panzhuli

Reputation: 2940

Rails 3 HTML escaping and WYSIWYG Editor - html showing in view

I've read http://yehudakatz.com/2010/02/01/safebuffers-and-rails-3-0/ and http://asciicasts.com/episodes/204-xss-protection-in-rails-3 and I'm pretty confused. I've tried the solution in asciicasts about escaping and then typing content as html_safe. I'm not sure what I'm doing wrong.

I'm using a WYSIWYG editor that updates a Post with Content.

```ruby
def create
  # Builds the Post straight from the submitted form params (the editor's HTML lands in post[:content])
  @post = Post.new(params[:post])

  respond_to do |format|
    if @post.save
      format.html { redirect_to(@post, :notice => 'Post was successfully created.') }
    else
      format.html { render :action => "new" }
    end
  end
end
```

VERY out of the box. Now, when I enter some content, i.e. "<p>hello, world</p>", that exact string appears in my view (I'm using a partial, fwiw).

```erb
<%= scrub post.content %>
```

where my application_helper.rb file has this method:

```ruby
def scrub(content)
  # h() escapes every tag in content, so the stored HTML is rendered as literal text;
  # html_safe only marks the surrounding <strong> wrapper as safe
  "<strong>#{h(content)}</strong>".html_safe
end
```

When I throw in "<script>mal</script>", it escapes the script. Why is the HTML showing up on the view? Here's what it looks like in the view:

```html
<p>hello, world &lt;script&gt;mal&lt;/script&gt;</p>
```

Can anyone point me in the right direction? I want to allow users to do simple content formatting where the site will display rendered HTML (like this site), but keep myself safe from scripts.

Upvotes: 1

Views: 1583

Answers (2)

AGirlThatCodes

Reputation: 585

Try putting .html_safe at the end of it. I found this answer when I was looking for a solution for myself. (Sorry, I realized this was an old question, but for others.)

Rails 4 WYSIWYG Bootsy not displaying formatting

Upvotes: 1

Sam Ruby

Reputation: 4340

Sounds like you might want to look at sanitize, which has three built in modes and is customizable.

Upvotes: 1
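To show what an allowlist sanitizer does with the question's input, here is an added example in plain Ruby; it is not Rails' sanitize helper (use that in a real app), and the tag list and the http(s)-only href rule are this example's own choices.

```ruby
require 'cgi'

# Allowlist: tag => attributes that may survive. Everything else is escaped.
# (Values chosen for this example; Rails' sanitize helper ships its own lists.)
ALLOWED_TAGS = {
  'p' => [], 'strong' => [], 'em' => [], 'br' => [], 'a' => ['href']
}.freeze
SAFE_HREF = %r{\Ahttps?://}i                       # only http(s) links survive
TAG_RE    = %r{<(/?)([a-zA-Z][a-zA-Z0-9]*)([^<>]*?)/?>}
ATTR_RE   = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/

# Rebuilds a tag from scratch using only allowlisted names and attributes;
# unknown tags (script, iframe, img, ...) are escaped so they render as text.
def render_tag(m)
  closing, name, attrs = (m[1] == '/'), m[2].downcase, m[3]
  allowed_attrs = ALLOWED_TAGS[name]
  return CGI.escapeHTML(m[0]) unless allowed_attrs
  return "</#{name}>" if closing
  kept = attrs.scan(ATTR_RE).map do |key, dq, sq|
    key = key.downcase
    val = dq || sq
    next unless allowed_attrs.include?(key)
    next if key == 'href' && val !~ SAFE_HREF
    %( #{key}="#{CGI.escapeHTML(val)}")
  end.compact
  "<#{name}#{kept.join}>"
end

# Text between tags is treated as plain text and escaped (existing entities
# are re-escaped and tag balancing is not tracked; both are deliberate limits).
def sanitize_html(html)
  out = +''
  pos = 0
  while (m = TAG_RE.match(html, pos))
    out << CGI.escapeHTML(html[pos...m.begin(0)])
    out << render_tag(m)
    pos = m.end(0)
  end
  out << CGI.escapeHTML(html[pos..])
end

if __FILE__ == $PROGRAM_NAME
  puts sanitize_html('<p>hello, world <script>mal</script></p>')
  # => <p>hello, world &lt;script&gt;mal&lt;/script&gt;</p>
end
```

The result is already safe to mark with html_safe, because every tag in it was rebuilt by the sanitizer rather than copied from user input.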
