...classes Page and Template. Both contain the same behavior: They have a string field #html which needs to be sanitized (stripped of malicious HTML) before validation: # app/models/page.rb class Page < ApplicationRecord...
...before_validation :sanitize_html private def sanitize_html self.html = Sanitize.clean(html) end end # app/models/template.rb class Template < ApplicationRecord before_validation :sanitize_html private def sanitize_html self.html = Sanitize.clean(html) end
...might upload content that hurts other users. Our primary concern here is users uploading .html or .svg files that can run JavaScript and possibly hijack another user's session.
...executing files that were downloaded from the internet. Attack example: Hijacking sessions with uploaded HTML or SVG files You run an app myapp.com. The attacker runs an app evil.com.
...more intuitive workflow when working with nested attributes in Rails + Unpoly: Without JS With HTML template and JS With HTML template and JS using dynamic Unpoly templates Adding Records via...
= task_form.check_box :_destroy = task_form.label :_destroy, "Remove task" = form.submit Adding nested records via template HTML with JS resources :variant_2_users, only: [:edit, :update] class Variant2UsersController < ApplicationController def edit
...an arbitrary route in your Rails application that is able to respond with regular HTML and JSON. By sending the specific MIME type in the Accept header, you tell the...
...application to either return HTML (text/html) or JSON (text/json). The problem is that Rails caches the response independently from the specified Accept header. This means that the first request made...
Capybara-screenshot can automatically save screenshots and the HTML for failed Capybara tests in Cucumber, RSpec or Minitest. Requires Capybara-Webkit, Selenium or poltergeist for making screenshots. Screenshots are saved...
...also use Rails' built-in ScreenshotHelper module available for Rails >= 5. Including assets in HTML screenshots for prettier presentation Note Capybara takes two kinds of screenshots: a regular image and...
...template for a format that the client understands. This means that when all you have are HTML templates, a request that only accepts application/json will raise an error: An ActionView::MissingTemplate occurred...
You can choose not to care. Since e.g. making JSON requests to HTML-only services is not a supported use of your page, you don't have to support them...
...act like a layout. You can use this to extract common containers in your HTML. # _card.html.erb <%= yield %> # index.html.erb <%= render partial: 'card' do %> This is card content <% end %> <%= render partial: 'weather...
...Partials vs. Helpers I recommend avoiding helpers when rendering large chunks of HTML and going for a partial instead. If your helper method requires a large chunk of...
...page to visitors. Disables your application's web interface by writing a #{maintenance_basename}.html file to each web server. The servers must be configured to detect the presence of...
cap maintenance:disable Makes the application web-accessible again. Removes the #{maintenance_basename}.html page generated by maintenance:disable, which will make your application web-accessible again.
...re-render the view for unchanged content, you don't need to send unchanged HTML over the network. Tip With the default ETag you don't need to care what...
...most Rails application layouts insert randomly rotating CSRF tokens and CSP nonces into the HTML, two requests for the same data state will never produce the same response bytes: ... ... ...
...sync vs. async control flow Talking to synchronous (or "blocking") API print('script start') html = get('/foo') print(html) print('script end') Script outputs 'script start', (long delay), '...
...', 'script end...
...Talking to asynchronous (or "evented") API print('script start') get('foo', done: function(html) { print(html) }) print('script end') Script outputs 'script start', 'script end', (long delay), '...
Properties of sync...
...element. So don't do this: text The browser will think you wrote invalid HTML by accident, and will sometimes reorder elements silently. There is one notable exception: It's...
...OK to wrap block elements in a tag in HTML5 (not 4). The spec says: The a element may be wrapped around entire paragraphs, lists, tables, and so forth, even...
For outputting a given String in HTML, you mostly want to replace line breaks with or tags. You can use simple_format, but it has side effects like keeping some...
If you only care about line breaks, you might be better off using a small, specialized helper method: def format_linebreaks(text) safe_text = h(text) paragraphs = split_paragraphs...
Unpoly 3.11.0 is a big release, shipping many features and quality-of-life improvements requested by the community. Highlights include...
There are two distinct ways of commenting Haml markup: HTML and Ruby. HTML comments This will create an HTML comment that will be sent to the client (aka browser):
...to 'Example', 'www.example.com' This produces the following HTML: Only use this variant if you need the comment to appear in the HTML. Ruby comments This will comment code so it...
...we want to hide via CSS and fill using JS = form.file_field_tag(:invoice, html: { class: 'visually-hidden' }) # You may also use CSS classes, of course %span(file-input-name...
...between smooth and instant scrolling. Preferring instant scrolling CSS can prefer instant scrolling behavior: html { scroll-behavior: auto; /* the default */ } An auto behavior causes the browser to instantly jump to...
...smooth scrolling CSS can prefer a smooth scrolling animation: @media not (prefers-reduced-motion) { html { scroll-behavior: smooth; } } A smooth behavior causes the browser to animate scrolling in these situations...
...scrolling by default. You can address this by disabling smooth scrolling in tests: body, html { scroll-behavior: auto !important; } If you have other scrolling elements with overflow-y: scroll or...
...as it is given. Behavior of "boolean attributes" remains unchanged No Haml value => no HTML value Boolean Haml value => attribute is rendered depending on that value All other values => rendered...
Haml HTML generated by Haml 5 & 6 %button(disabled) %button(disabled=true) %button(disabled=false) %button(disabled=nil) %button(disabled='123') Other attributes will be handled differently by Haml...
The DB schema is the most important source of truth for your application and should be very self-explanatory. If...
...nodes based on rendered text, even if it spans multiple elements in the HTML. Imagine a page that includes this HTML: Hi! Try to match me. Even though the...
...text is separated by a tag in the HTML, it is matched up to Capybara 2, which used to "squish" text prior to the comparison. # Capybara 1 or 2 page.find('.haystack...
...set icon font classes directly. Instead I use another helper (icon) that wraps an HTML snippet with the icon class and some additional markup: <%= icon(:email, 'Send message') %>
...produce the following HTML: Send message You can also use the helper to write an icon without a label: <%= icon(:email) %> Advantages of using the helper are:
...does not block the browser from rendering content. Deferred scripts will run after the HTML has been parsed. That means you can query the entire DOM tree with querySelector() and friends...
...have multiple deferred scripts, they will run in the order they appear in the HTML, regardless of how long individual scripts take to load. You can put your...
end + content_tag(:div, :class => 'clear') ) end # Rails 2 def center_float(&block) html = "".html_safe html << content_tag(:div, :class => 'center_float_outer_container') do content_tag(:div...
...class => 'center_float_container') do content_tag(:div, h(capture(&block)), :class => 'center_float').html_safe end end html << content_tag(:div, :class => 'clear') html end Use it with
...on JavaScript-heavy applications. An example would be an AngularJS application where the following HTML actually works. [1] Hello Capybara will fail to find that link, even though looking it...
...are usually styled correctly, and Angular will take care of the click event), the HTML spec defines hyperlinks as anchor tags ( ) that have an href attribute. Without an href they...