I am making a web app that integrates the Ace online IDE. A user enters an input through the Ace IDE which is then stored in a database. But when that is then rendered from the database Rails has done some sort of sanitization and the HTML tags are not loaded.
How do I explicitly tell Rails to leave all HTML tags in the tags and not format it (includes tabs and spaces)?
EDIT:
This is what the user inputs:
And this is what it outputs:
Try the raw method. This method outputs without escaping a string
you have to append .html_safe to any string you're returning to the view. By default Rails doesn't trust anything the user might have created.
So
<%= #my_source_code_from_the_db %>
Becomes
<%= #my_source_code_from_the_db.html_safe %>
As #Sam_D mentioned, another option is to wrap your string in a call to raw:
<%= raw(#my_source_code_from_the_db) %>
Turns out it was because I was using simple_format() when I removed that and just simply called <%= #lesson.lesson_content %> it rendered perfectly.
Related
I would like to display the output of "rake:about" inside a Rails view.
Or all equivalent data into a view.
Is it feasible ?
rake about is merely outputting the value of Rails::Info.to_s to stdout. You can thus use this data directly from Rails without invoking rake (neither inline nor via a shellout):
<%= Rails::Info.to_s %>
Since the data is intended for display in a text console, it is not directly suitable for HTML output. You can make it more readable by requesting HTML output with
<%= raw Rails::Info.to_html %>
or by just wrapping the whole block in <pre> tags so that it is shown similar to how it would look on the console:
<pre>
<%= Rails::Info.to_s %>
</pre>
Finally, if you want to format the details yourself, you can get the raw properties shown by Rails::Info as an array of arrays with
Rails::Info.properties
You can use Backticks to execute system command. So inside view it would look like:
<%= `rake about` %>
I have created a blog in rails. I'm a beginner and got quite far, but now I'm stuck with a seemingly minor detail: I can't seem to format the posts (articles).
Here's the relevant part of my show.html.erb:
<p>
<strong>Content:</strong>
<%= simple_format (#article.content) %>
</p>
When I write something and insert html-tags, they are not recognized as such. What am I doing wrong?
Rails will automatically remove html tags to prevent someone from injecting code into your webpage (e.g. malicious javascript)
If your users cannot enter data into #article.content and it's always safe then you can flag it as safe usng the html_safe method.
<%= (simple_format (#article.content)).html_safe %>
Can you post the article content for reference? If I had to guess, I'd imagine Rails is escaping the html tags and inserting them as plain text (so the output looks like: Article content !
Take a look at Rails' helper methods like content_tag (http://apidock.com/rails/ActionView/Helpers/TagHelper/content_tag) and concat (http://apidock.com/rails/ActionView/Helpers/TextHelper/concat) and consider using those to help with generating the appropriate html tags.
An issue to be concerned with is who's going to be supplying the content. For example, if you're writing an application that other people will use, you want to make sure any html give you is escaped to avoid XSS attacks. In that case, you'll want to spend some time reading about how to properly sanitize user input.
You can now specify the tag it gets wrapped in (defaults to p) like so:
<%= simple_format (#article.content, {}, wrapper_tag: "div") %>
or
add white-space: pre-line style.
It will display \r or \n (enter) in user input as a new line.
for more info:
http://apidock.com/rails/v4.0.2/ActionView/Helpers/TextHelper/simple_format
I am using the Rinku rails gem to make URLs linked in any content posted on my website.
I've installed and implemented it but the problem is that the HTML code shows in the view.
Here's a code that I'm using
<%= truncate(Rinku.auto_link(feed_item.content), :length=>400, :omission=>' ...(next page)') %>
Here's a sample output view on my website
hey guys check out my website at www.someURL.com
As you can see, the HTML <a> tags show. What does feed_item.content should be change to for this to work correctly?
Feed_item.content is a text, not a string. It appears that Rinku parses string. Is that the cause of the issue?
The issue is that by default, Rails will escape any html in a string you output in erb (using <%= %>) as a precautionary measure. (If you look at the page source, you should see that your output looks like <a ...> instead of <a ...>.)
To stop this from happening, you can use the .html_safe method to mark that the string is safe to print as html:
<%= truncate(...).html_safe %>
I have a Rails Model called Events which has as field/attribute called :description.
I migrated it under the type t.text rather than t.string since I was going to be displaying a large amount of data.
So.... Now I'm at the point where I would like to display <%= #event.description %> in a neat way and would like to break up some of the sentences rather than one large block of information.
I was hoping I could insert <p> or other html codes to help with how the text is displayed.
The problem is inserting <p> into the field only prints <p> and the not desired action of the html command.
How can I add html styling to the text attribute?
You can use <%=raw #event.description %> to echo unescaped content. Be aware that this is a potential XSS security hole, if users can ever affect that content. I highly recommend using the sanitize helper to strip out any unwelcome markup before you write it out.
It strictly depends on how you print it. In particular, if you print with calling h function (<%= h my_text =>), output will be sanitized and html escaped.
It may also depend on your rails version: I've head in Rails 3 html is escaped by default, even if you don't use h.
I recently made a small rails3 app to convert an old cms written in another language. After migrating the content I am having problems outputting content from the database.
The #content.desc field sometimes has html. Currently the only way I could get it to work was:
<%= sanitize content.desc %>
But is this the best way? When I use <%=h #content.desc %> I can see the html tags still. When I use <%= simple_format #content.desc %> I get wicked spacing.
Is there a definitive guide somewhere where I can see all of the options while outputting content? I've tried to search but can't turn anything up (rails newb, i know).
Any string not marked as "safe" will be HTML-escaped by default in Rails 3. Some methods, such as sanitize, h, link_to and many other helpers return safe strings, thus allowing them to be written literally. See this blog post for more info.
If you know for sure that the HTML contained in #content.desc is safe, you can mark it as such yourself like so: <%= #content.desc.html_safe %>.
Rails 3 has changed HTML sanitisation to be enabled by default. If you're sure that the string you're rendering is safe, you can use
<%= #content.desc.html_safe! %>
Unless I'm mistaken, you shouldn't have to sanitize the content before displaying it, as Rails 3 does that by default. More info here: http://yehudakatz.com/2010/02/01/safebuffers-and-rails-3-0/