escape html twice in Rails - ruby-on-rails

I am using Bootstrap tooltips for displaying user generated content. But I also use the option html: true because I want to enable html in the tooltip to be able to use some formatting.
Let's say I have user content as follows:
<script>alert('e')</script>
It is escaped server side, put into the title attribute of some div, and sent to the browser like this:
<div title="&lt;script&gt;alert('e')&lt;/script&gt;">Bla</div>
But the browser will unescape the html entities, and when I call the tooltip function on the div, it will have the following title attribute value:
<div title="<script>alert('e')</script>">Bla</div>
Which will cause the alert to be fired. So what I would need is to escape the content of the title attribute twice, so that it's sent like this:
<div title="&amp;lt;script&amp;gt;alert('e')&amp;lt;/script&amp;gt;">Bla</div>
And when tooltip is called, it would still look like this:
<div title="&lt;script&gt;alert('e')&lt;/script&gt;">Bla</div>
So the alert would not be executed.
What is the proper way to do this in Rails? Is there something I am missing here? Please don't tell me to use the option html: false of the tooltip module as I need html formatting.

I would try for HTML:
<div title="<%= escape_javascript("<script>alert(\"e\");</script>") %>">Bla</div>
However I wonder why you want to allow users to inject script tags into the tooltips?
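The following Ruby script is an added example, not code from the question or the answer: it shows what an html: true tooltip receives after the browser decodes the title attribute once, for content escaped once versus twice with ERB::Util.html_escape. USER_CONTENT is a constructed sample.

```ruby
require "erb"
require "cgi"

# Constructed sample of user-generated tooltip content (not from the page).
USER_CONTENT = "<script>alert('e')</script> <b>bold</b>"

# One round of escaping: what ERB's <%= %> does for a normal attribute value.
def escape_once(str)
  ERB::Util.html_escape(str)
end

# Two rounds: after the browser decodes the attribute once, the tooltip
# plugin (html: true) still receives entity-escaped text, not live markup.
def escape_twice(str)
  ERB::Util.html_escape(ERB::Util.html_escape(str))
end

# Simulate the browser parsing the title attribute: entities are decoded once.
def browser_attribute_value(escaped)
  CGI.unescapeHTML(escaped)
end

# The markup the server sends for a given (already escaped) title value.
def tooltip_div(title_value)
  %(<div title="#{title_value}">Bla</div>)
end

# True when the decoded title contains no tag delimiters, i.e. the tooltip
# will show it as text even with html: true.
def inert_in_html_tooltip?(decoded_title)
  !decoded_title.include?("<")
end

if __FILE__ == $PROGRAM_NAME
  [escape_once(USER_CONTENT), escape_twice(USER_CONTENT)].each do |sent|
    seen = browser_attribute_value(sent)
    puts tooltip_div(sent)
    puts "  tooltip receives: #{seen}  inert? #{inert_in_html_tooltip?(seen)}"
  end
end
```

Two rounds of escaping also neutralise the user's own <b>, so formatting survives only if the content is first passed through an allowlist sanitizer (Rails' sanitize helper) and then escaped once for the attribute.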

Related

TinyMCE inline mode showing raw HTML rather than formatted output

I'm attempting to use the inline mode of TinyMCE with an MVC 5 page. I created the HTML content using a TinyMCE editor in the standard mode as follows:
That data is saved back to the database and then retrieved and displayed on a different page. On that page I've set up an instance of TinyMCE to display that content in the inline view as follows:
<div id="myeditablediv">@Model.LongDescription</div>
<script src="~/scripts/tinymce/tinymce.min.js"></script>
<script type="text/javascript">
tinymce.init({
selector: '#myeditablediv',
entity_encoding: 'raw',
inline: true
});
</script>
I'd expected that to show the formatted HTML in a clickable TinyMCE control with no toolbars, but instead it's just showing the raw HTML:
Clicking on the control does switch it into edit mode and the toolbar appears etc:
So it looks like I'm not passing the data to be rendered to the control correctly when setting up the div with <div id="myeditablediv">@Model.LongDescription</div>?
I am guessing that your code is escaping the HTML when inserting it back into the page. I don't know ASP.NET but there is likely something you can do to @Model.LongDescription to have it place the raw HTML into the page.
A quick google search suggests this might be the answer:
@Html.Raw(Model.LongDescription)

Redactor-Rails html tags showing

I'm trying to implement redactor as a WYSIWYG editor with ruby on rails. Everything seems to be working fine except that when I edit text in the editor the html tags show up. This happens even when I use the html button on the toolbar.
So on the webpage the text appears something like this:
<p>Edited text here</p>
I haven't included any code because I'm not really sure where to begin looking with this so any help at all will be appreciated :)
When using a text editor you have to tell your Rails app that the area is html safe.
This is (by default) not the case, as people could attack your site by using a text box you have put into your app.
By declaring an area as html safe you should be able to use the html tags as you like.
Be aware of the security risk of using this.
e.g.
<div class="description">
<%= @foo.foo_desc.html_safe %>
</div>
Hope this clears it up for you.
In your view, try using raw before the text you are trying to show. For example:
<%= raw @post.body %>
This will work out the html tags and show the processed text only, without the tags.

Add html tags in another html tags attribute with Asp.Net MVC Razor

I want to add html tags in another html tag's attribute, like:
<p title="<strong class="cssClass">bold</strong>">
some text
</p>
How can I do this?
Only with encode:
<p title="@HttpUtility.HtmlEncode("<strong class=\"cssClass\">bold</strong>")">
some text
</p>
but you receive:
<strong class="cssClass">bold</strong>
In the browser, title has a default behavior and you cannot change this natively. If you want to format the title property to make a stylish tooltip, you could use a jQuery plugin to do that. Check this link. It shows lots of plugins that do this work.

Use of html in textarea not working correct

My cms is actievadmin and I just installed tinymce for editing in the textarea. When I make changes (bold, paragraph tags etc.) the page shows raw html. In the DB it is stored with the html, but the html is not being rendered.
Does anyone know what this problem is?
Try replacing the output on your page to something like this:
<%= raw @model.content %>

Nesting HTML <span> inside rails form_for label tag?

I want to nest a <span> element inside a form_for label tag. I want to do this so I can target a specific portion of the label with CSS rules, in this case to make the text red. From some quick reading, this does appear to be valid HTML, and it fits with my design even though the idea is not playing happily with Rails.
The desired html output is like this:
<label for="zip">ZIP Code -<span class="required">Required</span></label>
My current code looks like this:
<%= form.label :zip, 'ZIP Code -<span class="required">Required</span>' %>
The problem is that Rails is somehow escaping the inner span tag so that it appears as text on the page instead of HTML. I see this on the page:
ZIP Code -<span class="required">Required</span>
Rails3 automatically escapes strings. You need to call #html_safe on the string you're putting in the label. See http://yehudakatz.com/2010/02/01/safebuffers-and-rails-3-0/ for details.