Notes: Josh McArthur

Avoiding script injection when rendering ERB

Bad (but not obviously so): data = { greeting: "Hello, world!" } ERB.new(" <h1>Show greeting:</h1> <p><%= greeting %></p> ").result_with_hash(data) # => <h1>Show greeting:</h1> <p>Hello, world!</p> The question is - what happens if greeting is something different…like <script>alert('greeting!')</script>? Perhaps, if you’re used to Rails, not what you might expect: data = { greeting: "<script>alert('greeting!')</script>" } ERB.new(" <h1>Show greeting:</h1> <p><%= greeting %></p>...

Streamlining daily blog posts

For quite a while, I managed to find something interesting to write up each work day. Unfortunately, life got in the way, and as is easy to do, this habit stopped. I’m hoping to get back into writing, and I’m trying to do this by making it easier to write up a post without leaving my flow as much. To...

Adding elevation to DOC track dataset

I don’t know if this is interesting to anyone, but on Friday and for an extra hour or two in the weekend, I was playing around with calculating an elevation profile for walking tracks in NZ. I started with a dataset from data.govt.nz from the Department of Conservation (which for AU is responsible for walking tracks and facilities at a...

Rails supports transforming aria hashes into dasherized attributes

TIL that aria- attributes get the same treatment in Rails tag helpers as data-. That is, you can do: link_to "X", y_path, aria: { pressed: true } -> aria-pressed="true" OR link_to "X", y_path, "aria-pressed" => true -> aria-pressed="true" I can’t find any multi-dash aria properties on MDN, but I imagine Rails will follow the same formatting rules of turning underscores...

Create a trix editor with a hidden toolbar

Trix is fairly new to me, but now that it’s closely integrated with Rails, it’s become by go-to for rich text editing. I’ve been working on a project where I wanted a text field with some basic rich text capabilities, but I wanted the input to look like a normal textarea. This would allow standard text entry, but allow users...

Asserting a partial was rendered in an RSpec view spec

View specs are great. While I always keep in mind they are a unit test and do not test the full integration of a feature, I find that they are fantastic for asserting around all the edge cases of a feature - things like the expected validation messages showing up, or buttons appearing or disappearing based on different scenarios. I...

CLI tool entr for running a command when a file changes

entr is a tool I’ve been using a bunch recently - mostly for watching source files, and running tests when I change the source file. entr can be piped one or more files, which means it’s really easy to use - just use ls, find, or any other tool that outputs filenames, and then pipe it to entr: ls app/models/widget.rb...

Assert window.location properties with Jest and jsdom

I have a React component that is part of a wider Ruby on Rails application. It fetches a record, and if the record does not exist, it redirects to the server-rendered 404 page. Unfortunately, while the user will see the ‘not found’ page, the HTTP status code will be 200 OK by default, because this page is static. Best practise...

Mid King Biv Trip Report

This trip report is really more a cautionary tale of overconfidence and inexperience leading to a challenging Tararua overnight trip to Mid King Biv. Started: 11am from Holdsworth Carpark Finished: 6:30pm the next day at Holdsworth Carpark Travel Times: Day 1: 2 hours to Atiwhakatu Hut (break) 1 hour from Atiwhakatu Hut to the swingbridge over Atiwhakatu Stream 20 minutes...

Quickly access Ruby Mail object parts

Often, mailer specs will start with a simple assertion like expect(mail.body).to include "Some text in the expected email here". This works for a while, but quickly breaks down when an email grows more complex, such as having special characters causing it to be encoded as 7bit or QuotedPrintable, having attachments, or supporting different formats (like plaintext & HTML). I’ve always...

All Posts