If a user enters the Textile-based code for an image, say:
!>graphic.png!
the textile() method will successfully render a right-float image. Now,
if I want to escape the user’s text using h(), the ‘>’ is turned into an
&. Obviously, the image then fails to render in a browser. Is there
a work around for this?
I guess what I’m really asking is: is there a way to allow the user to
have limited ability to embed HTML in a view, and can Textile still be
used as a friendly way to encode the HTML?
-Lindsay
i believe redcloth will sanitize for you (if i recall correctly) so
you don’t need h(). You may have to pass a flag, but the source
should make it clear.
pt.
On 5/11/06, Lindsay B. [email protected] wrote:
> have limited ability to embed HTML in a view, and can Textile still be
–
Parker T.
http://www.parkert.com/
510.541.0125
Parker T. wrote:
> i believe redcloth will sanitize for you
Thanks for the heads up! I’ll check the source.
can you do this?
require 'erb'
require 'redcloth'
include ERB::Util  # h() is ERB::Util.html_escape; views get it for free, a controller needs this include
mytext = "<%= @user.find(3)" # someone's string trying to hack you.
mytext = h(mytext) # escape the variable, not the literal "mytext" (not sure if that's how you call it in a controller)
or if you can
mytext = RedCloth.new(mytext)
mytext = mytext.to_html