Rich text area?


#1

Hi all,

I am trying to add an article editing interface to my future webstore,
and I am wondering what to use for text formatting.

I would like to avoid using HTML, and calibre-bbcode just won’t work
(see my last post).

Is there some kind of library for live text formatting right in the
browser? I would just need bold, italics, size and ul lists… Do you
know of a good solution?

Thank you very much
Nauhaie


#2

In fact, what I would like is a ROR equivalent for
http://www.kevinroth.com/rte/demo.php

Thank you!
Nauhaie


#3

Use TinyMCE.

I’ve implemented it with a helper function in most of my applications:

  1. Download TinyMCE from the website and stick the .js files in the
    javascript directory.
  2. Include this in your application_helper.rb

# TinyMCE helpers

def javascript_include_tinymce
  javascript_include_tag "tiny_mce/tiny_mce"
end

def include_tiny_mce
  # Emits the script include followed by the TinyMCE init call. The
  # single-quoted Ruby string lets the JavaScript inside use double quotes.
  "#{javascript_include_tinymce}" +
  '<script language="javascript" type="text/javascript">
    tinyMCE.init({
      mode : "textareas",
      theme : "advanced",
      plugins : "advhr,advimage,advlink,preview,searchreplace,print",
      theme_advanced_buttons2_add : "separator,insertdate,inserttime,prev", // value cut off in the original post
      theme_advanced_buttons3_add_before : "tablecontrols,separator",
      theme_advanced_toolbar_location : "top",
      theme_advanced_toolbar_align : "left",
      theme_advanced_path_location : "bottom",
      plugin_insertdate_dateFormat : "%Y-%m-%d",
      plugin_insertdate_timeFormat : "%H:%M:%S",
      extended_valid_elements : "a[name|href|target|title|onclick],img[cl", // value cut off in the original post
      external_link_list_url : "example_data/example_link_list.js",
      external_image_list_url : "example_data/example_image_list.js",
      flash_external_list_url : "example_data/example_flash_list.js"
    });
  </script>'
end
  3. Use the “include_tiny_mce” function in your .rhtml file, and bam.

You can change the functionality of TinyMCE by changing the
“theme_advanced” properties in the helper above.

Chris

Nauhaie wrote:

In fact, what I would like is a ROR equivalent for
http://www.kevinroth.com/rte/demo.php

Thank you!
Nauhaie


#4

It’s your application’s job to ensure form data is sanitized before
anything important is done with it. Even if TinyMCE or something like it
returned scrubbed HTML, it can’t do anything to stop a malicious user
from bypassing your form and passing bad data to your app.

This is not a Rails thing. It’s a basic rule of web development.

Nauhaie wrote:

Wow, that’s cool!

I am going to use this I think! Thanks a lot!

One more question: is tinyMCE safe for letting users post comments? I
mean, is the output correctly cleared of cross-site-scripting
vulnerabilities?

Nauhaie


#5

Wow, that’s cool!

I am going to use this I think! Thanks a lot!

One more question: is tinyMCE safe for letting users post comments? I
mean, is the output correctly cleared of cross-site-scripting
vulnerabilities?

Nauhaie


#6

Steve K. wrote:

It’s your application’s job to ensure form data is sanitized before
anything important is done with it. Even if TinyMCE or something like it
returned scrubbed HTML, it can’t do anything to stop a malicious user
from bypassing your form and passing bad data to your app.

So, correct me if I am wrong: for it is almost impossible to sanitize
HTML, I think I had better use Textile or Markdown for user reviews, and
restrict TinyMCE for the body of the articles (modified by trusted
admins)…

Thank you for your help!


#7

Textile and Markdown pertain to output. TinyMCE is an inline editor that
pertains to input. In general, it is no more or less safe than a regular
textarea. Use whatever you want, but just make sure that when you output
user-supplied HTML to the browser that it has been cleaned at some
point. Look at the sanitize() method in Rails.

Plenty of web applications use inline WYSIWYG HTML editors safely. You
just have to make sure that yours does, too.

Nauhaie wrote:

Steve K. wrote:

It’s your application’s job to ensure form data is sanitized before
anything important is done with it. Even if TinyMCE or something like it
returned scrubbed HTML, it can’t do anything to stop a malicious user
from bypassing your form and passing bad data to your app.

So, correct me if I am wrong: for it is almost impossible to sanitize
HTML, I think I had better use Textile or Markdown for user reviews, and
restrict TinyMCE for the body of the articles (modified by trusted
admins)…

Thank you for your help!


#8

Rails does have a sanitize(html) helper which “should” do the trick … I
haven’t used it but if it works as advertised you could just use that to
sanitize anything coming from untrusted users.

see
http://rubyonrails.com/rails/classes/ActionView/Helpers/TextHelper.html#M000516
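Added example, not from this thread and not the Rails sanitize() helper itself: a small allowlist-based HTML filter in plain Ruby that shows what the server-side step discussed in #4 and #7 has to do with whatever a TinyMCE textarea (or a request sent straight to the endpoint, bypassing the editor) submits. The tag and attribute allowlist, the SAMPLE_INPUT string and the names sanitize_html, safe_url?, rebuild_tag and escape_text are all constructed for this illustration.

```ruby
require 'strscan'
require 'cgi'

# Constructed allowlist: tag name => attributes that may survive on it.
# Everything not listed (img, script, iframe, on* handlers, style, ...) is dropped.
ALLOWED_TAGS = {
  'b' => [], 'strong' => [], 'i' => [], 'em' => [], 'u' => [],
  'p' => [], 'br' => [], 'ul' => [], 'ol' => [], 'li' => [],
  'a' => %w[href title], 'font' => %w[size]
}.freeze

# Tags whose *content* must disappear too, not just the tags themselves.
DROP_CONTENT_TAGS = %w[script style].freeze

TAG_RE  = %r{</?([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^>]*)?)/?>}
ATTR_RE = /([a-zA-Z][\w:-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/

# Accept relative URLs and a few explicit schemes; everything else is
# rejected simply by not being listed (no blocklist of bad schemes).
def safe_url?(url)
  url = url.strip
  return false if url.empty? || url.start_with?('//')
  return true if url =~ %r{\A(https?|mailto):}i
  !url.include?(':')   # relative URL: no scheme at all
end

# Text outside tags: escape < and > and any & that does not already start an entity.
def escape_text(text)
  text.gsub(/&(?!(?:[a-zA-Z]+|#\d+|#x[0-9a-fA-F]+);)/, '&amp;')
      .gsub('<', '&lt;').gsub('>', '&gt;')
end

# Re-emit an allowed opening tag keeping only its allowed attributes.
def rebuild_tag(name, attrs_src)
  kept = +''
  attrs_src.scan(ATTR_RE) do |attr, dq, sq, bare|
    attr = attr.downcase
    next unless ALLOWED_TAGS[name].include?(attr)
    value = dq || sq || bare || ''
    next if attr == 'href' && !safe_url?(value)
    kept << %( #{attr}="#{CGI.escapeHTML(value)}")
  end
  "<#{name}#{kept}>"
end

def sanitize_html(html)
  scanner = StringScanner.new(html)
  out = +''
  skipping = 0   # nesting depth inside <script>/<style>
  until scanner.eos?
    if scanner.scan(TAG_RE)
      name = scanner[1].downcase
      closing = scanner.matched.start_with?('</')
      if DROP_CONTENT_TAGS.include?(name)
        skipping += closing ? -1 : 1
        skipping = 0 if skipping.negative?
      elsif skipping.zero? && ALLOWED_TAGS.key?(name)
        out << (closing ? "</#{name}>" : rebuild_tag(name, scanner[2]))
      end
      # any other tag is dropped; its text content is kept and escaped below
    else
      chunk = scanner.scan(/[^<]+/) || scanner.getch
      out << escape_text(chunk) if skipping.zero?
    end
  end
  out
end

# Constructed sample of what a reviewer, or someone posting straight to the
# form's endpoint, might submit.
SAMPLE_INPUT = '<p>Great <b onclick="steal()">product</b>!</p>' \
               '<script>alert(1)</script>' \
               '<a href="javascript:alert(1)">click</a> ' \
               '<a href="https://example.com" title="ok">link</a> 1 < 2 &amp; done'

puts sanitize_html(SAMPLE_INPUT) if __FILE__ == $0
```

The filter runs when the stored HTML is rendered, which is the point made in #7: the editor is only an input widget, so nothing it does on the client can be relied on. Switching user reviews to Textile or Markdown does not remove this step either, since both formats pass inline HTML through to the output by default; the cleaning still has to happen where the rendered HTML is produced.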