Forum: Ruby on Rails HTML in db columns

Don French (Guest)
on 2008-12-14 03:40
(Received via mailing list)
I have some text columns where I would like many of the html commands
available. I can insert tags in the field with no problem and it stays
there. When I try to use the data like <%= @item.description %> I
lose several of the tags. They do not work. Particularly the <ul>
<ol> <li> tags. The <b> <i> tags work along with font and color.

Are they being filtered out automatically?

I am on rails 2.2.2.

What do I need to do to get a column to display in the format
specified? Ultimately I want to use one of the wysiwyg editors on the
site, but if I cannot get the output to display, it is of no use.

Thank you

Don French
Phlip (Guest)
on 2008-12-14 03:47
(Received via mailing list)
Don French wrote:

> I have some text columns where I would like many of the html commands
> available. I can insert tags in the field with no problem and it stays
> there. When I try to use the data like <%= @item.description %> I
> lose several of the tags. They do not work. Particularly the <ul>
> <ol> <li> tags. The <b> <i> tags work along with font and color.
>
> Are they being filtered out automatically?

Not at all - if you put raw text in you should get raw text out.
(Probably UTF-8...)

How long is your description field? If it's not a TEXT blob, it might
truncate at 255.

What do your unit tests say about the description field, and the view it
constructs?

> What do I need to do to get a column to display in the format
> specified? Ultimately I want to use one of the wysiwyg editors on the
> site, but if I cannot get the output to display, it is of no use.

We do it all the time.

But just today I could not get a <li> to display its freaking
list-style-type: disc for anything. Both Firefox and IE caught the bug.
Maybe it's a lunar phase thing, and you caught it too!

--
   Phlip
Don French (Guest)
on 2008-12-15 14:45
(Received via mailing list)
The column is a text type. I get <b> <i> but not <ol><li>. The bullets
are just left out.
Hassan Schroeder (Guest)
on 2008-12-15 16:48
(Received via mailing list)
On Mon, Dec 15, 2008 at 5:45 AM, Don French <dhf0820@gmail.com> wrote:
>
> The column is a text type. I get <b> <i> but not <ol><li>. The bullets
> are just left out.

"bullets" are a visual attribute of OL/LI defined by the page's CSS; are
you sure your style sheet isn't overriding the default browser view, or
causing the bullets to be hidden by another element?

OTOH, if you can't see the OL/LIs in a page via `view source` I think
you'll need to post some code.

--
Hassan Schroeder ------------------------ hassan.schroeder@gmail.com
Robert Walker (robert4723)
on 2008-12-15 18:40
>> The column is a text type. I get <b> <i> but not <ol><li>. The bullets
>> are just left out.

It sounds to me like your HTML is getting sanitized somewhere, which is
actually a really good thing. Allowing raw HTML to be passed through from
an input (textfield, textarea, etc.) and then displayed without being
sanitized can lead to all sorts of security problems.

My recommendation would be to look into supporting Textile/Markdown in
your input textarea and make sure you are properly sanitizing your HTML.
Otherwise, you may leave yourself open to cross-site scripting or SQL
injection attacks.
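
An added example, not part of the thread and not Rails' own code: one way to do the sanitizing recommended above, limited to the tags the thread mentions (b, i, ul, ol, li). It escapes everything first and then restores only bare allowlisted tags; the function names and the sample input are constructed for illustration. In a Rails application the `sanitize` view helper with a `:tags` allowlist serves the same purpose.

```ruby
# Allowlist rendering of stored HTML: escape everything, then re-enable
# only attribute-free tags from a fixed list. All names here are hypothetical.
ALLOWED_TAGS = %w[b i ul ol li].freeze # tags discussed in the thread

ESCAPES = {
  '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
  '"' => '&quot;', "'" => '&#39;'
}.freeze

# Matches an escaped opening or closing tag with no attributes at all,
# e.g. "&lt;li&gt;" or "&lt;/ul&gt;". A tag carrying attributes never matches.
ALLOWED_RE = /&lt;(\/?)(#{ALLOWED_TAGS.join('|')})&gt;/i

# Escape every HTML metacharacter so the text is inert in a page.
def escape_html(text)
  text.to_s.gsub(/[&<>"']/, ESCAPES)
end

# Escape first, then turn only the allowlisted bare tags back into markup.
def allowlist_html(text)
  escape_html(text).gsub(ALLOWED_RE) { "<#{$1}#{$2.downcase}>" }
end

# Constructed sample of what a description column might contain.
SAMPLE = '<b>Features</b><ul><li>one</li><LI onclick="x()">two</li></ul>' \
         '<script>alert(1)</script>'

puts allowlist_html(SAMPLE)
```

The list tags survive, while the `<script>` element and the `<LI>` carrying an attribute are displayed as text instead of being interpreted by the browser.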