Hi, I was trying something: uploading via a textarea whose data
will be shown as HTML using the sanitize method.
Everything is OK about scripts, but when I tried it, it
escaped the <
Why this? Is it a bug of sanitize? I knew that an HTML comment is just
a comment, so why escape it? And if it isn't a bug, is it possible
not to escape the < ? Or is it safer to escape it? Why?
Thanks
Mix M. wrote:
Hi, I was trying something: uploading via a textarea whose data
will be shown as HTML using the sanitize method.
Everything is OK about scripts, but when I tried it, it
escaped the <
Why this? Is it a bug of sanitize? I knew that an HTML comment is just
a comment, so why escape it? And if it isn't a bug, is it possible
not to escape the < ? Or is it safer to escape it? Why?
sanitize doesn't know about HTML semantics or tags. It just knows about
HTML characters, and so it happily goes about encoding your less-than
sign.
It’s proper behavior too, because you generally don’t want people to
embed hidden HTML. You want to output everything they put into that
textarea.
–
Roderick van Domburg
http://www.nedforce.com
Roderick van Domburg wrote:
sanitize doesn't know about HTML semantics or tags. It just knows about
HTML characters, and so it happily goes about encoding your less-than
sign.
It's proper behavior too, because you generally don't want people to
embed hidden HTML. You want to output everything they put into that
textarea.
–
Roderick van Domburg
http://www.nedforce.com
Mmm… OK, and what if I want to hide those comments? Is it possible to
add to sanitize a rule to skip them?
In the API there is this: "You can modify what gets sanitized by defining
VERBOTEN_TAGS and VERBOTEN_ATTRS before this Module is loaded."
And nothing else…
Mix M. wrote:
Roderick van Domburg wrote:
sanitize doesn't know about HTML semantics or tags. It just knows about
HTML characters, and so it happily goes about encoding your less-than
sign.
It's proper behavior too, because you generally don't want people to
embed hidden HTML. You want to output everything they put into that
textarea.
Mmm… OK, and what if I want to hide those comments? Is it possible to
add to sanitize a rule to skip them?
In the API there is this: "You can modify what gets sanitized by defining
VERBOTEN_TAGS and VERBOTEN_ATTRS before this Module is loaded."
And nothing else…
No, sanitize can't do that for you. You'd need to write a custom
sanitizer, splitting the input, keeping your comments, and sanitizing
the rest, possibly using Rails' default sanitizer.
–
Roderick van Domburg
http://www.nedforce.com
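One way to build the split-and-sanitize approach described above, as an added example that is not code from the thread or from Rails: comments are kept only when their body cannot end the comment early, everything else is HTML-escaped. It uses CGI.escapeHTML for the "rest" instead of Rails' sanitize helper so that it runs stand-alone; the helper names are my own.

```ruby
require "cgi"

# Added example (not from the thread or from Rails): keep HTML comments,
# escape everything else. COMMENT_RE is non-greedy so each comment ends at
# the first "-->".
COMMENT_RE = /<!--(.*?)-->/m

# A kept comment body must not be able to close the comment before the
# "-->" we matched. HTML parsers also end a comment at "--!>" and "--->",
# so a body containing "--" or ">" is not trusted and is escaped as text.
def safe_comment_body?(body)
  !body.include?("--") && !body.include?(">")
end

def sanitize_keeping_comments(input)
  out = +""
  pos = 0
  input.scan(COMMENT_RE) do
    m = Regexp.last_match
    # Text before this comment is escaped like any other user input.
    out << CGI.escapeHTML(input[pos...m.begin(0)])
    body = m[1]
    if safe_comment_body?(body)
      out << "<!--#{body}-->"      # comment preserved verbatim
    else
      out << CGI.escapeHTML(m[0])  # suspicious comment: shown as text
    end
    pos = m.end(0)
  end
  out << CGI.escapeHTML(input[pos..-1])  # trailing text (and unterminated "<!--")
  out
end

if __FILE__ == $0
  # constructed sample input
  puts sanitize_keeping_comments("<!-- note --><b>bold</b> & <!-- a -- b -->")
end
```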
Roderick van Domburg wrote:
No, sanitize can't do that for you. You'd need to write a custom
sanitizer, splitting the input, keeping your comments, and sanitizing
the rest, possibly using Rails' default sanitizer.
–
Roderick van Domburg
http://www.nedforce.com
Mmm… OK, so I think that it's better to do something directly in the
model, like
def before_save
  # the pattern between the slashes was lost from the post; "gbus" corrected to gsub
  self.text = self.text.gsub(//, '')
end
It should work…