Forum: Ruby on Rails ERROR: undefined method `h' for ERB::Util:Module

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- and Ruby-related community platforms.
Jigar Gosar (Guest)
on 2006-01-22 07:48
ERROR: undefined method `h' for ERB::Util:Module

I get the above error when I use

  ERB::Util.h(content)

in my controller's action.

Can anyone tell me how to use this 'h' method within a controller?

thanks,
Jigar Gosar
http://jigar.org
Kevin Olbrich (olbrich)
on 2006-01-22 07:54
Jigar Gosar wrote:
> ERROR: undefined method `h' for ERB::Util:Module
>
> i get above error when i use
>
>   ERB::Util.h(content)
>
> in my controller's action.
>
> can any one one tell me how to use this 'h' method within controller?
>
> thanks,
> Jigar Gosar
> http://jigar.org

<%= h content %>

_Kevin
Jigar Gosar (Guest)
on 2006-01-22 08:24
Kevin Olbrich wrote:
> Jigar Gosar wrote:
>> ERROR: undefined method `h' for ERB::Util:Module
>>
>> i get above error when i use
>>
>>   ERB::Util.h(content)
>>
>> in my controller's action.
>>
>> can any one one tell me how to use this 'h' method within controller?
>>
>> thanks,
>> Jigar Gosar
>> http://jigar.org
>
> <%= h content %>

This I am aware of;
I want to use it in the controller's action, not the view.

>
> _Kevin
Jules Jacobs (jules)
on 2006-01-22 12:31
Why would you want to use that in your controller? I assume that the
h()'ed content gets outputted via a view. You could call h() at that
point, couldn't you?

Jules
Douglas Livingstone (Guest)
on 2006-01-22 14:07
(Received via mailing list)
2006/1/22, Jigar Gosar <jigar.gosar@gmail.com>:
>
> can any one one tell me how to use this 'h' method within controller?
>

The long answer is that you're probably doing something wrong if you
want to escape output in the controller. The controller shouldn't
handle rendering views itself, and part of rendering the views is
escaping output. So, as Kevin and Jules have said, you should just
pass the unescaped content to the view, and then you can safely escape
*everything* in the view, without worrying about escaping things
twice.

If you are creating HTML in the controller, that shouldn't be there
either. If you move that into a view helper, you'll have no problem
accessing html_escape.

But having said that, here is the answer to your question, I just hope
you won't use it:

Using ERB::Util as a mixin:

  class FishyController < ActionController::Base
    include ERB::Util  # this should look strange to you

    def something_that_should_be_in_the_view
      # you should be surprised to see
      # anything about HTML in a controller
      @html = "<li>#{html_escape("a is > b")}</li>"
    end
  end

Regards,
Douglas
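The double-escaping problem Douglas describes, as an added example that is not code from the thread: the View class below stands in for an ERB template and mixes in ERB::Util (the same trick as the controller above, but at the layer where it belongs), so the template can call h; escaping in the controller first and again in the view turns "&gt;" into "&amp;gt;".

```ruby
require "erb"

# Added example, not code from the thread: escape once, at the view boundary.
# View is a constructed stand-in for an ERB template; mixing in ERB::Util
# gives it h/html_escape, which is where the thread says escaping belongs.
class View
  include ERB::Util
  TEMPLATE = ERB.new("<li><%= h @content %></li>")

  def initialize(content)
    @content = content
  end

  def render
    TEMPLATE.result(binding)
  end
end

# Right layer: the controller hands raw data over, the view escapes exactly once.
def render_once(raw)
  View.new(raw).render
end

# Wrong layer (what the original post asked for): the controller escapes with
# ERB::Util.h, then the view escapes again, so "&gt;" becomes "&amp;gt;" and the
# browser shows the literal text "&gt;" instead of ">".
def render_twice(raw)
  pre_escaped = ERB::Util.h(raw)  # view work done in the controller
  View.new(pre_escaped).render
end

if __FILE__ == $PROGRAM_NAME
  puts render_once("a is > b")   # <li>a is &gt; b</li>
  puts render_twice("a is > b")  # <li>a is &amp;gt; b</li>
end
```

In current Ruby both ERB::Util.h and ERB::Util.html_escape are module functions, so the call from the original post no longer raises; the layering advice in the thread is unchanged.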
Kevin Olbrich (olbrich)
on 2006-01-22 16:05
Douglas Livingstone wrote:
> 2006/1/22, Jigar Gosar <jigar.gosar@gmail.com>:
>>
>> can any one one tell me how to use this 'h' method within controller?
>>
>
> The long answer is that you're probably doing something wrong if you
> want to escape output in the controller. The controller shouldn't
> handle rendering views itself, and part of rendering the views is
> escaping output. So, as Kevin and Jules have said, you should just
> pass the unescaped content to the view, and then you can safely escape
> *everything* in the view, without worrying about escaping things
> twice.

You know, this has been bothering me a bit lately.  If the point of
doing an html escape on the output is to prevent security problems,
wouldn't it make sense for the default action on outputting data for it
to be html_escape'd?

Then one could use a different function to return the unescaped string
instead.

Sure it will cause all sorts of problems in some ways, but the overall
result would be that it would force the developer to explicitly return
unsafe content, so there would be little to no chance of it leaking out
by accident.

I suppose that a third way would be for ERb to require either the 'h' or
'u' function for it to generate text output.  If you don't specify which
one you want, nothing would happen.

_Kevin
Jules Jacobs (jules)
on 2006-01-22 17:30
I don't think that would be a good idea. You cannot use capture() then.

...
<% @footer = capture do %>
<%= link_to 'Edit', :action => 'edit', :id => @post %>
<% end %>

And in your layout:

<html>
...
<div id="footer">
<%= @footer %>
</div>
...
</html>

Or is there a better way to do this?

Thanks in advance,

Jules
Kevin Olbrich (olbrich)
on 2006-01-22 17:58
Jules Jacobs wrote:
> I don't think that would be a good idea. You cannot use capture() then.
>
> ...
> <% @footer = capture do %>
> <%= link_to 'Edit', :action => 'edit', :id => @post %>
> <% end %>
>
> And in your layout:
>
> <html>
> ...
> <div id="footer">
> <%= @footer %>
> </div>
> ...
> </html>
>
> Or is there a better way to do this?
>
> Thanks in advance,
>
> Jules

Not really a problem.  As I see it, you would want to have an ERb
function to allow unescaped text.

So your view would look like this..

<div id="footer">
<%= unsafe(@footer) %>
</div>

or

....

This way you also get the side benefit that when you read the code, you
instantly know if there is a potential security issue so you will pay
more attention to where @footer came from.

I will admit that I don't understand ERb well enough to know what else
this approach would break.

It might also be possible to set up ERb to use a format like this..

<%unsafe <html> %>

And just have the standard <%= %> force an html escape by default.

_Kevin
Douglas Livingstone (Guest)
on 2006-01-22 19:48
(Received via mailing list)
2006/1/22, Kevin Olbrich <kevin.olbrich@duke.edu>:
>
> You know, this has been bothering me a bit lately.  If the point of
> doing an html escape on the output is to prevent security problems,
> wouldn't it make sense for the default action on outputting data for it
> to be html_escape'd?
>

Hmm, I think that it would just add confusion:

Example: <%= link_to :action => 'something' %>

That would then output escaped HTML, rather than a link.

Douglas
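Kevin's escape-by-default proposal with an explicit unsafe() opt-out, together with Douglas's link_to objection and Jules's capture() concern, as one added toy example that is not ERb or Rails code. The names TrustedHtml, unsafe, out, link_to and capture are all constructed here for illustration; the idea is that markup-producing helpers escape their own inputs and mark their result trusted, so only what is explicitly vouched for gets through unescaped.

```ruby
require "erb"

# Added example, not ERb or Rails code: a toy escape-by-default output path
# with the explicit opt-out Kevin proposes. TrustedHtml, unsafe, out, link_to
# and capture are constructed names for illustration only.

# Marks a string that a helper has already rendered as HTML and vouches for.
class TrustedHtml < String; end

# The one deliberate way to get markup through unescaped.
def unsafe(str)
  TrustedHtml.new(str.to_s)
end

# Stand-in for <%= %>: escapes everything that is not explicitly trusted.
def out(value)
  value.is_a?(TrustedHtml) ? value : ERB::Util.html_escape(value.to_s)
end

# Douglas's objection was that link_to would come out escaped. A helper that
# builds markup escapes its own inputs and marks the result trusted instead.
def link_to(text, href)
  unsafe(%(<a href="#{ERB::Util.html_escape(href)}">#{ERB::Util.html_escape(text)}</a>))
end

# Jules's capture(): each piece goes through out() (escaped unless trusted),
# and the joined result is trusted, so the layout emits it without re-escaping.
def capture(*pieces)
  unsafe(pieces.map { |piece| out(piece) }.join)
end

# Layout fragment: the captured footer's markup stays intact, while the
# user-supplied label inside it is escaped.
def render_footer(post_id, user_label)
  footer = capture(link_to("Edit", "/posts/#{post_id}/edit"), " by ", user_label)
  %(<div id="footer">#{out(footer)}</div>)
end

if __FILE__ == $PROGRAM_NAME
  puts render_footer(7, "<i>guest</i>")
end
```

Reading the view then tells you where trust is granted: any unsafe() call is the place to ask where its argument came from, which is the review benefit Kevin describes.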
Ben Munat (Guest)
on 2006-01-22 20:10
(Received via mailing list)
Kevin Olbrich wrote:
> You know, this has been bothering me a bit lately.  If the point of
> doing an html escape on the output is to prevent security problems,
> wouldn't it make sense for the default action on outputting data for it
> to be html_escape'd?

No, the point of doing html escape is to convert characters being sent
to an html output stream into acceptable characters for that format.
Characters such as '>', '<', '&', etc. are significant in html/xml, so
if they are not intended to be used in these capacities they need to be
escaped.

Actions are not solely in existence to produce output for html pages;
they can be used to produce output for all sorts of resulting file types
(yaml, email, pdf, etc.) or might simply need to pass their resulting
data on to more code. Whether certain characters in that data need to be
escaped or not is clearly dependent on the destination medium.

b