Jigar Gosar
2006-Jan-22 06:48 UTC
[Rails] ERROR: undefined method `h' for ERB::Util:Module
ERROR: undefined method `h' for ERB::Util:Module

I get the above error when I use

    ERB::Util.h(content)

in my controller's action. Can anyone tell me how to use this 'h' method within the controller?

thanks,
Jigar Gosar
http://jigar.org
--
Posted via http://www.ruby-forum.com/.
Kevin Olbrich
2006-Jan-22 06:54 UTC
[Rails] Re: ERROR: undefined method `h' for ERB::Util:Module
Jigar Gosar wrote:
> ERROR: undefined method `h' for ERB::Util:Module
>
> I get the above error when I use
>
> ERB::Util.h(content)
>
> in my controller's action.
>
> Can anyone tell me how to use this 'h' method within the controller?
>
> thanks,
> Jigar Gosar
> http://jigar.org

<%= h content %>

_Kevin
Jigar Gosar
2006-Jan-22 07:24 UTC
[Rails] Re: ERROR: undefined method `h' for ERB::Util:Module
Kevin Olbrich wrote:
> Jigar Gosar wrote:
>> ERROR: undefined method `h' for ERB::Util:Module
>>
>> I get the above error when I use
>>
>> ERB::Util.h(content)
>>
>> in my controller's action.
>>
>> Can anyone tell me how to use this 'h' method within the controller?
>>
>> thanks,
>> Jigar Gosar
>> http://jigar.org
>
> <%= h content %>

This I'm aware of; I want to use it in the controller's action, not the view.

> _Kevin
Jules Jacobs
2006-Jan-22 11:31 UTC
[Rails] Re: ERROR: undefined method `h' for ERB::Util:Module
Why would you want to use that in your controller? I assume that the h()'ed content gets output via a view. You could call h() at that point, couldn't you?

Jules
Douglas Livingstone
2006-Jan-22 13:07 UTC
[Rails] ERROR: undefined method `h' for ERB::Util:Module
2006/1/22, Jigar Gosar <jigar.gosar@gmail.com>:
>
> Can anyone tell me how to use this 'h' method within the controller?
>

The long answer is that you're probably doing something wrong if you want to escape output in the controller. The controller shouldn't handle rendering views itself, and part of rendering the views is escaping output. So, as Kevin and Jules have said, you should just pass the unescaped content to the view, and then you can safely escape *everything* in the view, without worrying about escaping things twice.

If you are creating HTML in the controller, that shouldn't be there either. If you move that into a view helper, you'll have no problem accessing html_escape.

But having said that, here is the answer to your question; I just hope you won't use it:

Using ERB::Util as a mixin:

    class FishyController < ActionController::Base
      include ERB::Util # this should look strange to you

      def something_that_should_be_in_the_view
        # you should be surprised to see
        # anything about HTML in a controller
        @html = "<li>#{html_escape("a is > b")}</li>"
      end
    end

Regards,
Douglas
Kevin Olbrich
2006-Jan-22 15:05 UTC
[Rails] Re: ERROR: undefined method `h' for ERB::Util:Module
Douglas Livingstone wrote:
> 2006/1/22, Jigar Gosar <jigar.gosar@gmail.com>:
>>
>> Can anyone tell me how to use this 'h' method within the controller?
>>
>
> The long answer is that you're probably doing something wrong if you
> want to escape output in the controller. The controller shouldn't
> handle rendering views itself, and part of rendering the views is
> escaping output. So, as Kevin and Jules have said, you should just
> pass the unescaped content to the view, and then you can safely escape
> *everything* in the view, without worrying about escaping things
> twice.

You know, this has been bothering me a bit lately. If the point of doing an html escape on the output is to prevent security problems, wouldn't it make sense for the default action on outputting data to be html_escape'd? Then one could use a different function to return the unescaped string instead.

Sure it will cause all sorts of problems in some ways, but the overall result would be that it would force the developer to explicitly return unsafe content, so there would be little to no chance of it leaking out by accident.

I suppose that a third way would be for ERb to require either the 'h' or 'u' function for it to generate text output. If you don't specify which one you want, nothing would happen.

_Kevin
Jules Jacobs
2006-Jan-22 16:30 UTC
[Rails] Re: ERROR: undefined method `h' for ERB::Util:Module
I don't think that would be a good idea. You cannot use capture() then.

    ...
    <% @footer = capture do %>
      <%= link_to 'Edit', :action => 'edit', :id => @post %>
    <% end %>

And in your layout:

    <html>
    ...
    <div id="footer">
      <%= @footer %>
    </div>
    ...
    </html>

Or is there a better way to do this?

Thanks in advance,

Jules
Kevin Olbrich
2006-Jan-22 16:58 UTC
[Rails] Re: ERROR: undefined method `h' for ERB::Util:Module
Jules Jacobs wrote:
> I don't think that would be a good idea. You cannot use capture() then.
>
> ...
> <% @footer = capture do %>
> <%= link_to 'Edit', :action => 'edit', :id => @post %>
> <% end %>
>
> And in your layout:
>
> <html>
> ...
> <div id="footer">
> <%= @footer %>
> </div>
> ...
> </html>
>
> Or is there a better way to do this?
>
> Thanks in advance,
>
> Jules

Not really a problem. As I see it, you would want to have an ERb function to allow unescaped text. So your view would look like this..

    <div id="footer">
      <%= unsafe(@footer) %>
    </div>

or ....

This way you also get the side benefit that when you read the code, you instantly know if there is a potential security issue, so you will pay more attention to where @footer came from.

I will admit that I don't understand ERb well enough to know what else this approach would break.

It might also be possible to set up ERb to use a format like this..

    <%unsafe <html> %>

And just have the standard <%= %> force an html escape by default.

_Kevin
Douglas Livingstone
2006-Jan-22 18:48 UTC
[Rails] Re: ERROR: undefined method `h' for ERB::Util:Module
2006/1/22, Kevin Olbrich <kevin.olbrich@duke.edu>:
>
> You know, this has been bothering me a bit lately. If the point of
> doing an html escape on the output is to prevent security problems,
> wouldn't it make sense for the default action on outputting data for it
> to be html_escape'd?
>

Hmm, I think that it would just add confusion. Example:

    <%= link_to :action => 'something' %>

That would then output escaped HTML, rather than a link.

Douglas
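Kevin's escape-by-default ERB with unsafe() as the explicit opt-out, Jules's captured @footer, and Douglas's link_to objection, worked through in an added Ruby sketch that is not from this thread or from Rails. The SafeString, EscapingBuffer and SafeErb names are my own, and the sketch relies on the documented hook attributes of ERB::Compiler (pre_cmd, put_cmd, insert_cmd, post_cmd) instead of ERB#result.

```ruby
require 'erb'

# Marker for markup that is already escaped or otherwise trusted.
class SafeString < String
  def to_s
    self # survive the .to_s that ERB applies to every <%= %> value
  end
end

# Template output buffer: values inserted via <%= %> are HTML-escaped unless
# they are SafeStrings; literal template text arrives via #raw, never escaped.
class EscapingBuffer
  def initialize
    @buf = +''
  end
  def <<(value)
    @buf << (value.is_a?(SafeString) ? value : ERB::Util.html_escape(value))
    self
  end
  def raw(text)
    @buf << text
  end
  def to_s
    @buf
  end
end

# Rendering context (hypothetical): the hash becomes instance variables, `unsafe`
# is the opt-out from the thread, and `link_to` escapes its pieces then marks the tag safe.
class SafeErb
  include ERB::Util # gives h(), as in Douglas's mixin post
  def initialize(vars = {})
    vars.each { |name, value| instance_variable_set("@#{name}", value) }
  end
  def unsafe(markup)
    SafeString.new(markup.to_s)
  end
  def link_to(text, href)
    SafeString.new("<a href=\"#{h(href)}\">#{h(text)}</a>")
  end
  def render(template)
    compiler = ERB::Compiler.new(nil) # documented ERB::Compiler hooks
    compiler.pre_cmd    = ['_out = EscapingBuffer.new']
    compiler.put_cmd    = '_out.raw'
    compiler.insert_cmd = '_out.<<'
    compiler.post_cmd   = ['_out.to_s']
    code, = compiler.compile(template)
    eval(code, binding)
  end
end
```

A helper that builds markup, such as link_to here, has to mark its return value safe after escaping its own inputs; otherwise, as Douglas says, `<%= link_to ... %>` comes out as text rather than a link.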
Ben Munat
2006-Jan-22 19:09 UTC
[Rails] Re: ERROR: undefined method `h' for ERB::Util:Module
Kevin Olbrich wrote:
> You know, this has been bothering me a bit lately. If the point of
> doing an html escape on the output is to prevent security problems,
> wouldn't it make sense for the default action on outputting data for it
> to be html_escape'd?

No, the point of doing html escape is to convert characters being sent to an html output stream into acceptable characters for that format. Characters such as '>', '<', '&', etc. are significant in html/xml, so if they are not intended to be used in these capacities they need to be escaped.

Actions are not solely in existence to produce output for html pages; they can be used to produce output for all sorts of resulting file types (yaml, email, pdf, etc.) or might simply need to pass their resulting data on to more code. Whether certain characters in that data need to be escaped or not is clearly dependent on the destination medium.

b