Forum: Ruby on Rails Textile/RedCloth and h() incompatible?

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- and Ruby-related community platforms.
Lindsay Boyd (Guest)
on 2006-05-11 17:19
If a user enters the Textile-based code for an image, say:

!>graphic.png!

the textile() method will successfully render a right-float image. Now,
if I want to escape the user's text using h(), the '>' is turned into an
&gt;. Obviously, the image then fails to render in a browser. Is there
a work around for this?

I guess what I'm really asking is: is there a way to allow the user to
have limited ability to embed HTML in a view, and can Textile still be
used as a friendly way to encode the HTML?

-Lindsay
Parker Thompson (Guest)
on 2006-05-11 20:18
(Received via mailing list)
i believe redcloth will sanitize for you (if i recall correctly) so
you don't need h().  You may have to pass a flag, but the source
should make it clear.

pt.

On 5/11/06, Lindsay Boyd <lindsay.boyd@ntlworld.com> wrote:
> have limited ability to embed HTML in a view, and can Textile still be
>
--
Parker Thompson
http://www.parkert.com/
510.541.0125
Lindsay Boyd (Guest)
on 2006-05-11 21:00
Parker Thompson wrote:
> i believe redcloth will sanitize for you

Thanks for the heads up! I'll check the source.
Mohammad (Guest)
on 2006-05-11 22:58
can you do this?
require 'erb'
include ERB::Util   # provides h()
mytext = "<%= @user.find(3)" # someone's string trying to hack you.
mytext = h(mytext)  # escape the variable, not the literal "mytext"; not sure if that's how you call it in a controller
or if you can
require 'redcloth'
mytext = RedCloth.new(mytext)
mytext = mytext.to_html
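The escape-then-render order suggested in the thread can be shown without RedCloth itself. The following is an added example, not code from the original posts or from the RedCloth project: a toy renderer that runs h() (ERB::Util.html_escape) over the whole input first and then translates only the Textile image syntax (`!src!`, `!>src!`, `!<src!`) on the already-escaped text. Because the parser runs after escaping, the `>` it looks for is `&gt;`, any raw HTML the user typed is inert, and the only tags that reach the browser are the ones this code builds. The `float-right` / `float-left` class names and the rule that only relative paths or http(s) URLs may become an image source are assumptions of this example.

```ruby
require "erb"
require "uri"

# Toy "limited Textile" renderer (assumption: not RedCloth, just the image
# syntax). Escape first, parse second, so user-supplied HTML never survives.
module LimitedTextile
  # After html_escape, "!>graphic.png!" reads "!&gt;graphic.png!".
  IMAGE = /!(&gt;|&lt;)?([^!\s]+)!/
  ALIGN = { "&gt;" => "right", "&lt;" => "left" }.freeze

  # Accept only plain relative paths or http(s) URLs as image sources.
  # Any "&" in the escaped source means the user typed &, <, >, " or ';
  # rejecting those is conservative (query strings with & are lost too).
  def self.safe_src?(src)
    return false if src.include?("&")
    uri = URI.parse(src)
    uri.scheme.nil? || %w[http https].include?(uri.scheme.downcase)
  rescue URI::InvalidURIError
    false
  end

  # Returns HTML in which everything except recognised image markup is
  # escaped text, and image markup becomes an <img> built from safe parts.
  def self.render(text)
    escaped = ERB::Util.html_escape(text)
    escaped.gsub(IMAGE) do
      align, src = Regexp.last_match(1), Regexp.last_match(2)
      if safe_src?(src)
        cls = align ? %( class="float-#{ALIGN[align]}") : ""
        %(<img src="#{src}"#{cls} alt="" />)
      else
        Regexp.last_match(0) # leave the escaped text exactly as typed
      end
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: one legitimate, three hostile.
  [
    "See !>graphic.png! here",
    "<script>alert(1)</script>",
    "!javascript:alert(1)!",
    %(!x" onerror="alert(1)!),
  ].each { |s| puts "#{s.inspect} => #{LimitedTextile.render(s)}" }
end
```

The first input still renders as a right-floated image, which is the behaviour the original post wanted to keep; the other three come out as harmless escaped text because the `<img>` is assembled from a validated source rather than from anything the user wrote verbatim.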