Forum: Ruby on Rails Rich text area?

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- and Ruby-related community platforms.
Nauhaie (Guest)
on 2006-04-30 22:21
Hi all,

I am trying to add an article editing interface to my future webstore,
and I am wondering what to use for text formatting.

I would like to avoid using HTML, and calibre-bbcode just won't work
(see my last post).

Is there some kind of library for live text formatting right in the
browser? I would just need bold, italics, size and ul lists... Do you
know of a good solution?

Thank you very much
Nauhaie
Nauhaie (Guest)
on 2006-04-30 22:44
In fact, what I would like is a ROR equivalent for
http://www.kevinroth.com/rte/demo.php

Thank you!
Nauhaie
Christopher Winslett (Guest)
on 2006-04-30 22:57
Use TinyMCE.

I've implemented it with a helper function in most of my applications:

1) Download TinyMCE from the website and stick the .js files in the
javascript directory.
2) Include this in your application_helper.rb

  #
  # TinyMCE Helpers
  #
  def javascript_include_tinymce
    javascript_include_tag "tiny_mce/tiny_mce"
  end

  # Returns the TinyMCE script tag followed by an inline tinyMCE.init call
  def include_tiny_mce
    "#{javascript_include_tinymce}" +
    '<script language="javascript" type="text/javascript">
      tinyMCE.init({
        mode : "textareas",
        theme : "advanced",
        plugins : "advhr,advimage,advlink,preview,searchreplace,print",
        theme_advanced_buttons2_add : "separator,insertdate,inserttime,prev
        theme_advanced_buttons3_add_before : "tablecontrols,separator",
        theme_advanced_toolbar_location : "top",
        theme_advanced_toolbar_align : "left",
        theme_advanced_path_location : "bottom",
        plugin_insertdate_dateFormat : "%Y-%m-%d",
        plugin_insertdate_timeFormat : "%H:%M:%S",
        extended_valid_elements : "a[name|href|target|title|onclick],img[cl
        external_link_list_url : "example_data/example_link_list.js",
        external_image_list_url : "example_data/example_image_list.js",
        flash_external_list_url : "example_data/example_flash_list.js"
      });
    </script>'
  end
3) Use "include_tiny_mce" function in your .rhtml file, and bam.

You can change the functionality of TinyMCE by changing the
"theme_advanced" properties in the helper above.

Chris

Nauhaie wrote:
> In fact, what I would like is a ROR equivalent for
> http://www.kevinroth.com/rte/demo.php
>
> Thank you!
> Nauhaie
Nauhaie (Guest)
on 2006-04-30 23:28
Wow, that's cool!

I am going to use this I think! Thanks a lot!

One more question: is tinyMCE safe for letting users post comments? I
mean, is the output correctly cleared of cross-site-scripting
vulnerabilities?

Nauhaie
Steve Koppelman (hatless)
on 2006-05-01 00:33
It's your application's job to ensure form data is sanitized before
anything important is done with it. Even if TinyMCE or something like it
returned scrubbed HTML, it can't do anything to stop a malicious user
from bypassing your form and passing bad data to your app.

This is not a Rails thing. It's a basic rule of web development.

Nauhaie wrote:
> Wow, that's cool!
>
> I am going to use this I think! Thanks a lot!
>
> One more question: is tinyMCE safe for letting users post comments? I
> mean, is the output correctly cleared of cross-site-scripting
> vulnerabilities?
>
> Nauhaie
Nauhaie (Guest)
on 2006-05-01 07:09
Steve Koppelman wrote:
> It's your application's job to ensure form data is sanitized before
> anything important is done with it. Even if TinyMCE or something like it
> returned scrubbed HTML, it can't do anything to stop a malicious user
> from bypassing your form and passing bad data to your app.

So, correct me if I am wrong: for it is almost impossible to sanitize
HTML, I think I had better use Textile or Markdown for user reviews, and
restrict TinyMCE for the body of the articles (modified by trusted
admins)...

Thank you for your help!
Steve Koppelman (hatless)
on 2006-05-01 12:55
Textile and Markdown pertain to output. TinyMCE is an inline editor that
pertains to input. In general, it is no more or less safe than a regular
textarea. Use whatever you want, but just make sure that when you output
user-supplied HTML to the browser that it has been cleaned at some
point. Look at the sanitize() method in Rails.

Plenty of web applications use inline WYSIWYG HTML editors safely. You
just have to make sure that yours does, too.

Nauhaie wrote:
> Steve Koppelman wrote:
>> It's your application's job to ensure form data is sanitized before
>> anything important is done with it. Even if TinyMCE or something like it
>> returned scrubbed HTML, it can't do anything to stop a malicious user
>> from bypassing your form and passing bad data to your app.
>
> So, correct me if I am wrong: for it is almost impossible to sanitize
> HTML, I think I had better use Textile or Markdown for user reviews, and
> restrict TinyMCE for the body of the articles (modified by trusted
> admins)...
>
> Thank you for your help!
Brian Ågren (Guest)
on 2006-05-03 18:57
(Received via mailing list)
Rails does have a sanitize(html) helper which "should" do the trick. I
haven't used it, but if it works as advertised you could just use that to
sanitize anything coming from untrusted users.

see
http://rubyonrails.com/rails/classes/ActionView/He...
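Steve's point above (whatever editor produced the HTML, clean it on the server before it is output, because a form can be bypassed) and Brian's pointer to Rails' sanitize(html) helper, illustrated with an added example that is not from this thread and not Rails' own implementation: a small allowlist sanitizer in plain Ruby (standard library only) that keeps the bold, italics and list markup the original question asked for and drops script tags, event-handler attributes and javascript: links. The names sanitize_rich_text and safe_attrs, the allowlist, and the sample comment are assumptions made for the example.

```ruby
require "cgi"

# Allowlist: tag name => attributes allowed on it; anything else is dropped.
# Assumed for this example; Rails' sanitize() ships its own, longer list.
ALLOWED_TAGS = {
  "b" => [], "i" => [], "em" => [], "strong" => [],
  "p" => [], "ul" => [], "ol" => [], "li" => [],
  "a" => ["href"],
}.freeze

# Only relative paths and http(s) URLs survive in href; "javascript:" never matches.
SAFE_HREF = %r{\A(?:https?://|/)}i

TAG_RE  = %r{<(/?)\s*([a-zA-Z][a-zA-Z0-9]*)([^<>]*?)/?>}
ATTR_RE = /([a-zA-Z][a-zA-Z0-9-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/

# Rebuilds the attribute string of an allowed tag from its allowlist only.
def safe_attrs(name, attr_src)
  attr_src.scan(ATTR_RE).filter_map do |attr, dq, sq, bare|
    attr  = attr.downcase
    value = dq || sq || bare
    next unless ALLOWED_TAGS[name].include?(attr)   # drops onclick, style, ...
    next if attr == "href" && value !~ SAFE_HREF    # drops javascript: links
    %( #{attr}="#{CGI.escapeHTML(value)}")
  end.join
end

# Walks the input tag by tag: allowed tags are re-emitted in canonical form,
# disallowed tags are removed, and all text between tags is HTML-escaped.
def sanitize_rich_text(html)
  out = +""
  pos = 0
  while (m = TAG_RE.match(html, pos))
    out << CGI.escapeHTML(html[pos...m.begin(0)])
    closing = m[1] == "/"
    name    = m[2].downcase
    if ALLOWED_TAGS.key?(name)
      out << (closing ? "</#{name}>" : "<#{name}#{safe_attrs(name, m[3])}>")
    end
    pos = m.end(0)
  end
  out << CGI.escapeHTML(html[pos..])
end

# Constructed sample: what a POST body might carry if the editor's form is bypassed.
UNTRUSTED_COMMENT = '<b>Nice</b> product <script>alert(1)</script>' \
                    '<a href="javascript:alert(1)" onclick="steal()">link</a>' \
                    '<a href="https://example.com/">real link</a>' \
                    '<img src=x onerror=alert(1)> 1 < 2'

if __FILE__ == $PROGRAM_NAME
  puts sanitize_rich_text(UNTRUSTED_COMMENT)
end
```

The call sits in the view (or wherever the stored comment is rendered), so it makes no difference whether the HTML came from TinyMCE, a plain textarea, or a hand-crafted request. In a real Rails app, prefer the sanitize helper the thread mentions over a hand-rolled scanner like this one; the example exists to show the principle (allowlist, canonical re-emission, escape everything else), and it has the usual limits of a regex scanner, for instance it re-escapes entities already present in the text.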