The Dev Blog comments

"IE is braindead! (Wild card certs and https redirects)" by Craig Francis

Tue, 03 Apr 2007 05:43:29 -0400

I second the FireFox vote... actually, I would say any alternative browser, as Opera, Safari, iCab etc all work really well.

And as a side note, for those using PHP, I normally have this little 'goto' function available on my websites...

function goto($goto) {

if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') {
    if (preg_match('/http:\/\//', $goto)) {
        header('Refresh: 0; URL=' . $goto);
        exit('<a href="' . htmlentities($goto) . '">Loading...</a>');
    }
}

header('Location: ' . $goto);
exit('<p>Goto <a href="' . htmlentities($goto) . '">next page</a></p>');

}

Sorry if the indenting does not work, but I bet you can guess what the main body of this function is for (yes, the retarded browser).

"IE is braindead! (Wild card certs and https redirects)" by Guy Naor

Mon, 02 Apr 2007 16:48:40 -0400

I'm happy we are getting more and more Firefox users! The share of Firefox has benn constantly growing for us. And not only here in the blog which is developers oriented. Even the main Famundo website and the application itself.

"IE is braindead! (Wild card certs and https redirects)" by pcx99

Mon, 02 Apr 2007 16:44:05 -0400

Good thing your pages don't use javascript's prompt command or you'd have another thing to add to your list ;)

"Lost In Binding - Adventures In Ruby Metaprogramming" by Guy Naor

Sun, 01 Apr 2007 14:32:20 -0400

Piers, unfortunately the code you posted still doesn't work. The reason it doesn't is that we still have an internal block in the call to form_tag that goes into the concatenator.

But I did find a way of using capture which simplifies the code (though still makes it look a bit hackish...):

def secure_form_tag(*form_tag_params, &block)
  if block_given?
    @res = <<-EOF
      #{form_tag(*form_tag_params)}
      #{capture(&block)}
      #{hidden_field_tag('session_id_validation', security_token)}
      </form>
    EOF
    eval '_erbout.concat @res', block
  else
    "#{form_tag(*form_tag_params)} #{hidden_field_tag('session_id_validation', security_token)}"
  end
end

BTW, notice the need to use @res to make it work, or the var is hidden from the block bindings.

Thanks again for the capture trick, didn't see it before :-)

"Lost In Binding - Adventures In Ruby Metaprogramming" by Guy Naor

Sun, 01 Apr 2007 10:19:13 -0400

Piers,

This is nice, though like you said, not much different with regard to all the copying of the strings, which I suspect can't be prevented.

Thanks for the idea!

"Lost In Binding - Adventures In Ruby Metaprogramming" by Piers Cawley

Sat, 31 Mar 2007 16:41:09 -0400

Dang, forgot to replace both calls to hidden_field_tag in that rewritten secure_form_tag. L'esprit d'escalier strikes again.

"Lost In Binding - Adventures In Ruby Metaprogramming" by Piers Cawley

Sat, 31 Mar 2007 16:39:05 -0400

Ah yes, of course.

Further inspection of the docs suggests that:

def security_token_field
  hidden_field_tag "session_id_validation"), security_token
end

def concatenator(binding)
  lambda {|str| concat(str, binding)}
end

def secure_form_tag(*form_tag_params, &block)
  if block_given?
    form_body = capture &block;
    concatenator(block).call \
      form_tag(*form_tag_params) { security_token_field + form_body }
  else
    "#{form_tag(*form_tag_params)}
#{hidden_field_tag('session_id_validation', security_token)}"
  end
end

Should do the trick. All that ugliness with string_eval still happens, but it's hidden behind the abstraction wall.

I may have got a little bit Higher Order Function happy on concatenate's ass.

"Lost In Binding - Adventures In Ruby Metaprogramming" by Guy Naor

Fri, 30 Mar 2007 09:02:42 -0400

Piers,

Unfortunately this can't work. I wish it was that simple :-).

The reason it doesn't, is that when using

form_tag(...) do end

the form and /form tags wrap the form elements around the block. And so our added hidden field will be outside the form. We need a way to inject the hidden field into the block.

"Lost In Binding - Adventures In Ruby Metaprogramming" by Piers Cawley

Fri, 30 Mar 2007 03:15:00 -0400

I've not tried it, but what's wrong with:

form_tag(url_for_options, *parameters_for_url, &block)

If you don't create a new block, you don't have to create a new binding.

"Lost In Binding - Adventures In Ruby Metaprogramming" by K. Adam Christensen

Thu, 29 Mar 2007 16:58:00 -0400

What if you just did a concat on the hidden tag and the block's binding and then pass that block into the form_for method.

http://pastie.caboo.se/50396

Not tested, but an idea.