<%# lib/views/users.erb %>
<% @users.each do |user| %>
<td><%= user.id %></td>
<td><%= user.name %></td>
<% end %>
any user-defined input will show the unescaped value. This setup is immediately vulnerable to persistent XSS attacks. For instance, a User with a name like <script src=http://www.example.com/malicious-code.js></script> will appear as:
So I find this little bastard in Rails~> 4.0.0 wicked annoying.
Except, I get it. It’s not up to Rails to decide if you want run your migrations or not.
Sometimes you are working on tests, and you have a pending migration but you don’t want it to run yet. What I do dislike is checking out some updates, running tests and then immediately failing. DataMapper is especially anal about this because of the relationship integrity checks.
My solution is to sprinkle this little snippet around:
The real clutch piece here is that having a migration checked into git effectively means it’s ready for party time.
The gating of the development and test environment is important because you probably don’t want your database migrations to run as a side effect of booting your app in production.
I usually stuff this in config/application.rb but you could just as easily but it in a config/initializer/auto_migrate.rb file.
I have a tendency to keep my right pinky down on the shift key when typing : to enter vim command mode. This causes my command to start with a capital letter, which is rarely useful. Besides focusing more on lifting it up more quickly I have configured vim to figure out what my intentions really are.
My most commonly misspelled commands are:
:Wa which is intended to be :wa - write all files
:W which is intended to be :w - write current buffer
:E which is intended to be :e - open a file
I’ve remapped the previous errored commands to be their intended targets by adding