I'm not such a fan of using datetime_select. I think it renders ugly and isn't easy to deal with on post back.
How do most people deal with it? Wouldn't it be easier to use a plain textbox and use javascript to validate the input as a date? I will be persisting it as a DateTime value.
I used a text box with a jquery datepicker and all was well in the universe.
Related
Experimenting with my Rails form, I find that inserting <scrip>alert("hello")</script> into a text_field gives me two different results.
When I use the value, for example in a display page, it is automagicaly escaped.
When I use the value in a new form, for example to allow user editing, it is not escaped and I get the alert pop-up.
After a lot of research, I have found that text_area has an escape boolean that prevents this, but not text_field. Most of the stuff coming up on google is about escaping within erb templates, which does not appear to work when using a form. There are a couple of hints that data should be sanitized going into the db, but little guidance on the best way to do this --- aside from using old solutions for example xssterminate which appears to date back to Rails 2. Even the RoR security guide focuses on sanitizing erb output rather than santizing the input.
Two questions.
What is the current best-practice approach to sanitizing text_field input before it is saved? (eg: in the form, the controller or the model. What gems are still considered current?)
Regardless, because I am paranoid, how do you sanitize the text_field when displaying db data?
The loofah-activerecord gem (https://github.com/flavorjones/loofah-activerecord) looks like your best bet for sanitizing data on its way into the database. Using xss_foliate on your models will strip tags for all columns by default.
e.g.
class User < ActiveRecord::Base
xss_foliate
...
end
I haven't found a solution to the 2nd point, but would be very keen to know about it if there is one!
I am using the date_field_tag.
<%= date_field_tag :date_from, value = nil, options = {} %>
The date picker is displayed in English, with the machine locale set to is.I am wondering if it is possible to translate the date picker text using I18n.t? Or is this not possible since the date picker is provided by the browser?
The Rails helper date_field_tag generates an input field with a type of "date", but it's not a widely supported field type. You can either let the browser render the field and hope for the best, or use a polyfill to provide support for users who don't have a browser with the functionality. You could also use something like the jQuery UI datepicker for everybody, regardless of whether the browser supports date fields or not.
Your options for translating the control depend on which approach you take. If the browser is drawing the calendar widget, you can't control the language it uses. If you're providing a calendar widget via JavaScript, then you can - it's just HTML, after all. jQuery's datepicker provides a lot of localisation options.
You can try out how your browser displays native date-related fields in this JSFiddle.
is there any way (or plugin) to display editable combobox? I have a set of options, but I would like to give possibility to enter custom value.
I've searched the documentation, and I can't find way to do this. I made workaround with javascript, but I'm looking for more elegant solution.
I'm pretty sure that there simply is no HTML form element that does this, and so Rails can't provide you with a helper. As you said, you can work with JS to create something similar (and there should be JS libraries/plugins already out there), or you could just use a select element and add a text field next to it for new values.
HTML5 specification doesn't define such an element. So you may either continue using JS, either try to use autocomplete feature of an input element (although it is not exactly what you want and doesn't compatible with old browsers).
Anyone who's done anything much with PHP and receiving rich-text input from something like TinyMCE has (probably) used something like HTMLPurifier to keep the nasties out of the HTML you're intentionally allowing the user to submit.
For example, HTMLPurifier will take a string of (potentially malformed) HTML and strip out disallowed elements and attributes, try to fix broken HTML, and in some cases convert things like <i> to <em>.
Does anything equivalent exist for Rails (3)? What's the generally accepted way to sanitize input from rich text editors in Rails so that you can output the unescaped HTML onto a web page and know that stuff like <style> and <script> tags have been taken out of it and it's not going to break your page (or steal your cookies!)?
EDIT | Anybody used Sanitize? Any other options with pro's & con's?
You can use the sanitize method.
sanitize(html)
There is also a Sanitize gem.
Sanitize.clean(html)
I tend to prefer the Sanitize gem because it can be used as a before_save filter in your models instead of having to use the sanitize method in each of your views.
I am using FckEditor in Create.aspx page in asp.net mvc application.
Since I need to show rich text in web pages, I used ValidateInput(false) attribute top of action method in controller class.
And I used Html.Encode(Model.Message) in Details.aspx to protect user's attack.
But, I had result what I did not want as following :
<p> Hello </p>
I wanted following result not above :
Hello
How can I show the text what user input?
Thanks in advance
The short answer is that HTMLEncode is making your markup show like that. If you don't HTMLEncode, it will do what you want.
You need to think about whether or not you need full control of markup, who is entering the markup, and if an alternative like BBCode is an option.
If your users using the editor are all sure to be 'safe' users, then XSS isn't likely to be as much a concern. However, if you are using this on a comment field, then BBCode, or something like SO itself uses is more appropriate.
You wont be able to use a WYSIWYG editor and do HTMLEncode though... (without BBCode, or some other token system)
It seems the user entered "<p> Hello </p>" (due to pressing Enter?) into the edit control, and it is displaying correct in the HTML as you have done an Html.Encode. E.g. the paragrahs are not rendered, they are outputted as "<p>..</p>" as the string is HTML encoded into something like "<p> Hello <p>".
If you do not want tags, I would suggest searching the text string for tags (things with <...>) and removing them from the inputted text. Do this before HTML.Encode.
...or am I missing something?
You can use HttpServerUtility.HtmlEncode(String)