
I'm making resourceful routes for YouTube videos. So, a person just pastes the YouTube embed link in the form. In the controller I have a normal set of resourceful actions:

class VideosController < ApplicationController
  def index
    @videos = Video.all
  end

  def new
    @video = Video.new
  end

  def create
    Video.create(params[:video])
    redirect_to :action => :index
  end

  def destroy
    Video.destroy(params[:id])
    redirect_to :action => :index
  end
end

And in the view I'm just displaying it: (in Haml)

- @page_title = 'Video'

#videos
  %ul
    = list_of(@videos) do |video|
      %h1= video.title
      != video.link
      = link_to "Delete", video_path(video), :method => :delete

  = link_to "Add new video", new_video_path

  %p#top
    = link_to 'Go to top ↑', '#'

For those who don't use Haml: != escapes the string. video.link holds the YouTube embed code.

The problem is that when I create a new video and it redirects me back to the index page, the newly created video isn't displayed (the other ones are displayed normally). Only after I refresh the page is it displayed normally.

I saw in the web inspector that the src attribute is missing from the iframe (so that's why the video isn't displayed). But when I look at the page source, everything is normal there. So, thinking it might be JavaScript's fault, I tried disabling it. But nothing changed.

Janko
  • You wrote `And in the view I'm just displaying it.` -- but that's everything... please add the view code for the iframe or javascript widget you're using – Jesse Wolgamott Jan 27 '12 at 19:20
  • When you get redirected to #index, does the title and/or delete link show? Also, is there any background processing that updates the record after it is created? – Jesse Wolgamott Jan 27 '12 at 19:32
  • Is `video.link` the iframe code? You're still not showing the iframe code you're using.... – iwasrobbed Jan 27 '12 at 19:45
  • All of the links are shown. No, there is no background process (there is just one administrator, so I figured there is no need). About the `video.link`, yes, it holds a YouTube embed link, for example `` – Janko Jan 27 '12 at 19:49

1 Answer

I don't think you want to escape it using haml... I think you want to call

video.link.html_safe

Note: if the user is pasting in the link, this is very unsafe.

Update --- If you have the JavaScript developer console open, you'll see this error pop up:

**Refused to execute a JavaScript script. Source code of script found within request.**

Check this answer for why it's refusing to, due to XSS. Here's a method that is both safe and works. You'll paste the YouTube ID into the text field: ibWYROwadYs

index.erb

<% if session[:youtube].present? %>
  <iframe width="480" height="360" src="http://www.youtube.com/embed/<%=session[:youtube]%>" frameborder="0" allowfullscreen></iframe>
<% end %>

<%= form_tag load_path do %>
  <%= text_field_tag :youtube_id %>
  <%= submit_tag "Submit" %>
<% end %>

<%= link_to "Clear", clear_path, :method => :delete %>

home_controller.rb

class HomeController < ApplicationController
  def index
  end

  # Reached via load_path (routes.rb is not shown; assumed to map here).
  # Stores only the submitted video ID, not any pasted markup.
  def smth
    session[:youtube] = params[:youtube_id]
    redirect_to :action => :index
  end

  # Reached via clear_path with DELETE.
  def clear
    session.clear
    redirect_to :action => :index
  end
end
Jesse Wolgamott
  • Thanks, I'll keep that in mind. I didn't worry about safety because only an administrator will have access to this. I'm making the website for that person, so I'm just doing a basic CMS. – Janko Jan 27 '12 at 20:21
  • It didn't work. Sorry, I forgot that I have to tell you that, instead of just not accepting. – Janko Jan 27 '12 at 20:37
  • Can you `=debug video.link`? That'll tell you if the link is stored in the database or not. – Jesse Wolgamott Jan 27 '12 at 21:19
  • Yes, it's stored in the database (I mentioned that it appears when you just refresh #index after being redirected to it). The problem doesn't happen if I enter custom text instead of a YouTube embed link. I'm 100% sure it has something to do with it being an iframe. Wow, I just tried reproducing the problem in the simplest possible way, making a new Rails project, adding a "home" controller, and only changing [this](https://gist.github.com/1691441) code (did it in ERB just in case), and there is still that error. Try something similar, and you should get the same. – Janko Jan 27 '12 at 23:10
  • I just found out something interesting. If, instead of a form, I use a simple link to the action which puts the youtube embed link in a session, this problem won't happen. – Janko Jan 27 '12 at 23:39
  • Maybe you didn't see the link above; I linked you a [gist](https://gist.github.com/1691441) which reproduces this error on a new Rails application. After pasting that code and running the server, just click submit, and watch the iframe taking up space but not displaying. Then try refreshing. What is a remote form? – Janko Jan 29 '12 at 14:43
  • Thank you very much, I get it now :). Since a person will be pasting a YouTube embed link, I cannot actually achieve that the iframe isn't sent in the form. But I also found a temporary fix: just substitute double quotes with single quotes when retrieving the new record from the database when I'm redirected back to #index. But now I know why it happens. – Janko Jan 29 '12 at 20:42
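The answer's approach (keep only the video ID and render a fixed iframe template) carried one step further, as an added example that is not part of the answer or of any Rails code: it extracts the ID from whatever the admin pasted (embed snippet, watch URL, short URL or bare ID), validates it, discards everything else, and only then builds the markup. Method names and the accepted URL shapes are assumptions of this example; the ID ibWYROwadYs is the one from the answer.

```ruby
require 'erb'

# Eleven URL-safe characters, the shape of every YouTube video ID.
YT_ID = '[A-Za-z0-9_-]{11}'
YT_ID_ONLY = /\A#{YT_ID}\z/
# Places an ID can appear in a pasted embed snippet, watch URL or short URL
# (assumed set of sources for this example).
YT_SOURCES = [
  %r{youtube\.com/embed/(#{YT_ID})(?![A-Za-z0-9_-])},
  %r{youtu\.be/(#{YT_ID})(?![A-Za-z0-9_-])},
  %r{youtube\.com/watch\?(?:[^#]*&)?v=(#{YT_ID})(?![A-Za-z0-9_-])}
].freeze

# Returns the video ID found in the pasted text, or nil when no recognisable
# YouTube reference is present. Nothing else from the paste is kept, so any
# surrounding markup or extra attributes are dropped rather than stored.
def extract_youtube_id(pasted)
  text = pasted.to_s.strip
  return text if text.match?(YT_ID_ONLY)
  YT_SOURCES.each do |pattern|
    m = pattern.match(text)
    return m[1] if m
  end
  nil
end

# Builds the embed from a fixed template: only the validated ID and integer
# dimensions are interpolated, never the pasted string, so html_safe on
# user-supplied HTML is no longer needed anywhere.
def youtube_iframe(pasted, width: 480, height: 360)
  id = extract_youtube_id(pasted)
  return nil unless id
  # Already validated against YT_ID_ONLY; escaping is belt and braces.
  safe_id = ERB::Util.html_escape(id)
  %(<iframe width="#{width.to_i}" height="#{height.to_i}" ) +
    %(src="https://www.youtube.com/embed/#{safe_id}" frameborder="0" allowfullscreen></iframe>)
end

if __FILE__ == $0
  # Constructed sample pastes: the embed code from the question, a watch URL,
  # and two pastes carrying markup that must not reach the page.
  [
    '<iframe width="480" height="360" src="http://www.youtube.com/embed/ibWYROwadYs" frameborder="0" allowfullscreen></iframe>',
    'https://www.youtube.com/watch?v=ibWYROwadYs&t=10s',
    '<script>alert(1)</script>',
    'ibWYROwadYs" onload="alert(1)'
  ].each { |p| puts "#{p.inspect} => #{youtube_iframe(p).inspect}" }
end
```

Because the form now submits an ID rather than iframe markup, the redirected index response no longer echoes the submitted markup, which is what the browser's "source code of script found within request" refusal quoted in the answer is about.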