Making SQLite faster in Rails apps
Rubyland
2h ago
Originally appeared on Ruby Weekly. #699 — April 18, 2024 Ruby Weekly Prism in 2024 — Ruby 3.3 included a new standard library called Prism, a Ruby language parser that can be used internally by Ruby itself or as a library by your own code. It’s been a huge effort, and Kevin shares the full story of Ruby parsing (starting all the way back in 1994!) and how Prism is rapidly becoming a key part of the Ruby ecosystem. Kevin Newton Memetria: Secure, Scalable Redis Hosting — High performance Redis hosting with large key tracking, detailed metrics, and a superior uptime ..read more
Delegated types in Rails: I tried them, and I’m not sure I really understood them.
Rubyland
9h ago
Originally appeared on Rémi Mercier. Delegated types are a modelization pattern introduced in Rails in 2020. While researching this pattern for a feature, I found that existing articles overly focus on the theoretical comparison between delegated types, STI, and polymorphism. Examples used in these posts are often unrepresentative of the complexity of real-life applications. Today, I want to share a real-world use case. I’ll walk you through my pre-existing domain architecture, the initial requirements, my mistakes, how I eventually used delegated types, what I learned, and my open questions ..read more
How do you calculate the ROI of product management?
Rubyland
1d ago
Originally appeared on Test Double. tldr: Product management is increasingly prevalent – with everyone from the most prestigious schools to enterprise companies investing in it. The strategic function of product management maximizes revenue potential in several critical areas — including user adoption, time-to-market, risk mitigation, and data-driven decision making. It’s tough to measure product management by traditional ROI measures, because you can’t always quantify benefits like time saved or technical debt avoided. MySpace, Google Glass, Quibi and Vine serve as cautionary tales. Once tit ..read more
The Implications of Crypto Rewards on RubyGems.org
Rubyland
1d ago
Originally appeared on RubyGems Blog. Recently, at RubyGems.org, we’ve encountered an unusual surge of empty packages, triggering an investigation by our team. This influx of pointless gems, referencing one of the reasonably popular packages, hinted at an attempt to manipulate the tea.xyz protocol. As with any potentially risky incident, we delved deeper into the motives and mechanics behind these submissions. This short article contains our investigation, the conclusions we’ve reached, and how, theoretically, individuals looking to abuse the system can distort the idea of rewarding OSS contri ..read more
GHSA-g7xq-xv8c-h98c (phlex): Cross-site Scripting (XSS) possible due to improper sanitisation of `href` attributes on `<a>` tags
Rubyland
1d ago
Originally appeared on RubySec. ### Summary There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. Our filter to detect and prevent the use of the `javascript:` URL scheme in the `href` attribute of an `<a>` tag could be bypassed with tab `\t` or newline `\n` characters between the characters of the protocol, e.g. `java\tscript:`. ### Impact If you render an `<a>` tag with an `href` attribute set to a user-provided link, that link could potentially execute JavaScript when clicked by another user. ```ruby a(href: user_profile) { "Profile ..read more
The tale of an XSS in Phlex
Rubyland
1d ago
Originally appeared on Greg Molnar. Phlex is a Ruby gem for building HTML components. Even though the HTML specification permits the usage of the javascript scheme in the href attribute of an anchor tag, Phlex doesn’t permit it to prevent an accidental XSS. When I had an initial look at the gem around its inception, I didn’t really check how this filtering works, but a Twitter exchange with Joel reminded me to see if it can be bypassed somehow ..read more
Prism in 2024
Rubyland
2d ago
Originally appeared on Rails at Scale. In Ruby 3.3.0, a new standard library was added to CRuby called Prism. Prism is a parser for the Ruby language, exposed as both a C library (optionally usable by CRuby) and a Ruby library (usable as a Ruby gem). The Prism project represents many person-years worth of effort, and is the result of a collaboration between Shopify, CRuby core contributors, other Ruby implementation authors, and Ruby tooling developers. This post provides an overview of the Prism project — why it exists, where it stands today, and what the future holds. It also gives some insi ..read more
How to use GitHub Copilot with AstroVim 4
Rubyland
2d ago
Originally appeared on Mike Coutermarsh. This took me a while to figure out. In this file: ~/config/nvim/lua/user/plugins/community.lua you need to add the following line: { import = "astrocommunity.completion.copilot-lua-cmp" }, Then, when you start nvim again, run `:Copilot auth`. This will trigger the setup and you'll be good to go ..read more
423: Cognitive Strategies for Coders
Rubyland
2d ago
Originally appeared on The Bike Shed. Stephanie is back with a book recommendation: "Thinking in Systems" by Donella Meadows. This book has helped to bolster her understanding of complex systems in environmental, organizational, and software contexts, particularly through user interactions and system changes. Joël describes his transformative experience watching last week's total solar eclipse. Together, they explore how systems thinking influences software development and team dynamics by delving into practical applications in writing and reading code, suggesting that understanding complex sy ..read more
Ruby Heredocs
Rubyland
3d ago
Originally appeared on Alchemists - Articles. Ruby Heredocs Ruby heredocs — or here documents — are a nice way to embed multiple lines of text as a separate document in your source code while preserving line breaks, indentation, and other forms of whitespace. This frees you up from having to concatenate multiple lines of strings which can get cumbersome. Heredocs originate from UNIX as generally found in shell scripting. Heredocs are not specific to the Ruby language, though. Other languages incorporate some form of this syntax as well. For the purposes of this article, we’ll explore t ..read more
