Textile/RedCloth and h() incompatible?


#1

If a user enters the Textile-based code for an image, say:

!>graphic.png!

the textile() method will successfully render a right-float image. Now,
if I want to escape the user’s text using h(), the ‘>’ is turned into an
&gt;. Obviously, the image then fails to render in a browser. Is there
a workaround for this?

I guess what I’m really asking is: is there a way to allow the user to
have limited ability to embed HTML in a view, and can Textile still be
used as a friendly way to encode the HTML?

-Lindsay


#2

I believe RedCloth will sanitize for you (if I recall correctly), so
you don’t need h(). You may have to pass a flag, but the source
should make it clear.

pt.

On 5/11/06, Lindsay B. removed_email_address@domain.invalid wrote:

have limited ability to embed HTML in a view, and can Textile still be


Parker T.
http://www.parkert.com/
510.541.0125


#3

Parker T. wrote:

I believe RedCloth will sanitize for you

Thanks for the heads up! I’ll check the source.


#4

Can you do this?

require "redcloth"

mytext = "<%= @user.find(3)"            # someone's string trying to hack you
mytext = ERB::Util.html_escape(mytext)  # same as h() in a view; h() itself is a view helper, so call ERB::Util.html_escape in a controller (not sure if that's how you call it in controller)

or, if you can,

mytext = RedCloth.new(mytext)           # the class is spelled RedCloth, with a capital C
mytext = mytext.to_html
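The order-of-operations problem behind post #1 and post #4, shown as an added example that is not the thread's code and not RedCloth: a toy renderer for a single Textile construct (the image markup !url!, !>url! and !<url!) that escapes user text at the point where it emits HTML, so the Textile ">" alignment marker still works while any tags the user typed are neutralised. The helper names (render_textile_images, safe_image_src?, escape_then_render) and the source-URL policy are constructed for this example; only ERB::Util.html_escape is real, and it is the same function Rails exposes as h().

```ruby
require "erb"

# Toy renderer for a single Textile construct, the image markup
# "!url!", "!>url!" (float right) and "!<url!" (float left).
# Constructed example, not RedCloth and not the thread's own code:
# it only shows *where* escaping has to happen for Textile to keep working.
TEXTILE_IMAGE = /!([<>])?([^!\s]+)!/

ALIGN_STYLE = { ">" => ' style="float:right"', "<" => ' style="float:left"' }.freeze

# Accept only http(s) URLs or simple site-relative paths as image sources,
# so that schemes such as javascript: or data:, and protocol-relative
# "//host/..." references, never reach the src attribute. (Assumed policy.)
def safe_image_src?(src)
  src.match?(%r{\Ahttps?://[^\s"'<>]+\z}i) || src.match?(%r{\A/?\w[\w./-]*\z})
end

# Escape plain text, recognise image markup and emit only an <img> element
# whose attribute value is itself escaped. User text never reaches the
# output unescaped, yet the Textile ">" marker is still interpreted.
def render_textile_images(text)
  out = +""
  pos = 0
  text.scan(TEXTILE_IMAGE) do
    m = Regexp.last_match
    out << ERB::Util.html_escape(text[pos...m.begin(0)])   # text before the match
    align, src = m[1], m[2]
    if safe_image_src?(src)
      out << %(<img src="#{ERB::Util.html_escape(src)}"#{ALIGN_STYLE[align]} />)
    else
      out << ERB::Util.html_escape(m[0])   # rejected source: show the literal markup
    end
    pos = m.end(0)
  end
  out << ERB::Util.html_escape(text[pos..-1])              # text after the last match
end

# What post #1 runs into: escaping *before* rendering turns the alignment
# marker into an entity, so the renderer no longer recognises an image.
def escape_then_render(text)
  render_textile_images(ERB::Util.html_escape(text))
end

if __FILE__ == $0
  puts render_textile_images("!>graphic.png!")
  puts render_textile_images("<script>alert(1)</script> !>graphic.png!")
  puts render_textile_images("!javascript:alert(1)!")
  puts escape_then_render("!>graphic.png!")
end
```

The same principle is what "RedCloth sanitizes for you" means in practice: let the markup renderer produce the HTML from raw Textile, and apply escaping or an element allowlist to its output, never h() to its input. With a full renderer such as RedCloth, the check that corresponds to safe_image_src? here is a sanitizer run over the rendered HTML, restricted to the handful of elements and attributes you actually want users to be able to produce.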