kind of
shorter wrapper for that to the TextHelper in the next version.

That's good. I'm looking forward to doing my first project with Rails.

If you include ERB::Util then it includes html escape. Use it in your
templates like this

<%h= puts "Some text with <characters>" %>


On Jul 25, 2004, at 2:54 PM, David Heinemeier Hansson wrote:

Well, here's a quick hack that anyone could do in their code to make the autoescaping (and explicit non-escaping) possible:

Not perfect, obviously, but it does work.

That's kinda sexy. I'd certainly welcome a switch-on addition of that to Action Pack. Perhaps something like:

  ActionController::Base.auto_escape_template_prints = true

Following the lines of existing switches, like:

  ActionController::Base.view_controller_internals = true

Cool stuff, Jamis!
--
David Heinemeier Hansson,
http://www.rubyonrails.org/ -- Web-application framework for Ruby
http://www.instiki.org/ -- A No-Step-Three Wiki in Ruby
http://www.basecamphq.com/ -- Web-based Project Management
http://www.loudthinking.com/ -- Broadcasting Brain
http://www.nextangle.com/ -- Development & Consulting Services

dominic sisneros wrote:

If you include ERB::Util then it includes html escape. Use it in your
templates like this

<%h= puts "Some text with <characters>" %>

Could you give a longer example? I tried the following and didn't get what I expected...

   require 'erb'
   include ERB::Util

   @text = "something with <brackets> and \"quotes\""
   erb = ERB.new( "This is <%h= @text %>" )
   p erb.result
   #-> "This is "

- Jamis


--
Jamis Buck
jgb3@email.byu.edu
http://www.jamisbuck.org/jamis

"I use octal until I get to 8, and then I switch to decimal."

Sorry, I tried to do it from memory and got the format juxtaposed.

Instead of <%h= "something with <xml> %>

should be <%=h "something with <xml> %>

See below

require 'erb'

class Foo
   include ERB::Util

   SCRIPT = <<EOS
<h1><%=h @name %></h1>
<ul>
<% ary.each do |x|%>
<li><%=h x %></li>
<% end %>
</ul>
EOS
   def initialize(name)
     @name = name
     @erb = ERB.new(SCRIPT)
   end

   def foo(ary)
     @erb.result(binding)
   end
end

it = Foo.new('foo')
puts it.foo([1,2,'<dia>'])
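The escaping options discussed in this thread, side by side, as an added example that is not code from any poster or from Rails: plain `<%= %>`, explicit `<%=h %>`, and escape-by-default where trust is carried by the object's class rather than by a marker inside the string, so stored text cannot opt itself out of escaping. `TrustedHTML`, `AutoEscape`, `PostView`, `Post` and the sample post are hypothetical names and constructed data.

```ruby
require 'erb'

# Hypothetical wrapper: markup the developer has vetted and wants emitted as-is.
class TrustedHTML
  def initialize(markup)
    @markup = markup.to_s
  end

  def to_s
    @markup
  end
end

# Hypothetical auto-escaping layer. It rewrites each <%= expr %> tag so the
# value goes through emit. It does not handle "%>" inside a Ruby string literal.
module AutoEscape
  OUTPUT_TAG = /<%=(.*?)%>/m

  def self.compile(source)
    ERB.new(source.gsub(OUTPUT_TAG) { "<%= AutoEscape.emit((#{$1})) %>" })
  end

  # Escape everything unless the value is explicitly typed as trusted markup.
  def self.emit(value)
    value.is_a?(TrustedHTML) ? value.to_s : ERB::Util.html_escape(value)
  end
end

Post = Struct.new(:author, :text, :badge)

class PostView
  include ERB::Util # provides h(), the short form of html_escape

  PLAIN  = '<li><%= @post.author %>: <%= @post.text %> <%= @post.badge %></li>'
  MANUAL = '<li><%=h @post.author %>: <%=h @post.text %> <%= @post.badge %></li>'

  def initialize(post)
    @post = post
  end

  # Render the same post three ways and return the resulting HTML strings.
  def render_all
    {
      plain:  ERB.new(PLAIN).result(binding),            # nothing escaped
      manual: ERB.new(MANUAL).result(binding),           # escaped where h was typed
      auto:   AutoEscape.compile(PLAIN).result(binding)  # escaped unless TrustedHTML
    }
  end
end

# Constructed sample: user-supplied author and text, developer-supplied badge.
SAMPLE_POST = Post.new('Tom & "Jerry"', 'NOESCAPE:<i>hi</i>', TrustedHTML.new('<b>mod</b>'))

if __FILE__ == $PROGRAM_NAME
  PostView.new(SAMPLE_POST).render_all.each { |mode, html| puts "#{mode}: #{html}" }
end
```

The `manual` and `auto` results are identical here; the difference is that a forgotten `h` in the manual template silently falls back to the `plain` behaviour, while the auto-escaped template needs an explicit `TrustedHTML` to emit markup.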


On Jul 25, 2004, at 10:39 PM, Jamis Buck wrote:

dominic sisneros wrote:

If you include ERB::Util then it includes html escape. Use it in your
templates like this
<%h= puts "Some text with <characters>" %>

Could you give a longer example? I tried the following and didn't get what I expected...

  require 'erb'
  include ERB::Util

  @text = "something with <brackets> and \"quotes\""
  erb = ERB.new( "This is <%h= @text %>" )
  p erb.result
  #-> "This is "

- Jamis

--
Jamis Buck
jgb3@email.byu.edu
http://www.jamisbuck.org/jamis

"I use octal until I get to 8, and then I switch to decimal."