...allowing you to keep your integration tests as DRY as your application code. Option 1: Call other step definitions This is Cucumber's default way of sharing short setup steps or...

...use to create great-looking screen designers when you're not a designer. Part 1 contains: Light comes from the sky Black and white first Double your whitespace

apidock.com

end end end end Output: == AddUserToken: migrating ========================================= # ... == AddUserToken: now generating tokens ============================= -- For users #1 to #500 -> 1.542s -> 1 rows == AddUserToken: migrated (1.0003s...

makandra dev

...by allowlisting specific directories directories %w[app config public spec] allowed_js_reload_window = 10 # seconds last_js_change = Time.at(0) guard 'livereload', apply_css_live: true, host: '127.0.0.1' do...

...css)$)) do |match| # Any generated CSS changed, send its name to livereload-js match[1] end watch(%r(^app/assets/.*\.js$)) do |_match| # Any source Javascript changed. Assume the next changes...

...card contains some advice that has helped me to use icon fonts more comfortably. 1 Map the font's icon names into your application domain You don't want to...

...repeat a 100 times that the icon for a "post" is actually icon-comment-alt, or that cancel buttons should be decorated with icon-remove because the shape fits so...

...remove) certain lines through navigating in the changes and select the current line with 1 Split a chunk with...

medium.freecodecamp.com

...and print the time Reference previously inspected elements (from the Elements panel) Variables $0, $1,...

...$n reference the nth-last inspected Element. $0 is the element that's currently selected...

makandra dev
github.com

...XSS]: (javascript:prompt(document.cookie)) [XSS](javascript:window.onerror=alert;throw%20document.cookie) [XSS](javascript://%0d%0aprompt(1)) [XSS](javascript://%0d%0aprompt(1);com) [XSS](javascript:window.onerror=alert;throw%20document.cookie) [XSS](javascript://%0d...

...20document.cookie) [XSS](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K) [XSS](vbscript:alert(document.domain)) [XSS](javascript:this;alert(1)) [XSS](javascript:this;alert(1)) [XSS](javascript&#58this;alert(1))

...Is Dead, Long Live CSP! Result: ~95% of existing CSP policies offer no protection. Reason 1: Mostly obvious misconfiguration (wildcards, unsafe domains, missing object-src, etc.). Reason 2: Library with JSONP...

...JavaScript reflection gadget": the library offers a way to turn DOM content into code. Example: {{ 1000 - 1 }} Reason 4: Users can upload JavaScript to the domain. Important: users must never be allowed to upload files...

Given you have a strict CSP that only allows elements from your own domain:

Content-Security-Policy: script-src 'self'

This will block JavaScript handlers inlined as attributes in your HTML elements. Clicking on the following link will only log an error with a strict CSP:

click me click me

Solution 1: Move the handler into your JavaScript

The recommended solution is to move the handler from the HTML to the allowed JavaScript file that we loaded via . In the example above we could invent a new [data-alert] attribute with the alert message:

click me

Then our JavaScript intercepts clicks on elements with that attribute:

document.addEventListener('click', function(event) {
  let link = event.target.closest('[data-alert]')
  if (link) {
    let message = link.dataset.alert
    alert(message)
    event.preventDefault()
  }
})

Solution 2: Allow that one handler in your CSP

Some browsers allow the CSP directive script-src-attr. This lets you allow the hashes of actual JavaScript code. The SHA256 hash of alert('hello') is vIsp2avtxDy0157AryO+jEJVpLdmka7PI7o7C4q5ABE= (in Base64). We can allow this one event handler like this:

Content-Security-Policy: script-src 'self'; script-src-attr 'unsafe-hashes' 'sha256-vIsp2avtxDy0157AryO+jEJVpLdmka7PI7o7C4q5ABE='

Note the sha256- prefix. This event handler now works when clicked:

click me

But any other script will still be blocked:

click me

Dealing with legacy browsers

Currently (November 2023) about 75% of browsers support script-src-attr. Here is a forward-looking compromise that many users use with new CSP features:

- Have a liberal CSP with old directives supported by all browsers
- Make your CSP stricter with new, more specific directives for browsers that support it

The CSP spec supports that approach in that using newer, more specific directives disables older, more general features. In our case this means:

- For old browsers, allow all inline scripts
- For new browsers, disallow inline scripts but allow inline handlers with given hashes

Here is a CSP directive that works like this:

Content-Security-Policy: script-src 'self' 'unsafe-inline'; script-src-elem 'self'; script-src-attr 'unsafe-hashes' 'sha256-vIsp2avtxDy0157AryO+jEJVpLdmka7PI7o7C4q5ABE='

Old browsers will only use script-src. New browsers will use script-src-elem (for <script> tags) and script-src-attr (for inline event handlers), which override the more liberal rules from script-src.
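The layered policy described above can be generated and checked with a short Node.js script. This is an added example, not code from the original card: the function names are hypothetical, and handlerAllowed is a simplified model of the browser's decision for inline event handlers, not a full CSP implementation.

```javascript
const { createHash } = require('node:crypto');

// CSP hash source for the exact handler text (byte-for-byte, whitespace matters).
function handlerHash(source) {
  const digest = createHash('sha256').update(source, 'utf8').digest('base64');
  return `'sha256-${digest}'`;
}

// Build the layered policy from the card for a list of allowed handler bodies.
function layeredPolicy(handlers) {
  return [
    "script-src 'self' 'unsafe-inline'",  // old browsers: all inline scripts
    "script-src-elem 'self'",             // new browsers: no inline <script>
    `script-src-attr 'unsafe-hashes' ${handlers.map(handlerHash).join(' ')}`,
  ].join('; ');
}

// Parse a policy string into { directive: [sources] }; the first occurrence wins.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in directives)) directives[key] = sources;
  }
  return directives;
}

// Simplified model (assumption): would this inline event handler run?
// supportsAttr=false models an old browser that only knows script-src.
function handlerAllowed(policy, source, supportsAttr = true) {
  const d = parsePolicy(policy);
  const list = (supportsAttr && d['script-src-attr']) || d['script-src'] || d['default-src'];
  if (!list) return true; // no directive governs scripts
  // 'unsafe-inline' is ignored once a hash or nonce appears in the same list.
  const hasHashOrNonce = list.some((s) => /^'(sha(256|384|512)|nonce)-/.test(s));
  if (list.includes("'unsafe-inline'") && !hasHashOrNonce) return true;
  return list.includes("'unsafe-hashes'") && list.includes(handlerHash(source));
}

const policy = layeredPolicy(["alert('hello')"]);
console.log(policy);
console.log(handlerAllowed(policy, "alert('hello')"));        // new browser, listed handler
console.log(handlerAllowed(policy, "alert('other')"));        // new browser, unlisted handler
console.log(handlerAllowed(policy, "alert('other')", false)); // old browser, unlisted handler
```

The third call shows the cost of the compromise: a browser without script-src-attr support falls back to script-src and runs any inline handler.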

...simply issuing an extra query, like this: SELECT post.* FROM posts LIMIT 20 OFFSET 100; SELECT COUNT(*) FROM posts; This is fine most of the time. But rarely, you might...

...it needs to be. SELECT posts.* FROM (/* some complicated_subquery */) posts LIMIT 20 OFFSET 100; SELECT COUNT(*) FROM (/* some complicated subquery */) posts; Here the subquery had to run twice. (Although...

...An OAuth-compatible request matcher Body with ignored order URI ignoring query parameter ordering 1 URI ignoring query parameter ordering 2 Tests with AJAX Using javascript in integration tests might...

github.com

Profit Example Imagine you expect General Kenobi to be in level 6 { level_1: { level_2: { level_3: { level_4: { level_5: { level_6: { general_kenobi: 'Hello there!' } } } } } } }

...actually in level 3. Then RSpec will output the diff this way: expected: {:level_1=>{:level_2=>{:level_3=>{:level_4=>{:level_5=>{:level_6=>{:general_kenobi=>"Hello there!"}}}}}}}

...use permit (or expect) to receive Strong Parameters, but strip extra parameters. # Better (option 1) redirect_to users_path(params.slice(:query, :encoding).permit(:query, :encoding)) # Better (option 2)

...upgrade to take a few days even if the diff is quite small afterwards. Preparations 1. Find all libraries that are bundled with the asset pipeline. You can check the application.js...

...have to be copied to a private node package into the project. Introduce Webpacker 1. Install Webpacker 2. Check if css extraction is enabled in webpacker.yml: # Extract and emit a...

...logs the error ActionController::UnpermittedParameters in development + test and does nothing in production. Option 1: In case you use action_on_unpermitted_parameters = :raise for all environments, you might notice...

Using Ruby 1.8.7 you will not be able to use the maximum versions Rubygems 1.8.30 and Bundler 1.17.3 with https://rubygems.org/ anymore. This is a result of a server certificate...

...fetching data: hostname was not match with the server certificate (https://rubygems.org/*) Fix 1: Use docker and gemstash (recommended for makandra employees) Use our legacy docker setup for development...

...convert it into its RGB values using plain Ruby. >> "#ff8000".match(/^#(..)(..)(..)$/).captures.map(&:hex) => [255, 128, 0] You can use that to implement a simple "hex to CSS rgba value with...

...captures.map(&:hex) "rgba(#{rgb.join(", ")}, #{opacity})" end >> hex_color_to_rgba("#ff8000", 0.5) => "rgba(255, 128, 0, 0.5)" If you need to support RGBA hex color codes, you need to handle...

weblog.jamisbuck.org

(gdb) t a a bt # thread apply all backtrace (gdb) call (void) close(1) # close the existing file descriptors for stdout (gdb) call (void) close(2) # close the existing...

Previous method on Ruby < 2.4 Article from 2016 Article from 2006 Ruby 1.8.7 # First, find out the PID of your Ruby process (e.g. passenger-status)

manufacturer, serial_number = product.match(PRODUCT_PATTERN)&.captures # or manufacturer = product[PRODUCT_PATTERN, 1] serial_number = product[PRODUCT_PATTERN, 2] Example with named groups (<2.4) PRODUCT_PATTERN = /\A(? .+) S...

...complement for opacity. Just transition both of them: opacity: 0 visibility: hidden transition: all 100ms &.-visible opacity: 1 visibility: visible When fading in, visibility will immediately be set to visible...

...call other matchers. Example The following test checks that two variables foo and bar (1) have no lowercase characters and (2) end with an exclamation mark: expect(foo).to_not...

...but is actually quite simple when using docker and turning off some verification steps. 1. Start a keycloak instance using docker mkdir -p keycloak_data && docker run --network=host -e...

...increase your build times significantly, but produce the smallest output: Terser (3 pass) Terser (1 pass) esbuild application.js 163.6 kB 163.7 kB 181.6 kB application.js (gzipped) 54.7 kB