Lucian Ghinda

Posted on • Edited on • Originally published at allaboutcoding.ghinda.com

Using Cursor IDE for some small changes in a Rails app

As part of my learning path about how to use AI/LLMs to augment my developer productivity, I started using www.cursor.so.

Here I will show you how I made two changes to the rubyandrails.info website.

Replacing a form with a Phlex component

The first task I asked for was replacing an HTML form with a component. To achieve this in Cursor (macOS edition), select the text and press CMD+K. A pop-up then appears where you can ask your question (or write your prompt) like this:

Asking Cursor to refactor code

After submitting, Cursor (which in this case uses GPT-4 under the hood) produces a diff for the selected code and asks you to accept it or not:

The response from Cursor IDE

I like that it proposed a diff, because I can review it and check whether it is correct.

This was a small change and I was happy with the result. I did many more replacements like this one, but I did not use the Cursor LLM for them.

My conclusion is that for this very small case, writing the prompt and reviewing the change is much more effort than writing the code myself, and the return on investment is small. It does not even contain any new insight or anything for me to learn.

What I would like (and maybe Cursor can already do this, but I am just starting to use it) is to ask it to replace all forms like that with the component. I would still need to review the code, because the risk is that it replaces code that looks similar but is not the same search functionality.

A small security PR

Next, I moved from the Edit-with-LLM functionality to the Chat-with-LLM functionality that Cursor IDE offers.

Looking at the source code, I noticed the following line, which I think is a security risk:

```erb
<strong>Search Term: </strong><%= params[:search_term] %>
```

So I asked the Cursor chat the following:

GPT4 prompt to ask for security analysis

One advantage I found while using Cursor chat is that it makes it easy to reference open files in a prompt.

Notice that I opened _index_nav.html.erb and referenced it in my prompt with @_index_nav.html.erb; Cursor read the file's content and provided it to GPT-4. The same can be achieved by selecting the text and pressing CMD+L, which adds the selected code itself as context in the chat. By the way, with CMD+L you can add multiple pieces of code from multiple files (but we will explore that in another article).

Here is the response:

Response from Cursor chat

What I notice in the response is that h is indeed an alias for html_escape, but the response is a bit outdated. Since Rails 3.0 there is no need to escape with h because:

  • You no longer need to call h(string) to escape HTML output, it is on by default in all view templates. If you want the unescaped string, call raw(string).

The suggested change, although it won't break anything, is unnecessary. Furthermore, since this information dates from Rails 3.0, GPT-4 should already be aware of it.

I followed up with this question:

```text
In this context is `html_escape` or `h` enough to mitigate
the security risk of displaying an URL parameter provided
by the user inside an ERB file?
```

Here is the response:

GPT4 response about using html_escape

As I mentioned, the response is logical, but in this specific case, rendering user input in the view via <%= %> already escapes it by default, so calling h is not needed.
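To make the escaping rules concrete, here is an added illustration that is not part of the original post or of Rails: a toy model of the Rails 3+ output-escaping behaviour, written from scratch on top of Ruby's stdlib `ERB::Util`. `SafeString`, `render` and `PARAMS` are assumed stand-ins for illustration, not ActionView/ActiveSupport API.

```ruby
require "erb"

# Toy model of the Rails 3+ output-escaping rules (assumption: written for
# illustration, not ActionView/ActiveSupport code). Rails tags strings as
# html-safe or not, <%= %> escapes anything not already marked safe, and
# `h` is just an alias for html_escape.
class String
  def html_safe?
    false                                 # plain strings are untrusted input
  end
end

class SafeString < String                 # stand-in for ActiveSupport::SafeBuffer
  def html_safe?
    true
  end
end

# Escape a value once. Already-safe strings pass through untouched, which is
# why calling h on auto-escaped output is redundant rather than harmful.
def html_escape(value)
  return value if value.respond_to?(:html_safe?) && value.html_safe?
  SafeString.new(ERB::Util.html_escape(value.to_s))
end
alias h html_escape

# raw opts out of escaping entirely; this is the call to look for in a review.
def raw(value)
  SafeString.new(value.to_s)
end

# Toy renderer: each <%= expr %> result goes through html_escape, which is
# what the ActionView ERB handler does for you automatically.
def render(template, params)
  template.gsub(/<%=\s*(.*?)\s*%>/) do
    expr = Regexp.last_match(1)
    html_escape(eval(expr, binding))      # `params` is visible to the expression
  end
end

# Constructed sample input: a search term carrying a script tag.
PARAMS = { search_term: "<script>alert(1)</script>" }.freeze
TEMPLATE = "<strong>Search Term: </strong>"

puts render(TEMPLATE + "<%= params[:search_term] %>", PARAMS)     # escaped
puts render(TEMPLATE + "<%= h params[:search_term] %>", PARAMS)   # same output
puts render(TEMPLATE + "<%= raw params[:search_term] %>", PARAMS) # unescaped
```

The second line prints exactly the same as the first, which is the point about h being redundant here; only the raw call changes what reaches the browser.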

I still decided to extract the display of the search term into a component, so it is ready for further UI improvements across all pages.

You can see the PRs that I implemented with Cursor at:

Some temporary conclusions

I used very simple prompts. Almost no context was given except for the Ruby files or the code itself. Nor did I ask proper follow-up questions to nudge it in the desired direction. There was also no instruction about what good code looks like for me.

I already had a good idea of what to look for, so it was easy to know when a result was what I expected and when it was not.

The changes I made were small, so it was easy to assess the code.

One challenging task is to determine if a response is up-to-date, as demonstrated by the interaction about escaping the parameter.


Enjoyed this article?

Join my Short Ruby News newsletter for weekly Ruby updates. For more Ruby learning resources, visit rubyandrails.info. You can also find me on Ruby.social or LinkedIn.
