Sanitizing input for display in view when using simple_format - ruby-on-rails

I'm trying to figure out the right way to display comments such that newlines and links are displayed. I know that usually you should display user input only when escaping HTML with h(). That of course won't display newlines or links, so I found the simple_format and auto_link methods.
What I am now doing is: simple_format(sanitize(auto_link(comment.text)))
Is this the right way to do this, and is it still safe from XSS attacks?
Thanks!
Eric

Have a look at the last ryanb screencast, XSS Protection in Rails 3.
Cheers
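The pipeline Eric asks about, written out in plain Ruby as an added example (this is not Rails' code and not from the thread; `link_urls` and `format_paragraphs` are my stand-ins for auto_link and simple_format, and the sample comment is constructed). It uses only `ERB::Util.html_escape` from the standard library, and it shows the property that makes the escape-first order safe: once the text is escaped, a URL can never contain a raw quote or angle bracket, so the anchor's href attribute cannot be broken out of. It also covers the later thread about auto_link and simple_format, including the "opens in a new window" requirement. The second render function shows what happens when the order is reversed, which is why the question comes up at all.

```ruby
require "erb"

# Constructed sample comment (not from the thread): a URL carrying a script
# tag, a quote inside a URL, and a blank line separating two paragraphs.
SAMPLE_COMMENT = "Check this out: http://example.com/?q=<script>alert(1)</script>\n" \
                 "and http://example.com/a\"b\n\nSecond paragraph <b>bold</b>"

# Matches a bare http(s) URL. Because it runs on already-escaped text, a raw
# quote or angle bracket can never appear inside the match.
URL_RE = %r{https?://[^\s<>"']+}

# Step 1: escape first. After this, nothing the user typed is markup.
def escape_text(text)
  ERB::Util.html_escape(text)
end

# Step 2: stand-in for auto_link (assumption: not Rails' implementation).
# Wraps each URL in an anchor that opens in a new window; the href is built
# from escaped text, so the attribute cannot be closed early.
def link_urls(escaped)
  escaped.gsub(URL_RE) do |url|
    %(<a href="#{url}" target="_blank" rel="noopener nofollow">#{url}</a>)
  end
end

# Step 3: stand-in for simple_format (assumption: not Rails' implementation):
# blank lines become paragraph breaks, single newlines become <br />.
def format_paragraphs(html)
  html.split(/\n\s*\n/).map do |para|
    "<p>#{para.strip.gsub("\n", "<br />\n")}</p>"
  end.join("\n")
end

# The safe order: escape, then add only the markup you generated yourself.
def render_comment(text)
  format_paragraphs(link_urls(escape_text(text)))
end

# The order that loses the links: linking first and escaping afterwards turns
# the generated anchors back into visible text (and the regex stops at the
# first raw '<', so the script tag is never part of a URL either way).
def render_links_then_escape(text)
  format_paragraphs(escape_text(link_urls(text)))
end

if __FILE__ == $PROGRAM_NAME
  puts render_comment(SAMPLE_COMMENT)
end
```

In Rails terms this is `simple_format(auto_link(h(text)))` with the helpers doing their own escaping; the thread's `simple_format(sanitize(auto_link(text)))` relies instead on sanitize removing whatever auto_link's regex let through, which is why the order of the calls matters.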

Related

How do I remove HTML tags from within a text area using MVC 3?

I have difficulty getting a value from a text area of the CKEditor when I save something that has nothing inside the textarea HTML tag. In this case, it puts this text inside:
<html>\r\n\t<head>\r\n\t\t<title></title>\r\n\t</head>\r\n\t<body>\r\n\t</body>\r\n</html>\r\n"
Is there some way to strip off all these HTML tags?
I'm using MVC 3, and I've researched something about Content(Server.HtmlEncode), but I'm still not 100% sure whether this is the best way to do this kind of treatment.
I found a class, linked below, that looks like it should solve your problem. Just add it to your solution and you can then call it statically to strip the HTML.
This kind of assumes that you want to do the stripping of HTML on the server side.
On a side note, not accepting answers the way you are doing is hazardous to people's willingness to help... I'd recommend that you reward the people who are helping you if you'd like to continue getting help!
Link to Solution
@Html.DisplayTextFor(modelItem => item.content)

trouble using tinymce using ruby on rails

I am having trouble using the TinyMCE editor with Rails 3. I want to show text in bold letters and am having trouble using tags; for example, when I write something in p tags it should go to the next paragraph. In my case the tags are not working: the text remains on the same line and the p tags are displayed on the site page.
The usual suspect when it comes to Rails 3 printing raw HTML output to the site is that someone forgot to call html_safe on whatever text should be printed.
So if you have a @my_model_instance.description that you edit with TinyMCE, you might want to make the view look like @my_model_instance.description.html_safe, or, as they suggest in the comment on the documentation, raw(@my_model_instance.description).
If the text is coming from user input, however, you might want to be a bit cautious, since it might be possible for users to input all sorts of nasty injection hacks this way.
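To make the caution in that answer concrete, here is an added example (my code, not the project's and not from the thread) of the middle ground between escaping everything, which turns the editor's `<p>` tags into visible text, and `html_safe`, which renders whatever the user saved. It is a toy allowlist sanitizer in plain Ruby that stands in for Rails' `sanitize` helper: tags on the allowlist are re-emitted without any attributes, everything else is escaped. The assumption is that dropping attributes is acceptable for editor output; in a real application you would call `sanitize` with its own tag and attribute allowlists rather than this stand-in.

```ruby
require "erb"

# Tags a rich-text editor such as TinyMCE may emit and that are rendered as
# markup. Everything else is escaped. Attributes are dropped entirely, which
# is what removes onclick= handlers and javascript: hrefs.
ALLOWED_TAGS = %w[p br b strong i em u ul ol li].freeze

# One opening or closing tag: optional slash, tag name, anything up to '>'.
TAG_RE = %r{<(/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*>}

# Toy allowlist sanitizer (assumption: stands in for Rails' sanitize helper,
# which should be used in a real app). Text between tags is escaped, allowed
# tags are re-emitted bare, unknown tags are escaped so they show as text.
def allowlist_sanitize(html)
  out = +""
  pos = 0
  html.scan(TAG_RE) do
    m = Regexp.last_match
    out << ERB::Util.html_escape(html[pos...m.begin(0)])
    closing, name = m[1], m[2].downcase
    out << if ALLOWED_TAGS.include?(name)
             "<#{closing}#{name}>"
           else
             ERB::Util.html_escape(m[0])
           end
    pos = m.end(0)
  end
  out << ERB::Util.html_escape(html[pos..-1])
  out
end

# What Rails does by default when html_safe is not called: every tag, including
# the editor's <p> and <b>, is shown as literal text on the page. This is the
# symptom described in the question.
def escape_everything(html)
  ERB::Util.html_escape(html)
end

if __FILE__ == $PROGRAM_NAME
  sample = '<p onclick="alert(1)">Hello <b>bold</b></p><script>alert(1)</script>'
  puts escape_everything(sample)
  puts allowlist_sanitize(sample)
end
```

The output of `allowlist_sanitize` is the string you would then pass to `raw` or mark `html_safe`; the output of `escape_everything` is what the view produces if you do neither.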

rails 3 internationalization / localization - embeddings links in translated text

I need to embed links in my translated texts. I followed this post, but it doesn't seem to work in Rails 3 anymore, as the HTML tags don't get rendered properly.
Does anyone know how to get this done in Rails 3?
Update:
Apparently, the HTML tags can be escaped by using the html_safe method. But does anyone know if there's another way to solve this problem without using html_safe?
I would like to avoid unescaping my HTML tags if possible, because I've encountered a situation where I have to pass a text field into my translation, and I would like to avoid unescaping any strings that are user-inputted.
Change {{url}} to %{url} and you should be good to go.
Update
Ok, thanks, that's important information about what "doesn't work" means :) So, you need to call the html_safe method on your call to link_to, eg.
link_to(t("log_in_href"), login_path).html_safe
This will tell Rails to render the HTML, not escaped.
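The pattern the two halves of this thread describe, as an added example in plain Ruby (my code, not the project's; the translation table is a constructed stand-in for a locale file and `t` is a minimal stand-in for I18n.t, since `String#%` understands the same `%{name}` references). The point it demonstrates is the asker's concern in the update: when a translation that contains markup is interpolated with a user-supplied field, escape that field first, and only then treat the assembled string as safe. Rails' own convention of keys ending in `_html` applies the same rule automatically, escaping interpolated values that are not already html_safe.

```ruby
require "erb"

# Constructed translation table standing in for config/locales/en.yml
# (assumption: a plain Ruby hash, not the I18n gem). %{...} is the Rails 3
# interpolation syntax the answer above recommends instead of {{...}}.
TRANSLATIONS = {
  "welcome_html" => "Welcome back, %{name}! Please %{link} to continue."
}.freeze

# Minimal stand-in for I18n.t: looks up the key and interpolates named values
# with String#%, which understands %{name} references.
def t(key, vars)
  TRANSLATIONS.fetch(key) % vars
end

# Markup built by the application (assumption: login_url would come from the
# router, e.g. login_path). The href and label are escaped anyway in case the
# URL carries a query string with user data.
def login_link(login_url, label)
  %(<a href="#{ERB::Util.html_escape(login_url)}">#{ERB::Util.html_escape(label)}</a>)
end

# Escape the user-controlled field before it goes into the translation; only
# then is the assembled string safe to hand to the view unescaped (html_safe).
def render_welcome(user_name, login_url)
  t("welcome_html", name: ERB::Util.html_escape(user_name),
                    link: login_link(login_url, "log in"))
end

# What goes wrong if the raw field is interpolated and the whole string is
# then marked html_safe: the user's markup is rendered as-is.
def render_welcome_unescaped(user_name, login_url)
  t("welcome_html", name: user_name, link: login_link(login_url, "log in"))
end

if __FILE__ == $PROGRAM_NAME
  puts render_welcome("<b>Mallory</b>", "/login")
  puts render_welcome_unescaped("<b>Mallory</b>", "/login")
end
```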

Rails - Given a block of text, auto-link links

On my site I have the ability to add comments. Sometimes users enter comments with links (href ...).
I would like those links to be clickable/linkable (a href) when the comment is displayed to users.
How, with Rails 3, can I take a comment, look for links and then wrap those links in an a href tag that opens in a new window?
Thanks
The simplest way is to use the auto_link method built into Rails.
Note: In Rails 3.1 auto_link has been moved into a separate gem.
idlefinger's suggestion of #auto_link is perfect. I know it's not the question you originally posed, but wanted to suggest: also check out #simple_format, which will nicely format your users' use of newlines into br and p tags.

Wiki-like formatting in Rails

I've forgotten the name of this library. But it's sort of like a Wiki: you type certain characters in front of your text, and then it makes the text bold/italic/underlined.
I'm not asking for the way Wiki is formatted, but I'm aware there is something similar built into Rails. It's on the tip of my tongue. Thanks.
Are you looking for the textilize view helper? In your view, just say:
<%= textilize( post.body_text ) %>
Many of these are implemented in Ruby:
Comparison of lightweight markup languages
I like Markdown, through RDiscount.
RedCloth does this. It gives you textile markup (which is among the markup languages listed in Daniel's answer).
http://redcloth.org/