Posted to dev@whimsical.apache.org by sebb <se...@gmail.com> on 2016/03/17 21:19:11 UTC

[OT] Wunderbar html - how to output HTML comment with variable content?

The Wunderbar docs mention outputting text with markup:

_{"<em>hello</em>!!!"}

The following also works:

_{"<!-- fixed comment -->"}

However it does not seem to be possible to output an HTML comment
which contains any variable text, e.g. a date.

Is this possible?

Re: [OT] Wunderbar html - how to output HTML comment with variable content?

Posted by Sam Ruby <ru...@intertwingly.net>.
On Fri, Mar 18, 2016 at 11:07 AM, sebb <se...@gmail.com> wrote:
> On 18 March 2016 at 03:28, Sam Ruby <ru...@intertwingly.net> wrote:
>> On Thu, Mar 17, 2016 at 4:19 PM, sebb <se...@gmail.com> wrote:
>>> The Wunderbar docs mention outputting text with markup:
>>>
>>> _{"<em>hello</em>!!!"}
>>>
>>> The following also works:
>>>
>>> _{"<!-- fixed comment -->"}
>>>
>>> However it does not seem to be possible to output an HTML comment
>>> which contains any variable text, e.g. a date.
>>>
>>> Is this possible?
>>
>> The indirect way (which I don't recommend):
>>
>> _{"<!-- fixed comment with #{date} -->"}
>>
>> What that does internally is run an HTML parser on the string, extract
>> nodes, and do the equivalent of the following, which you can do
>> directly:
>
> That presumably explains the need for nokogiri.
> And perhaps the need to untaint.
>
> But I would expect wunderbar to include nokogiri itself or report an
> error if not available?
> Seems odd that the behaviour silently changes depending on what
> happens to be included somewhere in the app.

The history here is that it used to do the require for you at that
point, but when I turned on $SAFE=1, the require would fail, so the
require needs to happen earlier.

The need to untaint (and presumably validate) the input is documented here:

https://github.com/rubys/wunderbar#secure-by-default

What was not documented is that including nokogiri avoids the need to
validate/untaint the input.  I've tried(*) to clarify that.

>> _.comment! "fixed comment with #{date}"
>
> I see.
>
> Perhaps that could be documented in the README?

That, too, was documented, albeit obtusely.  I've added(*) an example:

https://github.com/rubys/wunderbar#methods-provided-to-wunderbarhtml

- Sam Ruby

(*) https://github.com/rubys/wunderbar/commit/d025cbaa794d2369ef5588b394ee458b579c93a9
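Added example, not part of the original thread and not Wunderbar's own code: one way to do the "validate" step mentioned above before variable text goes into an HTML comment, using only the Ruby standard library. The helper names (html_comment, comment_text_ok?, validated_date, UnsafeCommentText) are hypothetical; the forbidden sequences are the HTML standard's restrictions on comment text.

```ruby
require 'date'

# Constructed helpers for illustration; none of this is Wunderbar API.
class UnsafeCommentText < ArgumentError; end

# The HTML standard forbids these sequences anywhere in comment text,
# because a parser would end (or mis-nest) the comment at that point.
FORBIDDEN_IN_COMMENT = ['<!--', '-->', '--!>'].freeze

# True when +text+ is legal comment text under the HTML syntax rules.
def comment_text_ok?(text)
  return false if text.start_with?('>', '->')
  return false if text.end_with?('<!-')
  FORBIDDEN_IN_COMMENT.none? { |seq| text.include?(seq) }
end

# Wrap validated text in comment delimiters. Reject rather than rewrite,
# so a caller never silently emits something other than what it passed in.
def html_comment(text)
  text = text.to_s
  unless comment_text_ok?(text)
    raise UnsafeCommentText, "illegal comment text: #{text.inspect}"
  end
  "<!-- #{text} -->"
end

# Allow-list validation for the "date" case from the thread: accept only
# YYYY-MM-DD naming a real calendar day. \A and \z anchor the whole string
# (^ and $ would match per line and let a second line through).
def validated_date(str)
  unless str.to_s.match?(/\A\d{4}-\d{2}-\d{2}\z/)
    raise ArgumentError, "not an ISO date: #{str.inspect}"
  end
  Date.strptime(str, '%Y-%m-%d').iso8601
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: one good date, two that must be rejected.
  ['2016-03-17', '2016-03-17 --> <b>outside</b>', '2016-02-30'].each do |raw|
    begin
      puts html_comment("generated #{validated_date(raw)}")
    rescue ArgumentError => e
      puts "rejected: #{e.message}"
    end
  end
end
```
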

Re: [OT] Wunderbar html - how to output HTML comment with variable content?

Posted by sebb <se...@gmail.com>.
On 18 March 2016 at 03:28, Sam Ruby <ru...@intertwingly.net> wrote:
> On Thu, Mar 17, 2016 at 4:19 PM, sebb <se...@gmail.com> wrote:
>> The Wunderbar docs mention outputting text with markup:
>>
>> _{"<em>hello</em>!!!"}
>>
>> The following also works:
>>
>> _{"<!-- fixed comment -->"}
>>
>> However it does not seem to be possible to output an HTML comment
>> which contains any variable text, e.g. a date.
>>
>> Is this possible?
>
> The indirect way (which I don't recommend):
>
> _{"<!-- fixed comment with #{date} -->"}
>
> What that does internally is run an HTML parser on the string, extract
> nodes, and do the equivalent of the following, which you can do
> directly:

That presumably explains the need for nokogiri.
And perhaps the need to untaint.

But I would expect wunderbar to include nokogiri itself or report an
error if not available?
Seems odd that the behaviour silently changes depending on what
happens to be included somewhere in the app.

> _.comment! "fixed comment with #{date}"

I see.

Perhaps that could be documented in the README?

> - Sam Ruby

Re: [OT] Wunderbar html - how to output HTML comment with variable content?

Posted by Sam Ruby <ru...@intertwingly.net>.
On Thu, Mar 17, 2016 at 4:19 PM, sebb <se...@gmail.com> wrote:
> The Wunderbar docs mention outputting text with markup:
>
> _{"<em>hello</em>!!!"}
>
> The following also works:
>
> _{"<!-- fixed comment -->"}
>
> However it does not seem to be possible to output an HTML comment
> which contains any variable text, e.g. a date.
>
> Is this possible?

The indirect way (which I don't recommend):

_{"<!-- fixed comment with #{date} -->"}

What that does internally is run an HTML parser on the string, extract
nodes, and do the equivalent of the following, which you can do
directly:

_.comment! "fixed comment with #{date}"

- Sam Ruby

Re: [OT] Wunderbar html - how to output HTML comment with variable content?

Posted by sebb <se...@gmail.com>.
On 18 March 2016 at 02:22, sebb <se...@gmail.com> wrote:
> On 17 March 2016 at 20:19, sebb <se...@gmail.com> wrote:
>> The Wunderbar docs mention outputting text with markup:
>>
>> _{"<em>hello</em>!!!"}
>>
>> The following also works:
>>
>> _{"<!-- fixed comment -->"}
>>
>> However it does not seem to be possible to output an HTML comment
>> which contains any variable text, e.g. a date.
>>
>> Is this possible?
>
> Turns out the variable I was using needed to be untainted.
> So although it looked and behaved like a normal string, it affected the output.
> Also it seems that the syntax only works at all if whimsy/asf is required
>
> That's odd

Turns out wunderbar needs nokogiri for the _{ } syntax to work correctly.
whimsy/asf requires that in podlings.rb and site.rb

Re: [OT] Wunderbar html - how to output HTML comment with variable content?

Posted by sebb <se...@gmail.com>.
On 17 March 2016 at 20:19, sebb <se...@gmail.com> wrote:
> The Wunderbar docs mention outputting text with markup:
>
> _{"<em>hello</em>!!!"}
>
> The following also works:
>
> _{"<!-- fixed comment -->"}
>
> However it does not seem to be possible to output an HTML comment
> which contains any variable text, e.g. a date.
>
> Is this possible?

Turns out the variable I was using needed to be untainted.
So although it looked and behaved like a normal string, it affected the output.
Also it seems that the syntax only works at all if whimsy/asf is required

That's odd