I am trying to use the calendar gem in my project (https://github.com/elevation/event_calendar). But when I open the calendar page, it renders the page by showing the html code of the calendar rather than rendering the html. Basically the source for the page generate is like
<div class="ec-calendar">
instead of
.
Can anyone let me know what is going on and how to resolve it.
I assume you are using Rails 3? As a security measure against XSS (Cross Site Scripting), Rails 3 renders html inside of strings as text. If you know the html in your string is safe, call html_safe on it, like
'<div class="ec-calendar">'.html_safe
or
raw '<div class="ec-calendar">'
html_safe I believe, is preferred over raw. Not sure what's different behind the scenes, if anything.
Related
I'm trying to implement redactor as a WYSIWYG editor with ruby on rails. Everything seems to be working fine except that when I edit text in the editor the html tags show up. This happens even when I use the html button on the toolbar.
So on the webpage the text appears something like this:
<p>Edited text here</p>
I haven't included any code because I'm not really sure where to begin looking with this so any help at all will be appreciated :)
when using a text editor you have to tell your rails app that the area is html safe.
This is (by default) not the case as people could attack your site by using a text box you have put into your app.
by declaring an area as html safe you should be able to use the html tags as you like.
be aware of the security risk for using this.
e.g.
<div class="description">
<%= #foo.foo_desc.html_safe%>
</div>
Hope this clears it up for you.
in your view try using raw before the text you are trying to show. For example
<%= raw #post.body %>
this will work out with the html tags and show the processed text only without the tags.
With a grails app and from a local database, I'm returning some text in a xml format.
I can return it well formed in a <textarea></textarea> tag with the correct indenting (tabulation, line return,...etc.)
I want to go a bit further. In the text I'm returning, there are some <img/> tags and I'd like to replace those tag by the real images themselves.
I searched around and found no solution as of now. I understood that you can't add an image to a textarea (other then in a background), and if I choose a div tag, I won't have the indenting anymore (and therefore, harder to read)
I was wondering if using a <g:textField/> or an other tag from the grails library will do the trick. And if so, How can I append them to a page using jquery.
For example, how to append a <g:textField/> in jquery. It doesn't interpret it and I get this error
SyntaxError: missing ) after argument list [Break On This Error]...+doc).append("<input type="text" id="FTMAP_"+nb_sec+"" ...
And in my javascript file, I have
$("#FTM_"+doc).append("<g:textField id='FTMAP_"+nb_sec+"' ... />
Any possible solutions ?
EDIT
I did forget to mention that my final intentions are to be able to modify the text (tags included) and to have a nice and neat indentation so that it is the easiest possible for the end user.
You are asking a few different questions:
1. Can I use a single HTML tag to include images inside pre-formatted text.
No. You will have to parse the text and translate it into styled text yourself.
2. Is there a tag in the grails standard tags to accomplish this for me?
No.
3. How can I add grails tags from my javascript code.
Grails tags are processed on the server-side, and javascript is processed on the client. This means you cannot directly add grails tags via javascript.
There are a couple methods that can accomplish the same result, however:
You can set a javascript variable to the rendered content of a grails tag. This solution is good for data that is known at the time of the initial request.
var tagOutput = "${g.textField(/* etc */)}";
You can make an ajax request for the content to be added. Then your server-side grails code can render the tags you need. This is better for realtime data, or data that will be updated more than once on a single rendered page.
I'm working on a pastebin clone. I need the user to be able to type in HTML without it being used like HTML. For example, my user types "<html> Hello, world! </html>", and the html tags don't appear because the text is being treated like HTML. I do not want this to happen.
I want this to happen to this line:
<%=simple_format(#post.content )%>
How could I accomplish this? I tried using raw and .html_safe and they didn't work.
The SanitizeHelper module provides a set of methods for scrubbing text of undesired HTML elements. These helper methods extend Action View making them callable within your template files.
http://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html
I have MVC 1.0 app on VS2008.
I have webpage that has a search form fields and then when search button clicked uses
Ajax.BeginForm to load results in a div. Works great!
But the results have a pager that just uses an anchor with href passing in page index to controller action.
Of course the same action that is used when the search button is clicked.
So what happens is the results are displayed in new page by themselves. Because the links
are not called using Ajax.
So how can I structure my views and actions so that when a link is clicked in the pager
that the form is submitted to the action as well as the page index for the results??
Do you understand me??
Malcolm
I think I understand what you are saying.
Currently, you're using Ajax to dynamically update your results to a div. Kewl.
The trick here is to make sure each 'page' in the pager has a similar javascript function defined on the onclick event. This way, the pager doesn't do a 'postback' to the server, but the javascript method is ran ... which calls some ajax.
here's some sample html...
<a href="#" onclick="DoPagedSearch(1)>1</a> |
<a href="#" onclick="DoPagedSearch(2)>2</a> .. etc
does this make sence? make sure the pager is NOT inside a form AND notice the '#' characters? that makes sure that when u click on the text, it doesn't try and goto another HTML page, elsewhere.
Do you know how to wire up any javascript to an html element? How do u create the html code for the pager?
try that and keep us posted.
Use jquery to have the page anchors make an ajax call to the controller. Return the results as JSON or xhtml or whatever format makes you feel happy and use that to replace the content of the div, or build up and replace the contents if JSON.
If you haven't dug into jquery, I highly recommend it. The documentation is rather excellent. Let me provide you a few useful links for this:
JSON.net serializer
jQuery Documentation
fair example of using jquery for paging
The example uses an rss feed (xml) as the source, but It should get you going.
I am using FckEditor in Create.aspx page in asp.net mvc application.
Since I need to show rich text in web pages, I used ValidateInput(false) attribute top of action method in controller class.
And I used Html.Encode(Model.Message) in Details.aspx to protect user's attack.
But, I had result what I did not want as following :
<p> Hello </p>
I wanted following result not above :
Hello
How can I show the text what user input?
Thanks in advance
The short answer is that HTMLEncode is making your markup show like that. If you don't HTMLEncode, it will do what you want.
You need to think about whether or not you need full control of markup, who is entering the markup, and if an alternative like BBCode is an option.
If your users using the editor are all sure to be 'safe' users, then XSS isn't likely to be as much a concern. However, if you are using this on a comment field, then BBCode, or something like SO itself uses is more appropriate.
You wont be able to use a WYSIWYG editor and do HTMLEncode though... (without BBCode, or some other token system)
It seems the user entered "<p> Hello </p>" (due to pressing Enter?) into the edit control, and it is displaying correct in the HTML as you have done an Html.Encode. E.g. the paragrahs are not rendered, they are outputted as "<p>..</p>" as the string is HTML encoded into something like "<p> Hello <p>".
If you do not want tags, I would suggest searching the text string for tags (things with <...>) and removing them from the inputted text. Do this before HTML.Encode.
...or am I missing something?
You can use HttpServerUtility.HtmlEncode(String)