Questions tagged [html-safe]

75 questions
1
vote
1 answer

Rails 3: Permitting Users to Use Basic HTML Tags

Throughout my site, users can leave comments. I want them to be able to insert basic HTML in their comments, including bold, italic, and link tags. Unfortunately, Rails automatically escapes all user-generated HTML. I can bypass this behavior by…
nullnullnull
  • 8,039
  • 12
  • 55
  • 107
1
vote
1 answer

Better way than ''.html_safe when building html string in Rails?

Typical pattern: out = ''.html_safe # or ActiveSupport::SafeBuffer.new out << content_tag(...) if foo out << 'hello, 1 < 2' # will be escaped properly out << content_tag(...) if bar out This works fine. Is there a nicer / shorter / better way than…
Marc-André Lafortune
  • 78,216
  • 16
  • 166
  • 166
0
votes
1 answer

FCKEditor with Rails Security Vulnerability

I am using FCKEditor in my Ruby on Rails Application. Users add blog posts using FCKEditor. Then I display blog posts using @blog.body.html_safe I know FCKEditor is escaping any javascript code but what if a user posted a request with direct…
Mahmoud Khaled
  • 6,226
  • 6
  • 37
  • 42
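Editor's added example for the two questions above (the Rails comment question and the FCKEditor question); it is not code from either post. Both ask the same thing: how to render stored user HTML without calling `html_safe` on it wholesale. The answer in a Rails app is the bundled helper, `sanitize(body, tags: %w[b i em strong br a], attributes: %w[href])`, whose return value is already marked safe. The stand-alone Ruby below re-creates the essential part of that helper with no gems so the three decisions it makes are visible: every run of text is escaped, only named tags are re-emitted (from scratch, so stray attributes such as `onclick` vanish), and `href` survives only with an allowed scheme. The tag set, the `safe_href`/`sanitize_comment` names and the sample inputs are this example's own choices.

```ruby
require 'erb'
require 'uri'

ALLOWED_TAGS    = %w[b i em strong br a].freeze
ALLOWED_SCHEMES = %w[http https mailto].freeze

# A tag token: optional '/', a name, then anything up to the closing '>'.
TAG_RE  = %r{<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>}
# href="...", href='...' or unquoted href=...
HREF_RE = /\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i

# Returns the attribute-escaped href, or nil when it is missing, unparseable,
# or its scheme is not allowed (javascript:, data:, vbscript: and relative
# URLs all end up nil and the whole <a ...> is then shown as literal text).
def safe_href(attrs)
  m = attrs.match(HREF_RE)
  return nil unless m
  url = (m[1] || m[2] || m[3]).strip
  uri = begin
    URI.parse(url)
  rescue URI::InvalidURIError
    return nil
  end
  return nil unless uri.scheme && ALLOWED_SCHEMES.include?(uri.scheme.downcase)
  ERB::Util.html_escape(url)
end

# Single pass over the input. Text between tags is always escaped; allowed tags
# are rebuilt without their attributes; unknown tags are escaped and displayed.
# A stack closes anything the commenter left open so markup cannot leak past
# the comment.
def sanitize_comment(html)
  out  = +''
  open = []
  pos  = 0
  html.scan(TAG_RE) do
    m = Regexp.last_match
    out << ERB::Util.html_escape(html[pos...m.begin(0)])
    pos = m.end(0)
    closing = m[1] == '/'
    name    = m[2].downcase
    attrs   = m[3]
    unless ALLOWED_TAGS.include?(name)
      out << ERB::Util.html_escape(m[0]) # unknown tag rendered as literal text
      next
    end
    if name == 'br'
      out << '<br>' unless closing
    elsif closing
      idx = open.rindex(name)
      next unless idx # closing tag with no matching open tag: drop it
      out << open.pop(open.size - idx).reverse.map { |t| "</#{t}>" }.join
    elsif name == 'a'
      href = safe_href(attrs)
      if href
        out << %(<a href="#{href}" rel="nofollow noopener">)
        open << 'a'
      else
        out << ERB::Util.html_escape(m[0]) # bad or missing scheme: keep as text
      end
    else
      out << "<#{name}>"
      open << name
    end
  end
  out << ERB::Util.html_escape(html[pos..])
  out << open.reverse.map { |t| "</#{t}>" }.join
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample comment, not taken from either question.
  puts sanitize_comment('Hi <b>there</b> <script>alert(1)</script> ' \
                        '<a href="javascript:alert(1)">x</a> <i>unclosed')
end
```

In a view the result of the real `sanitize` helper can be rendered directly; with this stand-alone version you would wrap the return value in `.html_safe` yourself, which is acceptable only because every byte of it was produced by the sanitizer rather than copied from the user. Note the choice to show a rejected `<a>` as text instead of silently dropping it: the commenter sees what happened, and nothing attacker-controlled reaches an attribute.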
0
votes
2 answers

undefined method `html_safe' for # using recaptcha

I'm getting this error on the line where I call recaptcha_tags <%= recaptcha_tags( :public_key => 'XXXXXXYYYYYYYZZZ-ZXYXXZYZ' , :display=>{:theme=>"white" }) %> I'm working with rails 2.3.10 how can I solve this error? many thanks.
Mr_Nizzle
  • 6,644
  • 12
  • 55
  • 85
0
votes
2 answers

How to only make links html safe and ignore other html tags in Rails

I have a requirement where I need to make links clickable in text while keeping any other html tags as text (not html_safe). This means I cannot make the entire text html_safe as that will render the other html tags and I cannot sanitize the text…
TenJack
  • 1,594
  • 4
  • 21
  • 35
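Editor's added example for the question above; it is not code from the post or its answer. The approach: never mark the whole comment safe and never try to "un-escape" links afterwards. Split the raw text into URL and non-URL runs, escape every run, and wrap only the URL runs in an anchor. Because each run is escaped before any markup is added, a crafted URL such as `http://x.example/"onmouseover=...` cannot break out of the `href` attribute, and every other tag in the text stays visible as text. The URL pattern and `linkify` name are this example's own.

```ruby
require 'erb'

# Only absolute http(s) URLs are linked; javascript:, data: and the like never
# match, so they are escaped and displayed as plain text.
URL_RE = %r{https?://[^\s<>"']+}

def linkify(text)
  # split with a capture group alternates plain text (even index) and URLs (odd index)
  text.split(/(#{URL_RE.source})/).each_with_index.map do |part, i|
    escaped = ERB::Util.html_escape(part)
    if i.odd?
      %(<a href="#{escaped}" rel="nofollow noopener">#{escaped}</a>)
    else
      escaped
    end
  end.join
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input, not from the question.
  puts linkify('see <b>x</b> at http://a.example/?q=1&r=2 (not <script>alert(1)</script>)')
end
```

In Rails, call `.html_safe` on the return value of `linkify` (and only there): the string is safe because it was assembled entirely from escaped runs and markup the helper wrote itself. Rails' own `auto_link` from the `rails_autolink` gem does the same job with more URL heuristics; the point here is the order of operations.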
0
votes
1 answer

HTML Safe JSON generation with Ruby only

I need to embed a JSON object into an HTML data attribute. Using the Ruby to_json RubyArrayOfHashes.to_json generates a proper JSON string, but it is not escaped. So I get this in my HTML: data-track="[{"source_id":7}]" The above is not valid due…
fnllc
  • 3,047
  • 4
  • 25
  • 42
0
votes
1 answer

How to escape javascript-generated html in Rails?

On one side of my page, I have a very simple email form. On the other side I have a preview of the proposed email. For example: As the user completes the fields, I'd like to update the preview on keyup. I wrote a little js function to do just…
Cory Schires
  • 2,146
  • 2
  • 14
  • 26
0
votes
2 answers

Inline styling in Rails 4 erb

So I am stuck with a small issue while migrating a legacy project from Rails 3.2 to 4.2 Inside one of our views (erb), the code (Rails 3.2) html_safe(truncate(job_profile.description + '  [ ' + list.join(', ') +'…
Akash Srivastava
  • 151
  • 1
  • 10
0
votes
0 answers

ActiveSupport::SafeBuffer not rendered in view?

Very simple question really, but it's driving me nuts. I have this method call in a Rails view: <%= get_image(@document) %> The method in here returns an object of type ActiveSupport::SafeBuffer. If I call .to_str on it in a console, I see the…
bitops
  • 4,022
  • 3
  • 26
  • 31
0
votes
3 answers

html_safe is not working in rails to javascript

I have an array of strings declared in my controller that I need to use in a js file. Here is my code: #controller @cars = current_user.cars.completed.collect{|c| c.name.titleize } puts "#{@cars.inspect}" The puts returns: ["Presentation 2",…
Philip7899
  • 4,599
  • 4
  • 55
  • 114
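Editor's added example serving both the `data-` attribute question ("HTML Safe JSON generation with Ruby only") and the question above about passing a Ruby array to JavaScript; it is not code from either post. The two contexts need two different escapings. Inside an attribute the browser decodes entities before a script reads the value, so plain HTML escaping of the JSON is correct. Inside a `<script>` block entities are not decoded (they would corrupt the JSON) while a literal `</script>` in the data ends the block early, so the dangerous characters must be rewritten as JSON `\u` escapes instead. The function names and sample data are this example's own.

```ruby
require 'json'
require 'erb'

# For: <div data-track="#{json_for_attribute(rows)}">
# Rails does the same when you write content_tag(:div, data: { track: rows }).
def json_for_attribute(obj)
  ERB::Util.html_escape(JSON.generate(obj))
end

# For: <script>var cars = #{json_for_script(cars)};</script>
# Mirrors the replacements Rails' ERB::Util.json_escape makes. The output is
# still valid JSON and valid JavaScript; U+2028/2029 are included because they
# are legal in JSON but were line terminators in JavaScript before ES2019.
JSON_SCRIPT_ESCAPES = {
  '<' => '\u003c', '>' => '\u003e', '&' => '\u0026',
  "\u2028" => '\u2028', "\u2029" => '\u2029'
}.freeze

def json_for_script(obj)
  JSON.generate(obj).gsub(/[<>&\u2028\u2029]/, JSON_SCRIPT_ESCAPES)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data, not from either question.
  puts json_for_attribute([{ 'source_id' => 7 }])
  puts json_for_script(['Presentation 2', '</script><script>alert(1)</script>'])
end
```

Neither helper is a substitute for the other: `json_for_script` output placed in an attribute would hand the browser a literal backslash sequence, and `json_for_attribute` output placed in a script block is not JSON at all. Recent versions of the json gem offer `JSON.generate(obj, script_safe: true)` for the script case; in a Rails view the equivalent is the `j`/`json_escape` helper, and whichever you use, mark only its return value `html_safe`.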
0
votes
2 answers

How to use html_safe in a secure manner?

I was wondering when it is safe to use html_safe and when not. I read that you don't want to do this if the code may contain user content. What does this mean in practice? flash[:danger]="Dear #{@user.username}
please take a look…
Marty
  • 2,132
  • 4
  • 21
  • 47
0
votes
1 answer

How to permit <br> with text?

How can we give the user the ability to break-lines here? <%= f.text_area :name, rows: 4, class: 'form-control', id: "gold-standard", placeholder: 'Enter Value' %> Ideally only <br> would work out of the html elements, but worst case how can we…
AnthonyGalli.com
  • 2,796
  • 5
  • 31
  • 80
0
votes
1 answer

html_safe not working with rails

I can't manage to make it work... even using raw or html_safe view <%= button_to(glyphicon('heart', 'I love it !'), some_path, class: "btn btn-success")%> helper def glyphicon(glyph, text = nil) html = "
Cyril Duchon-Doris
  • 12,964
  • 9
  • 77
  • 164
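Editor's added example serving three of the questions in this list: "Better way than ''.html_safe when building html string", "How to use html_safe in a secure manner?" and the `glyphicon` helper question above. It is not code from any of the posts and not ActiveSupport's code either: it is a reduced model of `ActiveSupport::SafeBuffer`, written from scratch with just enough behaviour to show the rule that answers all three. Appending to a safe buffer escapes the appended string unless that string is itself marked safe, so `"Dear #{user}".html_safe` (interpolate first, mark second) ships the user's markup unescaped, while `'Dear '.html_safe + user` escapes it; and a helper that returns `"<span>…</span>"` as a plain String is escaped whole by the view because nothing ever marked it safe. The class, the `flash_*` helpers and the sample username are this example's own.

```ruby
require 'erb'

class SafeBuffer < String
  def html_safe?; true; end
  def html_safe;  self; end

  # Appending escapes the argument unless it is itself marked safe.
  def concat(other)
    safe = other.respond_to?(:html_safe?) && other.html_safe?
    super(safe ? other : ERB::Util.html_escape(other))
  end
  def <<(other); concat(other); end
  def +(other);  dup.concat(other); end
end

class String
  def html_safe?; false; end
  def html_safe;  SafeBuffer.new(self); end # marks the string, does NOT escape it
end

# Constructed attacker-controlled value, as a self-chosen username might be.
USERNAME = '<img src=x onerror=alert(1)>'

# Interpolate first, mark safe second: the payload goes out unescaped.
def flash_unsafe(name)
  "Dear #{name}, please take a look".html_safe
end

# Start from a safe literal and append: the buffer escapes the name on the way in.
def flash_safe(name)
  'Dear '.html_safe + name + ', please take a look'
end

# The glyphicon helper done the safe way: markup the helper wrote is marked
# safe, text the caller passes in is escaped by the append.
def glyphicon(glyph, text = nil)
  buf = %(<span class="glyphicon glyphicon-#{ERB::Util.html_escape(glyph)}"></span>).html_safe
  buf << ' ' << text if text
  buf
end

if __FILE__ == $PROGRAM_NAME
  puts flash_unsafe(USERNAME)                  # XSS: <img ...> survives
  puts flash_safe(USERNAME)                    # &lt;img ...&gt;
  puts glyphicon('heart', 'I love it <b>!</b>') # tag kept, text escaped
end
```

This is why the answer to "when is html_safe safe" is mechanical rather than a judgement call: call it only on a string literal you wrote, or on the output of a sanitizer, never on a string that already has user data interpolated into it. In real Rails, `content_tag`/`tag.span` and `safe_join` build on exactly this buffer, which is also the short answer to the `''.html_safe` question: `safe_join(parts)` or a `tag` block replaces the manual `out <<` loop and gives the same escaping guarantees.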
0
votes
1 answer

Rail simple_form label_method with html

What I am making is a select where you can choose an icon that comes from font-awesome. At the moment I do it this way, but it does not work... it only shows blank options. Without html_safe the created tag is shown, but logically it is text only. The raw method…
austin
  • 5
  • 2
0
votes
1 answer

Rails 4 Formtastic action label escaping

Does anyone know how to add a glyphicon to a formtastic submit button label? It seems that no matter what I do, the string is always escaped The current snippet I have is: <%= f.action :submit, label: "
Dan Klassen
  • 116
  • 1
  • 6