If a user enters the Textile-based code for an image, say !>graphic.png!, the textile() method will successfully render a right-floated image. Now, if I want to escape the user's text using h(), the '>' is turned into &gt;. Obviously, the image then fails to render in a browser. Is there a workaround for this? I guess what I'm really asking is: is there a way to allow the user to have limited ability to embed HTML in a view, and can Textile still be used as a friendly way to encode the HTML?

-Lindsay
on 2006-05-11 17:19
on 2006-05-11 20:18
I believe RedCloth will sanitize for you (if I recall correctly), so you don't need h(). You may have to pass a flag, but the source should make it clear.

pt.

On 5/11/06, Lindsay Boyd <email@example.com> wrote:
> have limited ability to embed HTML in a view, and can Textile still be
>

--
Parker Thompson
http://www.parkert.com/
510.541.0125
on 2006-05-11 21:00
Parker Thompson wrote:
> i believe redcloth will sanitize for you

Thanks for the heads up! I'll check the source.
on 2006-05-11 22:58
Can you do this?

    require 'erb'
    require 'redcloth'
    include ERB::Util   # makes h() available outside a view

    mytext = "<%= @user.find(3)"   # someone's string trying to hack you
    mytext = h(mytext)             # not sure if that's how you call it in a controller, or if you can
    mytext = RedCloth.new(mytext)
    mytext = mytext.to_html
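The two approaches in this thread pull in opposite directions: escaping with h() before the Textile pass protects against injected HTML but also mangles the Textile image syntax, as the first post observed. The example below is added here and is not code from the thread or from RedCloth; it shows both effects in plain Ruby using only the standard library. escaped_first reproduces the breakage (the '>' alignment marker becomes &gt;), and render_limited implements the "limited embedding" idea with an allow-list: only a strictly matched Textile image token is turned into an <img> tag, and every other character of the user's input is HTML-escaped. The image regex, the inline float styles and the function names are my own assumptions, not RedCloth's output format.

```ruby
require 'erb'

# Constructed sample input: legitimate Textile image markup mixed with
# raw HTML that a user should not be allowed to emit verbatim.
USER_TEXT = 'Intro !>graphic.png! <script>alert(1)</script> and a <b>bold</b> word'

# The ordering from the thread: escape first, then hand to the Textile renderer.
# The alignment marker '>' is escaped, so no Textile engine can see an image here.
def escaped_first(text)
  ERB::Util.html_escape(text)   # "!>graphic.png!" -> "!&gt;graphic.png!"
end

# Allow-list token: optional '<' or '>' alignment marker, then a plain relative
# image filename. The character class deliberately excludes ':' and whitespace,
# so scheme-bearing URLs (javascript:, data:) can never reach the src attribute.
IMAGE_TOKEN = /!(?<align>[<>]?)(?<src>[\w\-\/.]+\.(?:png|jpe?g|gif))!/

ALIGN_STYLE = { '>' => ' style="float:right"', '<' => ' style="float:left"', '' => '' }.freeze

# Render only the image tokens as HTML; escape everything in between.
def render_limited(text)
  out = +''
  pos = 0
  text.scan(IMAGE_TOKEN) do
    m = Regexp.last_match
    out << ERB::Util.html_escape(text[pos...m.begin(0)])   # text before the token
    out << %(<img src="#{ERB::Util.html_escape(m[:src])}"#{ALIGN_STYLE[m[:align]]} alt="" />)
    pos = m.end(0)
  end
  out << ERB::Util.html_escape(text[pos..-1])              # trailing text
  out
end

if __FILE__ == $PROGRAM_NAME
  puts escaped_first('!>graphic.png!')
  puts render_limited(USER_TEXT)
end
```

Running the file prints the escaped-first result, which contains no <img> at all, followed by the allow-list rendering, in which graphic.png becomes a right-floated image while the <script> and <b> tags survive only as escaped text. The same allow-list shape (match a narrow grammar, escape the rest) is what a Textile engine's HTML-filtering mode has to do internally; checking the engine's source, as the thread suggests, is how to confirm which of its flags turn that on.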