Textile/RedCloth and h() incompatible?

If a user enters the Textile-based code for an image, say:

!>graphic.png!

the textile() method will successfully render a right-float image. Now,
if I want to escape the user’s text using h(), the ‘>’ is turned into an
&. Obviously, the image then fails to render in a browser. Is there
a work around for this?

I guess what I’m really asking is: is there a way to allow the user to
have limited ability to embed HTML in a view, and can Textile still be
used as a friendly way to encode the HTML?

-Lindsay

i believe redcloth will sanitize for you (if i recall correctly) so
you don’t need h(). You may have to pass a flag, but the source
should make it clear.

pt.

pt.

On 5/11/06, Lindsay B. [email protected] wrote:

have limited ability to embed HTML in a view, and can Textile still be


Parker T.
http://www.parkert.com/
510.541.0125

Parker T. wrote:

i believe redcloth will sanitize for you

Thanks for the heads up! I’ll check the source.

can you do this?
mytext = “<%= @user.find(3)” #someone’s string trying to hack you.
mytext = h(“mytext”) #not sure if thats how you call it in controller
or if you can
mytext = Redcloth.new mytext
mytext = mytext.to_html

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs