I have some HTML-encoded text in a database, and when I retrieve it I HTML-decode it. The problem is that the HTML tags are not interpreted, but displayed.
If I have the following paragraph:
<p>
Hello World</p>
It will output:
<p> Hello World </p>
I output the code as following:
@Server.HtmlDecode(Model.Message)
What simple thing might I be missing?
You are missing the Html.Raw helper:
@Html.Raw(Model.Message)
Make sure that you have sanitized the input before, since the Html.Raw helper will output the HTML as-is without encoding.
Related
I have a comments section in my application where users enter input in a text area. I want to prevent the line breaks they enter but also display html as a string. For example, if comment.body is
Hello, this is the code: <a href='foo'>foo</a>
Bye
I want it to be displayed just as above. The same with anything else, including iframe tags.
The closest I got is:
= simple_format(comment.body)
but it sanitizes html code and it's not displayed. Example: foo <iframe>biz</iframe> bar is displayed as:
foo biz bar
What should I do to achieve what I want?
Just use it without any method, it will be rendered as plain text:
= comment.body
Using your second example, the output will be:
foo <iframe>biz</iframe> bar
To make \n behave as <br>, you can use CSS:
.add-line {
white-space: pre-wrap;
}
And use it in your view:
.add-line = comment.body
Using your first example:
comment.body = "Hello, this is the code: <a href='foo'>foo</a>\n\nBye"
The output will be:
Hello, this is the code: <a href='foo'>foo</a>
Bye
Having done something similar in the past, I think you must first understand why HTML is sanitized from user input.
Imagine I wrote the following into a field that accepted HTML and displays this to the front page.
<script>alert('Hello')</script>
The code would execute for anyone visiting the front-page and annoyingly trigger a JS alert for every visitor.
Maybe not much of an issue yet, but imagine I wrote some AJAX request that sent user session IDs to my own server. Now this is an issue... because people's sessions are being hijacked.
Furthermore, there is a full JavaScript-based exploitation framework called BeEF that relies on this type of website exploit called Cross-site Scripting (XSS).
BeEF does extremely scary stuff and is worth taking a look at when considering user generated HTML.
http://guides.rubyonrails.org/security.html#cross-site-scripting-xss
So what to do? Well if you checked in your DB you'd see that the tags are actually being stored, but like you pointed out aren't displayed.
You could .html_safe the content, but again I strongly advise against this.
Maybe instead you should write an alternative .html_safe method yourself, something like html_safe_whitelisted_tags.
As for removing newlines, you say you want to display as is. So replacing \n with <br>, as pointed out by Michael, would be the solution for you.
comment.body.gsub("\n", '<br />').html_safe_whitelisted_tags
HTML safe allows the html in the comment to be used as html, but would skip the newlines, so doing a quick replace of \n with <br /> would cover the new lines:
comment.body.gsub("\n", "<br />").html_safe
If you want the html to be displayed instead of rendered, then check out CGI::escapeHTML(), then do the gsub so that the <br /> does not get escaped.
CGI::escapeHTML(comment.body).gsub("\n", "<br />")
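As an added example (not code from any of the answers above), the following puts together the escape-then-add-markup ordering from the last two answers with the attribute-less tag whitelist the earlier answer sketches as html_safe_whitelisted_tags; SAMPLE_BODY, SAFE_TAGS and the function names are my own, and only Ruby's standard library is used:

```ruby
require "cgi"

# Constructed sample comment (not from the original posts): a literal tag the
# user wants shown as text, a script tag, and newlines that should render.
SAMPLE_BODY = "Hello, this is the code: <a href='foo'>foo</a>\n" \
              "<script>alert('Hello')</script>\nBye"

# Exact tag strings we are willing to re-enable after escaping. Matching the
# literal escaped form means a tag with attributes (onclick=...) never matches.
SAFE_TAGS = ["<b>", "</b>", "<i>", "</i>", "<em>", "</em>",
             "<strong>", "</strong>"].freeze

# Escape first, then add the <br /> we want rendered. Because the markup is
# added after escaping, a user-supplied "<br />" is still shown as text.
def render_as_text_with_breaks(body)
  CGI.escapeHTML(body).gsub("\n", "<br />")
end

# The unsafe ordering: turning the body into markup before escaping (and then
# marking it html_safe) lets every user tag, including <script>, reach the browser.
def render_unsafe(body)
  body.gsub("\n", "<br />")
end

# In the spirit of html_safe_whitelisted_tags: escape everything, then restore
# only exact, attribute-less tags listed in SAFE_TAGS, then add line breaks.
def render_with_whitelisted_tags(body)
  out = CGI.escapeHTML(body)
  SAFE_TAGS.each { |tag| out = out.gsub(CGI.escapeHTML(tag), tag) }
  out.gsub("\n", "<br />")
end

if __FILE__ == $0
  puts render_as_text_with_breaks(SAMPLE_BODY)
  puts render_with_whitelisted_tags("<b>bold</b> and <b onclick='x'>not</b>")
  puts render_unsafe(SAMPLE_BODY)
end
```

In a Rails view the escaped results are the ones you would mark with html_safe, since the only markup left in them is the markup the helper itself added.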
I have created a blog in rails. I'm a beginner and got quite far, but now I'm stuck with a seemingly minor detail: I can't seem to format the posts (articles).
Here's the relevant part of my show.html.erb:
<p>
<strong>Content:</strong>
<%= simple_format(@article.content) %>
</p>
When I write something and insert html-tags, they are not recognized as such. What am I doing wrong?
Rails will automatically remove html tags to prevent someone from injecting code into your webpage (e.g. malicious javascript).
If your users cannot enter data into @article.content and it's always safe, then you can flag it as safe using the html_safe method.
<%= simple_format(@article.content).html_safe %>
Can you post the article content for reference? If I had to guess, I'd imagine Rails is escaping the html tags and inserting them as plain text (so the output looks like: Article content !).
Take a look at Rails' helper methods like content_tag (http://apidock.com/rails/ActionView/Helpers/TagHelper/content_tag) and concat (http://apidock.com/rails/ActionView/Helpers/TextHelper/concat) and consider using those to help with generating the appropriate html tags.
An issue to be concerned with is who's going to be supplying the content. For example, if you're writing an application that other people will use, you want to make sure any html given to you is escaped to avoid XSS attacks. In that case, you'll want to spend some time reading about how to properly sanitize user input.
You can now specify the tag it gets wrapped in (defaults to p) like so:
<%= simple_format(@article.content, {}, wrapper_tag: "div") %>
or
add white-space: pre-line style.
It will display \r or \n (enter) in user input as a new line.
For more info:
http://apidock.com/rails/v4.0.2/ActionView/Helpers/TextHelper/simple_format
Realized that if I put HTML code in a rails text area, it will output the html.
For instance:
<b> Hello </b>
outputs as:
Hello
I thought rails 3 text inputs automatically escape HTML, but whenever I output @variable.textarea, it still shows the bold text. Is it being selective about what HTML to input? And how do I make sure all HTML is always escaped when I output the content of my textarea?
Thanks!
If <b>hello</b> comes out as hello, that means HTML escaping is already prevented.
Since you don't want users to be able to use HTML in their inputs, you want HTML to be escaped, so that <b>hello</b> comes out as <b>hello</b>.
In a Rails 3 app, html automatically gets escaped - but you can explicitly escape it using the h method:
<%= h my_string %>
I am using the Rinku rails gem to make URLs linked in any content posted on my website.
I've installed and implemented it but the problem is that the HTML code shows in the view.
Here's the code that I'm using:
<%= truncate(Rinku.auto_link(feed_item.content), :length=>400, :omission=>' ...(next page)') %>
Here's a sample output view on my website
hey guys check out my website at www.someURL.com
As you can see, the HTML <a> tags show. What should feed_item.content be changed to for this to work correctly?
feed_item.content is a text, not a string. It appears that Rinku parses strings. Is that the cause of the issue?
The issue is that by default, Rails will escape any html in a string you output in erb (using <%= %>) as a precautionary measure. (If you look at the page source, you should see that your output looks like &lt;a ...&gt; instead of <a ...>.)
To stop this from happening, you can use the .html_safe method to mark that the string is safe to print as html:
<%= truncate(...).html_safe %>
I want to nest an element inside a form_for label tag. I want to do this so I can target a specific portion of the label with CSS rules, in this case to make the text red. From some quick reading, this does appear to be valid HTML, and it fits with my design even though the idea is not playing happily with Rails.
The desired html output is like this:
<label for="zip">ZIP Code -<span class="required">Required</span></label>
My current code looks like this:
<%= form.label :zip, 'ZIP Code -<span class="required">Required</span>' %>
The problem is that Rails is somehow escaping the inner span tag so that it appears as text on the page instead of HTML. I see this on the page:
ZIP Code -<span class="required">Required</span>
Rails 3 automatically escapes strings. You need to call #html_safe on the string you're putting in the label. See http://yehudakatz.com/2010/02/01/safebuffers-and-rails-3-0/ for details.