If you render markdown from user input, an attacker might be able to use this to inject javascript code into the source code of your page.
The linked github page is a collection of common markdown XSS payloads which is handy for writing tests.
[Basic](javascript:alert('Basic'))
[Local Storage](javascript:alert(JSON.stringify(localStorage)))
[CaseInsensitive](JaVaScRiPt:alert('CaseInsensitive'))
[URL](javascript://www.google.com%0Aalert('URL'))
[In Quotes]('javascript:alert("InQuotes")')
When an event listener on a DOM element throws an error, that error will be silenced and not interrupt your program.
In particular, other event listeners will still be called even after a previous listener threw an error. Also the function that emitted the event (like element.dispatchEvent() or up.emit()) will not throw either.
In the following example two handlers are listening to the foo event. The first handler crashes, th...
Test-Driven Development (TDD) in its most dogmatic form (red-green-refactor in micro-iterations) can be tedious. It does not have to be this way! This guide shows a pragmatic approach with integration and unit tests, that works in practice and improves on productivity.
TDD with integration and unit tests is a process with three abstraction levels:
During development you are frequently changing levels. It may look something like this:
Integration _ _...
If you need to test some HTML, e.g. an embed code, you can use RubyMine's "scratch files":
Ctrl + Shift + Alt + Ins)Debugging image color profiles is hard. You can't trust your eyes in this matter, as the image rendering depends on multiple factors. At least the operation system, browser or image viewer software and monitor influence the resulting image colors on your screen.
When we offer our users the possibility to upload images, they will most likely contain tons of EXIF metadata and sometimes exotic color profiles like eciRGB. We want to get rid of the metadata, as it might contain sensitiv...
ActiveSupport (since 4.1) includes test helpers to manipulate time, just like the Timecop gem:
To travel a relative amount of time, use travel:
travel 1.day
To travel to a specific moment in time, use travel_to:
travel_to 1.hour.from_now
To freeze the current time, use freeze_time (ActiveSupport 5.2+):
freeze_time
All those methods may also receive a block to call and restore time afterwards. If you don't provide a block, you must call travel_back or `unfreeze...
In Ruby on Rails, all objects have a useful blank? method. It returns true for nil but also for empty strings or empty arrays. There is also a universal method present? which returns true for all values that are not blank?.
In JavaScript you need to roll your own implementation of blank? and present?.
If your application uses [Unpoly](...
Not all versions of Node.js are compatible with each other. Also npm packages may require a minimum or maximum version of Node.js. We use nvm on our development PCs so we can operate multiple versions of Node.js in parallel.
To make sure that all developers use a compatible version of Node.js, your Rails project should declare the required Node.js in a file called .nvmrc.
When a .nvmrc exists, developers can cd in your project directory and activate...
Download buttons can be difficult to test, especially with Selenium. Depending on browser, user settings and response headers, one of three things can happen:
TL;DR Most web applications do not require action on this. SameSite=None (old browser default) will continue to work, and SameSite=Lax (new Chrome default, gradually rolled out) is an even better default for cookies. Set SameSite=Strict only for extra security in special cases (see below). If your application is rendered in an iframe (e.g. a video player or some news stream), you need to configure its relevant cookies as SameSite=None.
The SameSite cookie attribute targets **c...
Elastic antwortet per Default auf Port 9200
http GET :9200
{
"name": "ntK2ZrY",
"cluster_name": "elasticsearch",
"cluster_uuid": "Bbc-ix5bQZij5vfFU29-Cw",
"version": {
"number": "6.7.1",
"build_flavor": "...
RSpec >= 3.3 added aggregate_failures, which allows multiple failures in an example and list them all, rather than aborting on the first failure.
This can be used:
:aggregate_failures (our preferred option in case every expectations should be aggregated)aggregate_failures
[Here](https://relishapp.com/rspec/rspec-core/docs/expectation-framework-integration/aggregating-failures#use-%60aggrega...
From: Sven
To: unpoly@googlegroups.com
Subject: performance on smartphones and tablets
Hello
I just used your framework in one project and must say,
I am really pleased with it -- but only on a desktop computer.
Have you benchm...
For Sidekiq to be able to retry your jobs it has to be able to catch errors that occur while a job is executed.
Per default, Sidekiq will not raise / notify you if the retry count is exhausted. It will only copy the job to the dead queue (see wiki).
If you want to get notified, you have to implement it in your worker explicitly with a sidekiq_retries_exhausted-block, e.g. like this:
class DownloadWorker
include Sidekiq::Worker
# Import jobs are retried a few time...
Migrating data from a legacy into a new system can be a surprisingly large undertaking. We have done this a few times. While there are significant differences from project to project, we do have a list of general suggestions.
Before you start, talk to someone who has done it before, and read the following hints:
Before any technical considerations, you need to understand the old system as best as possible. If feasible, do not only look at its API, or database, or frontend, but let a user of the old system sho...
At makandra, we've built a few gems over the years. Some of these are quite popular: spreewald (> 1M downloads), active_type (> 1M downloads), and geordi (> 200k downloads)
Developing a Ruby gem is different from developing Rails applications, with the biggest difference: there is no Rails. This means:
require all files yourselfactive_support nicetiesAlso, their scope...
CarrierWave comes with some RSpec matchers which will make testing more comfortable. Let's say you have an Uploader like this:
class MyUploader < CarrierWave::Uploader::Base
include CarrierWave::MiniMagick
# Create different versions of your uploaded files:
version :small do
process resize_to_fill: [100, 100]
end
version :medium do
process resize_to_fit: [200, nil]
end
version :large do
process resize_to_limit: [400, 400]
end
end
Imagine you have a class Movie with an attribute poster. In ...
This cucumber step is useful for testing an image (looking at the src of the image).
Then(/^I should see the image "([^"]*)"$/) do |filename_with_extension|
expect(page).to have_css("img[src*='#{filename_with_extension}']")
end
Then I should see the image "placeholder.png"
Outline: Read more about how to test a uploaded file here, e.g. file downloads.
By default, browsers will not wrap text at syllable boundaries. Text is wrapped at word boundaries only.
This card explains some options to make browsers wrap inside a long word like "Donaudampfschifffahrt".
Modern browsers are able to hyphenate natively with the CSS property hyphens:
hyphens: auto
There is also hyphens: none (disable hyphenations even at ­ entities) and hyphens: manual (hyphenation at ­ only).
This feature was integrated [just ...
HTTPie consists of a single http command designed for painless debugging and interaction with HTTP servers, RESTful APIs, and web services
It easy to use and has very nice defaults and coloured output which makes it good for local testing.
Usage examples with curl equivalent:
# curl post
curl --data "foo=23&bar=42" https://example.org/blub
# httpie post
http https://example.org/blub foo=23 bar=42
# curl localhost
curl localhost:3000/users
# httpie localhost
http :3000/users
Checking if a JavaScript value is of a given type can be very confusing:
typeof and instanceof which work very differently."foo") and sometimes an object (new String("foo")) and each form requires different checksnull (null, undefined and NaN) and each has different rules for...If you deliver files from a public folder it might be that the Content-Disposition header is not set. That's why the following spreewald step might raise an error:
Then I should get a download with filename "..."
expected: /filename="some.pdf"$/
got: nil (using =~) (RSpec::Expectations::ExpectationNotMetError)
One solution...
An end-to-end test (E2E test) is a script that remote-controls a web browser with tools like Selenium WebDriver. This card shows basic techniques for fixing a flaky E2E test suite that sometimes passes and sometimes fails.
Although many examples in this card use Ruby, Cucumber and Selenium, the techniques are applicable to all languages and testing tools.
Your tests probably look like this:
When I click on A
And I click on B
And I click on C
Then I should see effects of C
A test like this works fine...
Slides for Henning's talk on Sep 21st 2017.
print('script start')
html = get('/foo')
print(html)
print('script end')
Script outputs 'script start', (long delay), '<html>...</html>', 'script end'.
print('script start')
get('foo', done: function(html) {
print(html)
})
print('script end')
Script outputs 'script start', `'...