I have a text_area tag which allows the user to enter his Bio. When a user is typing and hits enter or return, a new line starts. But when he saves his input, all the text is displayed in one paragraph. I want functionality similar to what Stack Overflow has.
For example - I hit enter now
This text appears on a new line
How can I do this?
This is my code in Rails:
<%= form_for :profile do |profile| %>
  <%= profile.text_area :bio %>
  <%# the block variable is `profile`, so the submit helper must be called on it, not on `f` %>
  <%= profile.submit "Save Bio" %>
<% end %>
You should use a text editor, for example ckeditor (to simplify web content creation), and in the view try simple_format or raw:
<%= simple_format("Here is some basic text...\n...with a line break.") %>
<%= raw("Here is some basic text...<br/>...with a line break.") %>
There are many ways to handle this. When displaying text previously entered in a text area you can:
1. replace newline characters with <br/> tags
2. use the <pre> tag and display the text inside it
3. split the text by newline characters and wrap each chunk in <p> tags
When using approach 1 or 3, make sure to pass the text through the raw helper, so that the tags you added are rendered. Be aware, though, that a user may type arbitrary HTML into the textarea, so your code may be subject to XSS attacks.
I have a text_area in my rails app where users can paste plain text or code. I really don't want to ask the user to choose text or code for me, but want to make it like a WYSIWYG text area.
Right now I use pre tag. This renders code comments ok but makes text comments look visually ugly.
I can use a syntax highlighting gem, but this requires me to know that the pasted text is code.
Q: Are there any inbuilt APIs in rails/ruby to validate whether the value in a text area is code or text?
<% if !comment.content.blank? %>
<p> <pre> <%= simple_format comment.content %></pre> </p>
<% end %>
You can instruct the user to wrap the code section in a specific keyword, for instance {code}.
Then in your template you can extract and decorate the code section:
<%# scan returns an array of captures; flatten/join turns it into a string instead of rendering the array %>
<p><pre><%= comment.content.scan(/\{code\}(.*?)\{code\}/m).flatten.join("\n") %></pre></p>
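An added example, not the answer's own code: a small Ruby parser for the {code} markup the answer suggests, which escapes every segment before wrapping it, so pasted tags can never become live HTML. It uses ERB::Util.html_escape from the standard library in place of Rails' h helper; the {code} marker format and the sample comment are assumptions.

```ruby
require "erb"

# Assumed marker syntax from the answer: {code}...{code} delimits a code section.
CODE_MARKER = /\{code\}(.*?)\{code\}/m

# Split a raw comment into [:text, str] and [:code, str] segments, in order.
def split_comment(content)
  segments = []
  pos = 0
  content.scan(CODE_MARKER) do
    m = Regexp.last_match
    segments << [:text, content[pos...m.begin(0)]] if m.begin(0) > pos
    segments << [:code, m[1]]
    pos = m.end(0)
  end
  segments << [:text, content[pos..]] if pos < content.length
  segments
end

# Build the HTML: every segment is escaped first; text then gets its newlines
# turned into <br/> inside a <p>, code is wrapped in <pre> to keep its layout.
def render_comment(content)
  split_comment(content).map do |kind, body|
    escaped = ERB::Util.html_escape(body)
    if kind == :code
      "<pre>#{escaped}</pre>"
    else
      "<p>#{escaped.gsub(/\r?\n/, "<br/>")}</p>"
    end
  end.join
end

# Constructed sample comment: text, a code section, and an injected script tag.
SAMPLE_COMMENT = "Try this:\n{code}puts '<b>hi</b>'{code}\n<script>alert(1)</script>"

puts render_comment(SAMPLE_COMMENT) if __FILE__ == $0
```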
In my form, I used the span tag like the following:
<%= content_tag :span, f.object.User, class: 'username' %>
It looks like the following in HTML after I selected the value:
<span class="user" style="">Antony</span>
The problem is it doesn't get the value to the database when we create a form. I don't know what the exact problem is. I want to use this content tag instead of text_field to get the value.
Thanks.
When you submit an HTML form, the only values that get POSTed are those that are in input fields such as text fields, selects, checkboxes, buttons, etc. Content that is simply on the page -- in a span or not -- will not get posted back to the server. That isn't a Rails issue, it's just the way HTML works.
I'm not exactly sure what you're trying to do here, but a common approach when you want to display a value (not in an input box) and also post the value back with the form, is to both render the value on the page (in a span or however you want) and also add a hidden input field (hidden_field_tag) that also has the value in it.
Yeah, Jacob is correct. Better to create a hidden field:
<%= f.hidden_field :user, class: 'user' %>
<%= content_tag :span, f.object.User, class: 'username' %>
The first line gets the value. I hope Jacob's answer helps you. :)
I'm trying to show the contents of a field from the database in a <p> element. In the html.erb template the code looks like:
<p><%= front.gsub(/(\r)?\n/, "<br>") %></p> ...
The issue I'm having is that to escape the breaks, I have to apply the .html_safe method at the end of the above gsub, but doing so opens the whole application to XSS attacks. How can I only allow the breaks to be escaped?
You can use the simple_format method.
<%= simple_format(front) %>
More here => http://api.rubyonrails.org/classes/ActionView/Helpers/TextHelper.html#method-i-simple_format
This is based on the simple_format helper. We can use sanitize to remove bad tags that allow XSS attacks.
<%= sanitize(front).gsub(/(\r)?\n/, "<br/>").html_safe %>
You can also use strip_tags if you want to remove all HTML tags before replacing new lines with <br>.
<%= strip_tags(front).gsub(/(\r)?\n/, "<br/>").html_safe %>
Have you considered wrapping the text into <pre>-tags instead? That will keep the basic formatting (newlines, spaces, ...).
I store the linebreaks as "line\n\nline" in the database.
When I am displaying it, I convert it using this method:
def showLineBreaks(from_textarea)
from_textarea.gsub(/\n/,"<br/>")
end
But this renders the text as
line<br><br>line
instead of showing the linebreaks.
What is the right way to do this?
You probably need to flag your content as html_safe for it to display properly, otherwise the view will render it as the string should be displayed.
<%= showLineBreaks(from_textarea).html_safe %>
If you're trying to display newlines saved from text areas, you could do the following in your view:
<%= simple_format from_textarea %>
No need to do manual substitution in this case.
I need to display user comments, omitting HTML to prevent attacks (when custom styled elements can be posted as comments)
The only thing I would like to keep when displaying is the br tag.
I display the comment in this way:
<p class="content"><%=h comment.content.gsub(/\n/,"<br/>") %></p>
The comment is supposed to be saved in the database without any markup.
Line endings are converted to "br" tags.
But, sure, they are gone, because of =h output mode.
Is there a way to kill all HTML except "br" tags?
You could either use sanitize which keeps only specified HTML tags:
<%= sanitize comment.content.gsub(/\n/,"<br/>"), :tags => ['br'] %>
or (in your case preferably) change the order of both and do the html_escape yourself:
<%= html_escape(comment.content).gsub(/\n/,"<br/>") %>
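An added example, not from any of the answers above, showing why the order of escaping and newline replacement matters (the point raised here, in the "approach 1 or 3" answer, and in the gsub/html_safe question above), plus an allowlist variant that keeps only br tags, in the spirit of sanitize with tags: ['br']. ERB::Util.html_escape from the standard library stands in for Rails' html_escape; the sample comment is constructed.

```ruby
require "erb"

# Wrong order: newlines become <br/> first, then the whole string is escaped,
# so the <br/> tags we inserted are rendered as literal text.
def br_then_escape(content)
  ERB::Util.html_escape(content.gsub(/\r?\n/, "<br/>"))
end

# Right order: escape the user's text first, then insert the only markup
# that we generate ourselves. Nothing the user typed survives as a tag.
def escape_then_br(content)
  ERB::Util.html_escape(content).gsub(/\r?\n/, "<br/>")
end

# Allowlist variant: escape everything, then restore only bare <br> / <br/>
# tags the user typed (no attributes allowed), and convert newlines as well.
def keep_only_br(content)
  ERB::Util.html_escape(content)
           .gsub(%r{&lt;br\s*/?&gt;}i, "<br/>")
           .gsub(/\r?\n/, "<br/>")
end

# Constructed sample: a newline, an injected script tag and a typed <br>.
SAMPLE_COMMENT = "hello\n<script>alert(1)</script><br>bye"

if __FILE__ == $0
  puts br_then_escape(SAMPLE_COMMENT)  # <br/> shows up escaped: broken
  puts escape_then_br(SAMPLE_COMMENT)  # real <br/>, script neutralised
  puts keep_only_br(SAMPLE_COMMENT)    # user's <br> kept, script neutralised
end
```

In Rails 3 and later the view auto-escapes, and calling gsub on the SafeBuffer that html_escape returns yields a plain String, so the result of escape_then_br must be marked with html_safe before it is output.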
I'd recommend using the white_list plugin. It's safe against XSS attacks and you will be able to control the list of allowed tags.