I have an video_link attribute.
When a User creates a Listing he can enter a Code (e.g. aabbcc).
I want to render this code inside my iframe link, like so
<iframe src="https://mywebsite.com/aabbcc/"></iframe>
So i tried
<iframe src="https://mywebsite.com/#{#vine.video_link}/"></iframe>
But this didn't work,
What am i doing wrong ?
I'm Getting no Error, but if i inspect the iframe on Page, the Interpolation is not rendering. im seeing just #{#vine.video_link}
Thank you
Oh! I get it... change it to:
<iframe src="https://mywebsite.com/<%= #vine.video_link %>/"></iframe>
You only need to do interp. like that if it's inside ruby code. In this case you're not escaping a string in ruby, you're just putting it in HTML (view).
Example.
If you were in a controller, let's say and had a string that looked like
variable = "<iframe src='https://mywebsite.com/#{#vine.video_link}/'></iframe>"
Edit to correct bad copy/paste job.
Related
So this might sound silly but I'm really stuck. I have an HTML a tag in my cshtml layout view that is supposed to redirect to another cshtml view page. Despite trying different ways to generate the correct path, clicking on the link still returns 404 not found. Can someone please help me with this?
I realized I need to have a method in the controller for every view. Didn't know that before. It's working fine now. :)
You can use the asp-page tag helper to route to another page.
Below is an example:
<td><a class="text-info" asp-page="NameOfPageYouWantRoutedTo" asp-route-id="#Model.ID">#Model.ID</a></td>
Depending on where your new cshtml page is you may have change the filepath, but this should get you close. The asp-route-id tag helper would link whatever value of the link to the new page. Delete that tag helper if not needed.
This is a pretty good link on tag helpers that would be useful for what you're trying to accomplish.
I have comments section in my application where users enter input in a text area. I want to prevent the line breaks they enter but also display html as a string. For example, if comment.body is
Hello, this is the code: <a href='foo'>foo</a>
Bye
I want it to be displayed just as above. The same with anything else, including iframe tags.
The closest I got is:
= simple_format(comment.body)
but it sanitizes html code and it's not displayed. Example: foo <iframe>biz</iframe> bar is displayed as:
foo biz bar
What should I do to achieve what I want?
Just use it without any method, it will be rendered as plain text:
= comment.body
Using your second example, the output will be:
foo <iframe>biz</iframe> bar
To make \n behave as <br>, you can use CSS:
.add-line {
white-space: pre-wrap;
}
And use it in your view:
.add-line = comment.body
Using your first example:
comment.body = "Hello, this is the code: <a href='foo'>foo</a>\n\nBye"
The output will be:
Hello, this is the code: <a href='foo'>foo</a>
Bye
Having done something similar in the past, I think you must first understand why HTML is sanitized from user input.
Imagine I wrote the following into a field that accepted HTML and displays this to the front page.
<script>alert('Hello')</script>
The code would execute for anyone visiting the front-page and annoyingly trigger a JS alert for every visitor.
Maybe not much of an issue yet, but imagine I wrote some AJAX request that sent user session IDs to my own server. Now this is an issue... because people's sessions are being hijacked.
Furthermore, there is a full JavaScript based exploitation framework called BeEF that relies on this type of website exploit called Cross-site Scripting (XSS).
BeEF does extremely scary stuff and is worth taking a look at when considering user generated HTML.
http://guides.rubyonrails.org/security.html#cross-site-scripting-xss
So what to do? Well if you checked in your DB you'd see that the tags are actually being stored, but like you pointed out aren't displayed.
You could .html_safe the content, but again I strongly advise against this.
Maybe instead you should write an alternative .html_safe method yourself, something like html_safe_whitelisted_tags.
As for removing newlines, you say you want to display as is. So replacing /n with <br>, as pointed out by Michael, would be the solution for you.
comment.body.gsub('\n', '<br />').html_safe_whitelisted_tags
HTML safe allows the html in the comment to be used as html, but would skip the newlines, so doing a quick replace of \n with <br /> would cover the new lines
comment.body.gsub("\n", "<br />").html_safe
If you want the html to be displayed instead of rendered then checkout CGI::escapeHTML(), then do the gsub so that the <br /> does not get escaped.
CGI::escapeHTML(comment.body).gsub("\n", "<br />")
I have a URL from a third party site which should be the source of a script tag, something like this:
<script src="<%= #url %>"></script>
The above code shows a webform.
I would like to get the html code resulted by that code and store into a variable, something like this :
html_code = get_html('<script src="<%= #url %>"></script>')
Is that possible using Ruby/Rails (maybe using nokogiri) ?
If you're using jQuery in the browser and that code shows up in a well defined location, for example a <div> with a specific id then you can just grab it using your browser's JavaScript console:
$('#the_id').html()
That will show the raw HTML of that element presuming it dumps its content in an element with the ID the_id. You can use whatever CSS selector works.
Where that HTML goes in your document is impossible to tell from your example. A <script> can add any elements it wants anywhere in your document. You'll have to look around to see where it goes.
Load the page into a browser and then do View/Source in the browser. This will let you view the generated web page and you can find what URL was put into the <script> tag.
I'm working on a pastebin clone. I need the user to be able to type in HTML without it being used like HTML. For example, my user types "<html> Hello, world! </html>", and the html tags don't appear because the text is being treated like HTML. I do not want this to happen.
I want this to happen to this line:
<%=simple_format(#post.content )%>
How could I accomplish this? I tried using raw and .html_safe and they didn't work.
The SanitizeHelper module provides a set of methods for scrubbing text of undesired HTML elements. These helper methods extend Action View making them callable within your template files.
http://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html
I am trying to use the calendar gem in my project (https://github.com/elevation/event_calendar). But when I open the calendar page, it renders the page by showing the html code of the calendar rather than rendering the html. Basically the source for the page generate is like
<div class="ec-calendar">
instead of
.
Can anyone let me know what is going on and how to resolve it.
I assume you are using Rails 3? As a security measure against XSS (Cross Site Scripting), Rails 3 renders html inside of strings as text. If you know the html in your string is safe, call html_safe on it, like
'<div class="ec-calendar">'.html_safe
or
raw '<div class="ec-calendar">'
html_safe I believe, is preferred over raw. Not sure what's different behind the scenes, if anything.