On Fri, Mar 18, 2016 at 11:07 AM, sebb <seb...@gmail.com> wrote:
> On 18 March 2016 at 03:28, Sam Ruby <ru...@intertwingly.net> wrote:
>> On Thu, Mar 17, 2016 at 4:19 PM, sebb <seb...@gmail.com> wrote:
>>> The Wunderbar docs mention outputting text with markup:
>>>
>>> _{"<em>hello</em>!!!"}
>>>
>>> The following also works:
>>>
>>> _{"<!-- fixed comment -->"}
>>>
>>> However it does not seem to be possible to output an HTML comment
>>> which contains any variable text, e.g. a date.
>>>
>>> Is this possible?
>>
>> The indirect way (which I don't recommend):
>>
>> _{"<!-- fixed comment with #{date} -->"}
>>
>> What that does internally is run an HTML parser on the string, extract
>> nodes, and do the equivalent of the following, which you can do
>> directly:
>
> That presumably explains the need for nokogiri.
> And perhaps the need to untaint.
>
> But I would expect wunderbar to include nokogiri itself or report an
> error if not available?
> Seems odd that the behaviour silently changes depending on what
> happens to be included somewhere in the app.

The history here is that it used to do the require for you at that
point, but when I turned on $SAFE=1, the require would fail, so the
require needs to happen earlier.

The need to untaint (and presumably validate) the input is documented
here:

https://github.com/rubys/wunderbar#secure-by-default

What was not documented is that including nokogiri avoids the need to
validate/untaint the input. I've tried(*) to clarify that.

>> _.comment! "fixed comment with #{date}"
>
> I see.
>
> Perhaps that could be documented in the README?

That, too, was documented, albeit obtusely. I've added(*) an example:

https://github.com/rubys/wunderbar#methods-provided-to-wunderbarhtml

- Sam Ruby

(*) https://github.com/rubys/wunderbar/commit/d025cbaa794d2369ef5588b394ee458b579c93a9
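To make the difference between the two approaches in the thread concrete, here is a small added example in plain Ruby. It is not Wunderbar's code: `MiniHtml`, `naive_comment`, `sanitize_comment_text` and `comment_intact?` are constructed names, and the `BREAKOUT` value is a constructed input. It shows why interpolating variable text into a raw comment string (`_{"<!-- ... #{date} -->"}`) is fragile, since the value is treated as markup and can terminate the comment, and how a `comment!`-style method that treats its argument as comment data keeps the text inside the comment.

```ruby
# Added example, not Wunderbar's own code. MiniHtml, naive_comment,
# sanitize_comment_text and comment_intact? are constructed names.
#
# The thread contrasts two ways of emitting an HTML comment with variable text:
#   _{"<!-- fixed comment with #{date} -->"}   # string is parsed as markup
#   _.comment! "fixed comment with #{date}"    # text is comment data
# The first treats whatever ends up in `date` as markup, so a value that
# happens to contain "-->" closes the comment early.

# Constructed "date" value that terminates the comment it is placed in.
BREAKOUT = "2016-03-18 --><b>not a comment</b>"

# The indirect approach: plain string interpolation into raw markup.
def naive_comment(text)
  "<!-- fixed comment with #{text} -->"
end

# Neutralize the sequences the HTML specification forbids inside comment data:
# "--" anywhere, a leading ">" or "->", and a trailing "-". We break them up
# with a space rather than rejecting the input, so the text stays readable.
def sanitize_comment_text(text)
  t = text.to_s.gsub(/-(?=-)/, '- ')   # "--" becomes "- -"
  t = t.sub(/\A(?=>|->)/, ' ')          # never start with ">" or "->"
  t.sub(/-\z/, '- ')                    # never end with "-"
end

# Minimal builder in the spirit of the thread's `_` object.
class MiniHtml
  def initialize
    @out = []
  end

  # Equivalent of _{"..."}: the string is taken as markup and passed through.
  def raw(markup)
    @out << markup.to_s
    self
  end

  # Equivalent of _.comment!: the argument is comment data, not markup.
  def comment!(text)
    @out << "<!-- #{sanitize_comment_text(text)} -->"
    self
  end

  def to_s
    @out.join("\n")
  end
end

# Check used below: the output must be exactly one well-formed comment,
# with no "--" inside it and nothing emitted outside it.
def comment_intact?(html)
  !!(html =~ /\A<!--(?:(?!--).)*-->\z/m)
end

if __FILE__ == $0
  puts naive_comment(BREAKOUT)   # comment closed early; <b> is live markup
  puts MiniHtml.new.comment!("fixed comment with #{BREAKOUT}").to_s   # still one comment
end
```

The check in `comment_intact?` is the kind of assertion worth keeping in a template test suite: any value that reaches a comment via string interpolation must still produce a single comment node, otherwise the "comment" has become a markup injection point.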