Interesting links

Posted by Luke Francl
on Friday, December 07

Here are a few interesting Ruby links I’ve been keeping open in tabs and minimized browser windows.

  • Faker looks like a great addition to a database fuzz script for more realistic data.
  • Nanoc is a “baked not fried” CMS (it generates static pages) written in Ruby. It looks very cool. I’m thinking about re-doing my personal web site using it.
  • I’m finally trying out make_resourceful. Pretty useful. The problem with plugins like this is that they save you a ton of time if you take the time to learn to use them, but for any individual controller, I could probably write it faster by hand. But I think the investment will pay off. There are a few places where I need more control than make_resourceful’s default assumptions—but it’s really easy to code those actions by hand.
  • Shoulda adds some very nice macros for testing a bunch of stuff with models and controllers. I’m not using the contexts and should syntax yet, though.
  • Having trouble with the new Rails 1.2.6/2.0 cross site request forgery protection and ActionController::InvalidAuthenticityToken errors? It might be due to restful_authentication. Check out this ticket. The solution is to remove the reset_session method in UsersController#create. The newest version of the plugin doesn’t have this problem any more.
  • Django automatically escapes HTML. I think this is a decision that every modern web framework should adopt. You hardly ever want user-submitted content to be displayed with HTML intact, and when you do, you need to pay special attention to which elements will be allowed. Some potential solutions for Rails: use Erubis instead of Erb, acts_as_sanitized, or the whitelist plugin which has been merged into Rails 2.0 (promising, but last time I used it I found it required quasi-valid HTML, and thus broke under real-world conditions).
  • Blueprint CSS framework is rockin’.
  • Friendlier, customizable attachment_fu error messages.
  • That checkbox needs a label. Don’t forget to add labels to check box and radio button fields!
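To make the escaping point above concrete, here is an added example (my own, not code from the post or from any of the plugins it mentions). It uses only ERB and ERB::Util from the Ruby standard library: a template with a plain `<%= %>` tag lets user-submitted markup through untouched, while the same template with `h()` entity-encodes it. The second helper shows the "escape everything first, then re-enable a fixed allowlist of attribute-free tags" pattern, which sidesteps the quasi-valid-HTML problem because nothing that was not explicitly re-enabled can survive the initial escape. The sample comment text is constructed for the demonstration.

```ruby
require 'erb'
include ERB::Util # provides html_escape and its alias h

# Render a comment body through ERB. With escape: false the template uses
# a bare <%= body %>, which is what Erb/Rails 2.0 did by default and is
# the output-encoding gap the post is talking about. With escape: true the
# template wraps the value in h(), which entity-encodes & < > " and '.
def render_template(body, escape:)
  template = escape ? '<p><%= h(body) %></p>' : '<p><%= body %></p>'
  ERB.new(template).result(binding)
end

# Tags that a comment is allowed to keep. All are attribute-free, so
# re-enabling them cannot reintroduce event handlers or javascript: URLs.
ALLOWED_TAGS = %w[b i em strong code].freeze

# Escape-then-allowlist: encode the whole string first, then translate
# back only the exact opening/closing forms of the allowed tags.
# Anything carrying attributes (e.g. <b onmouseover="...">) does not match
# the exact "&lt;b&gt;" form and therefore stays escaped. A matching
# closing tag may be re-enabled on its own; an orphan </b> is harmless.
def render_comment_with_allowlist(body)
  escaped = html_escape(body)
  ALLOWED_TAGS.each do |tag|
    escaped = escaped.gsub("&lt;#{tag}&gt;", "<#{tag}>")
                     .gsub("&lt;/#{tag}&gt;", "</#{tag}>")
  end
  escaped
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample of a hostile comment body
  sample = 'Nice post <b>Luke</b>! <script>alert(1)</script>'
  puts render_template(sample, escape: false)        # script tag survives
  puts render_template(sample, escape: true)         # everything encoded
  puts render_comment_with_allowlist(sample)         # <b> kept, script encoded
  puts render_comment_with_allowlist('<b onclick="x">y</b>') # attribute form stays encoded
end
```

The allowlist helper is intentionally a string rewrite rather than an HTML parser: because it only ever un-escapes a handful of literal byte sequences, its worst case is leaving something escaped, never letting something through.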

So many links from Ara T. Howard that he deserves his own section:

What’s all the secret glue behind most of these links? Shhh. Don’t tell anyone I told you.

Comments


  1. Justin, December 10, 2007 @ 06:42 AM

    Nanoc looks amazing. I’ve been waiting for something like this for a long time. A dynamic way to build static sites. Fantastic.

  2. Dan, December 10, 2007 @ 01:42 PM

    I would love to see auto-escaping added into ERB and Rails. It could be a global flag that is turned on by default in newly generated app configs, but false if it’s not been set explicitly in config.

    There’s a trend in Rails right now to clean up some of the security problems, and I think this would be accepted as a patch provided that it didn’t break any deployed code.

  3. Luke Francl, December 10, 2007 @ 02:51 PM

    Dan—I’m not sure if it could be done in a way that doesn’t break deployed code (unless, as you say, it was a configuration option). But I would definitely love to see it done.

    My co-worker Eric has just posted an article about using Erubis with Rails 2.0. We are trying it out on our new application. It gets most of what you want with HTML escaping, and is faster than Erb to boot.