I am using the sanitizer in my Rails app, but I would like to allow the <font> tag and style="" inside a tag.
config.action_view.sanitized_allowed_tags = ['font']
config.action_view.sanitized_allowed_attributes = ['style']
Two issues here:
This overwrites all the default tags that are allowed. I would like to add to the list of allowed tags and not substitute the list
It says moved or deprecated, should this worry me? https://apidock.com/rails/ActionView/Helpers/SanitizeHelper/ClassMethods/sanitized_allowed_tags%3D
I am working on a Rails application whose HAML templates frequently make use of a routine called sanitize. I have deduced from context that this routine sanitizes user-controlled HTML. Example:
# views/feed_items/_about.html.haml
%h3 Summary:
.description
= sanitize @feed_item.description
I want to make this routine add 'rel=nofollow' to all outbound links, in addition to what it's already doing. What is the most straightforward way to do that?
N.B. I am not having any luck finding the definition of this method, or the official configuration knobs for it. The vendor directory has two different HTML sanitizer gems in it and I can't even figure out which one is being used. This is a large, complicated web application that I did not write, and I barely understand Ruby, let alone all of Rails' extensions to it. Please assume I do not know any of the things that you think are obvious.
The sanitizer will strip out the rel tags if they exist.
I ran into a similar issue and added an additional helper method - clean_links to the ApplicationHelper module, and called it after sanitizing the content.
# application_helper.rb
def clean_links html
  # Find every opening <a ...> tag and append rel="nofollow" to it.
  # (The regex in the original post was garbled; this is a reconstruction
  # that does what the answer describes.)
  html.gsub!(/<a\b([^>]*)>/i, '<a\1 rel="nofollow">')
  html.html_safe
end
This method looks for all <a> tags, and adds rel="nofollow". The html_safe method is necessary or else the HTML will be displayed as a string (it's already been sanitized).
This solution treats all links equally, so if you only want this for links pointing outside the domain, you'll have to update the REGEX accordingly.
In your view: <%= clean_links sanitize(@something) %>
So, first the content is sanitized, then you add the rel="nofollow" tag before displaying the link.
Actually there's a built-in way:
sanitize "your input", scrubber: Loofah::Scrubbers::NoFollow.new
I'm building an application that has a HTML GUI interface to create, move and edit boxes (div) inside a container div. These boxes get assigned inline styles when editing, these inline styles are saved to the database and are output in the views:
<%= sanitize raw(@slide.content) %>
I want to sanitize the HTML itself, to prevent someone hacking in, for instance, a script tag by editing what's sent to the server when the boxes are saved.
Rails 4 has a helper method sanitize available through the class ActionView::Helpers::SanitizeHelper. When I use this with a test content value that contains a malicious <script> tag, the script gets removed just fine. But sanitizing the content also strips CSS properties inside the style tag that are necessary for the boxes, like top, left, position, etc.
In the linked documentation, it's stated that sanitize will automatically use the function sanitize_css when it comes across a style attribute:
sanitize_css(style)
Sanitizes a block of CSS code. Used by sanitize when it comes across a style attribute.
I do not want this behaviour of sanitize. How can I disable sanitize using sanitize_css, to sanitize the HTML, but not the CSS?
You can allow any attributes and tags you need, so Rails will skip them.
sanitize raw(@slide.content), tags: %w(table tr td ul li), attributes: %w(style href title)
Speaking about CSS rules themselves, it's a bit harder to allow additional rules, but still possible. You can monkey patch the HTML::WhiteListSanitizer class (https://github.com/rails/rails/blob/c71c8a962353642ee44b5cc6ed68dc18322eea72/actionpack/lib/action_view/vendor/html-scanner/html/sanitizer.rb). There are several attributes that can help.
In your config/application.rb file:
config.action_view.sanitized_allowed_tags = nil
config.action_view.sanitized_allowed_attributes = nil
safe lists found here: loofah html5 safelist
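Allowing the style attribute through, as the answers above do, hands the whole attribute value to the browser, so the alternative to disabling sanitize_css is to keep a CSS allow-list and widen it to the properties the boxes need. The block below is an added example, not code from the answers or from Rails; it mirrors the shape of sanitize_css (allow-listed property names, allow-listed keywords, a narrow pattern for numeric and colour values, fail closed on anything else) and the property list is an assumption you would adjust for your own boxes:

```ruby
# Added example (not the page's or Rails' code): keep CSS sanitization but
# extend the property allow-list so the box-positioning declarations survive.
# Allow-listed property names and keywords plus a narrow value pattern;
# anything else, including url() and expression(), is dropped.
ALLOWED_CSS_PROPERTIES = %w[
  position top left right bottom width height z-index
  color background-color font-size font-weight text-align
].freeze # assumed list; extend for your own boxes

ALLOWED_CSS_KEYWORDS = %w[
  absolute relative static fixed auto bold normal left right center none
].freeze

# Hex colours, plain numbers with an optional unit, or rgb(r, g, b).
SAFE_CSS_VALUE_RE = /\A(?:#[0-9a-f]{3,8}|-?\d+(?:\.\d+)?(?:px|em|rem|pt|%)?|rgb\(\s*\d{1,3}\s*,\s*\d{1,3}\s*,\s*\d{1,3}\s*\))\z/i

# Returns only the declarations of `style` that pass the allow-list.
def sanitize_style(style)
  kept = []
  style.to_s.split(";").each do |declaration|
    prop, value = declaration.split(":", 2)
    next if prop.nil? || value.nil?
    prop  = prop.strip.downcase
    value = value.strip
    next unless ALLOWED_CSS_PROPERTIES.include?(prop)
    # Fail closed on anything that could reach a URL, script or escape sequence.
    next if value.match?(/[\\<>]|url\(|expression\(|javascript:|@import/i)
    tokens = value.split(/\s+/)
    next unless tokens.all? { |t| ALLOWED_CSS_KEYWORDS.include?(t.downcase) || SAFE_CSS_VALUE_RE.match?(t) }
    kept << "#{prop}: #{value}"
  end
  kept.join("; ")
end

# Rewrites every style="..." attribute in an HTML string through sanitize_style,
# removing the attribute entirely when nothing survives. Meant to run on HTML
# that has already been through sanitize(..., attributes: %w(style ...)), whose
# serialized attribute values do not contain a raw double quote.
def filter_inline_styles(html)
  html.gsub(/\sstyle\s*=\s*"([^"]*)"/i) do
    clean = sanitize_style($1)
    clean.empty? ? "" : %( style="#{clean}")
  end
end
```

Calling filter_inline_styles on the sanitize output keeps top, left, position and friends while a declaration such as behavior: url(x.htc) or width: expression(...) is dropped; a style attribute that loses all its declarations disappears rather than being left empty.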
Using Struts2, my goal is to present a simple blog to a user using Struts2 iterators, such as:
Most Recent Topic
response 1
response 2
...
Previous Topic
response 1
response 2
...
Users generate and submit each Topic/Response using a separate form, but, once submitted, I don't want them to edit the blog.
To generate either a Topic or a Response, I provide an editor (like the stackoverflow editor I'm using now) that produces html-formatted text, including whatever styling (bold, underlines, lists, etc.) that the user chooses. The text of the Topic/Response created by the user, including the html tags, is stored in a database.
However, I cannot find a way to render the Topic/Response as html in the blog. For example, text bolded in the editor shows up as <strong>text</strong> in a struts2 s:textarea tag.
I know that the s:property tag has an 'escapeHtml' attribute that will prevent this, but the s:property tag can't layout the text properly, and it seems that only the s:property tag has this attribute.
I've tried using <input value="%{#topic.content}" /> within the iterator instead of s:textarea, but it doesn't seem to recognize the #topic iteration reference.
Is there a way to do this?
Use text instead of textarea. Let me know if you are still facing this issue.
Use escapeHtml="false". I just tried it myself and it works as intended.
For example, with:
<s:set var="var1"><p>some stuff</p><p>other stuff</p></s:set>
<s:property value="var1" escapeHtml="false" />
renders the paragraph tags as you would expect.
How about using <pre> with <s:property>.
About html <pre> tag:
http://www.w3schools.com/tags/tag_pre.asp
I'm developing a lot of RadiantCMS applications, and this CMS uses custom radiant tags which are translated to content and html at runtime. So, my HTML templates have a markup like this:
<body>
<div class="content">
<r:content />
</div>
...
</body>
This is all fine, but Rubymine complains about all the <r:content /> tags being invalid html. The effect is that my html-templates are loaded with error-notifications.
I know that you can customize the Rubymine Inspections, and allow Custom HTML Tags, but there are almost unlimited <r:... /> tags available. To add all possibilities in the customtags field would be hours of work and not very flexible, because new tags come and go by the month.
What I want to do is pass in a wildcard for the r: so that all those tags are allowed as valid html tags. I tried some REGEX options but gave me no results.
Does anyone have experience with Rubymine Inspections and how to overcome this issue?
There is a feature to define inspections per Scope. You can add a new Scope for all your project files except these template files (they can be excluded either by directory or name pattern). Then in the Inspection settings you can add this scope and configure the inspection reporting invalid HTML tags to trigger only in the custom scope, not for all the files. As your templates with <r:... /> are excluded from this scope, inspection will not report such files.
It's not ideal, as it will not report other possibly invalid tags in the template files, but right now there is no way to ignore tags by pattern, but you can submit a feature request.
I'd like to have a link generated with BlueCloth that opens in a new window. All I could find was the ordinary [Google](http://www.google.com/) syntax but nothing with a new window.
Ideas?
Regards
Tom
Here is a complete reference for markdown: http://daringfireball.net/projects/markdown/syntax
And since there is no mention of how to set the target attribute, I would believe it is not directly possible, but the reference also says:
For any markup that is not covered by
Markdown’s syntax, you simply use HTML
itself. There’s no need to preface it
or delimit it to indicate that you’re
switching from Markdown to HTML; you
just use the tags.
Source: http://daringfireball.net/projects/markdown/syntax#html
So I would suggest you have to use the HTML syntax for links, like this:
<a href="http://www.google.com/" target="_blank">Google</a>
Update
If you wrap the markdown generated content in a div with a specific id like this:
<div id="some_id">
  <!-- BlueCloth output goes here -->
</div>
and you use jQuery, you can add the following JavaScript:
$('#some_id a').attr('target','_blank');
Or you can save the BlueCloth output in a variable before outputting.
markdown_generated_string.gsub!(/<a\s+/i,'<a target="_blank" ')
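Both the clean_links helper in the nofollow answer further up and the gsub above rewrite every <a> tag with a bare regex, which double-adds attributes on a second pass, ignores an existing rel, and, for target="_blank", leaves the opened page with a window.opener handle on yours. The block below is an added example, not code from either answer, that post-processes already sanitized (or BlueCloth-generated) HTML and marks only off-site links with rel="nofollow noopener" and target="_blank". SITE_HOST and the helper names are assumptions:

```ruby
require "uri"

# Added example, not code from the answers on this page: post-process HTML
# that has already been through sanitize (which strips rel) so outbound links
# get rel="nofollow noopener" and target="_blank". noopener is added because
# target="_blank" on its own exposes window.opener to the opened page.
SITE_HOST = "example.com".freeze # assumed; links to this host stay untouched

# One attribute: name, then optionally = "dq" | 'sq' | bare
ATTR_RE = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/

# Parses the attribute portion of a start tag into an ordered hash.
def parse_attrs(attr_str)
  attr_str.scan(ATTR_RE).each_with_object({}) do |(name, dq, sq, bare), attrs|
    attrs[name.downcase] = dq || sq || bare || ""
  end
end

# True when href points at a host other than site_host or its subdomains.
# Relative URLs and hostless schemes (mailto:) count as internal; an href the
# URI parser rejects is treated as outbound, i.e. the check fails closed.
def external_link?(href, site_host)
  host = URI.parse(href.to_s.strip).host
  return false if host.nil?
  host = host.downcase
  site = site_host.downcase
  !(host == site || host.end_with?(".#{site}"))
rescue URI::InvalidURIError
  true
end

# Rewrites each outbound <a ...> start tag; internal links are left as they
# are. Existing rel tokens are kept, so running this twice changes nothing.
# Assumes sanitizer output, where `>` does not occur inside attribute values.
def mark_outbound_links(html, site_host: SITE_HOST)
  html.gsub(/<a\b([^>]*)>/i) do
    tag, inner = $&, $1
    attrs = parse_attrs(inner)
    next tag unless external_link?(attrs["href"], site_host)
    attrs["rel"] = ((attrs["rel"] || "").split | %w[nofollow noopener]).join(" ")
    attrs["target"] = "_blank"
    rebuilt = attrs.map { |k, v| %(#{k}="#{v.gsub('"', "&quot;")}") }
    "<a " + rebuilt.join(" ") + ">"
  end
end
```

In a view this slots in where the answers put their helpers, after sanitize (or after BlueCloth has produced its HTML) and before html_safe; the site_host keyword is what you would adjust if, as the nofollow answer notes, you only want the treatment on links that leave your domain.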