How to make html code in erb tag not escaped - ruby-on-rails-3

I have some simple erb code in one of my views in a rails project.
<%= comment.body %>
I'd like the html tags in the comment.body to be preserved as they have formatting information. I've verified that the text is saved in the database properly like
<b>hello</b>
However, it turns out on the page to be <b>hello</b>, not hello as I expect.
How could this be? I'm not using <%= h to escape the HTML code.
How do I make it not escape? I'm using Rails 3. Does this matter?

You can also use sanitize.
<%= sanitize(comment.body) %>
sanitize will leave HTML code but escape JavaScript.

Rails 3 now automatically escapes your output.
To unescape the text and use the actual tags, use raw(...):
<%= raw(comment.body) %>
However, be careful with this, as it will allow any tags, including scripts (potentially malicious). A safer option might be to have users use markdown-formatted text or something similar, rather than allowing raw HTML tags.

Related

How to include an ejs with some parameters?

I have a file, let's say index.ejs which I render using express this way:
res.render('index.ejs', {
  projectName: req.params.name
});
Inside this ejs file, I include another file, let's say base.ejs.
I'm trying to pass the variable projectName to base.ejs.
I have tried the following approaches:
<%- include("path/to/base.ejs", {projectName: projectName})" %>
<%- include("path/to/base.ejs", {projectName: <%=projectName%>})" %>
<%- include("path/to/base.ejs", {projectName: '<%=projectName%>'})" %>
None of them seem to work.
This is a similar answer I found: "how to include a template with parameters in EJS?", but it doesn't seem to solve my problem.
You don't actually need to pass the variable to the include statement as you have been doing; just use the variable in your base.ejs file as follows:
<%= projectName %>
When using the include statement you can simply declare
<% include path/to/base %>

How to use br tag in haml?

I have been trying the <br> tag in HAML; very unfortunately, none of my code is working. How should we nest <br> in HAML?
%h1 Hello mate
%br/
where are you?
Your example (%br/) already seems to be correct.
Whether you get a self-closing tag (<br />) or a standalone tag (<br>) depends on whether your code is interpreted as HTML or as XHTML, so check which format you need. XHTML has problems with non-closing tags.
Look here for more info.
Edit: Adding the info from matt's comment. The problem is not the br tag, but the content of the h1 tag being on the same line as the tag as well as on the next line, while the whole content should be nested when the content is more than one line:
%h1
  Hello mate
  %br/
  where are you?

%h1
  Hello mate
  %br where are you

How to use <br /> in a placeholder on Rails 3?

I have a textarea which has Markdown support, and I would like to show a placeholder to show what sort of formatting Markdown likes, but putting <br /> in the placeholder shows <br /> in the text. I would prefer it to make a new line if this is possible.
I am using Rails 3, below is the code I am using:
<%= f.text_area :info, :placeholder => "if you want you can <br /> add a link by doing this: [text](http://link.com) it's pretty neat aye? or you could use bold by doing this: **bold text is cool**" %>
According to the specification, the placeholder attribute can't contain any line breaks or carriage returns.
As Logan says, though, you can find some hacks in the similar question here:
Can you have multiline HTML5 placeholder text in a <textarea>?
Here are some more related hacks for multiline placeholders; I followed the example in the answer below to do my workaround:
Insert line break inside placeholder attribute of a textarea?
For rails, I thought this was useful if you want a gem to deal with placeholders:
jquery-placeholder-rails.
However, you'll need the forked version of jQuery-placeholder that supports newline: jQuery-Placeholder-Newlines

tiny mce display tags in rails 3

I am trying to store the content of tinyMCE into the "detail" column.
Now when I display the content, it displays with all the <p> tags, <i> tags, etc.
This is a security feature in Rails 3.
But I don't want the <p> tags to be displayed; I want it to be rendered as HTML.
One way I found was <%= something.detail.html_safe %>
the other way I thought was to create a function in model like
def detail_safe
  return self.detail.html_safe
end
and display using <%= something.detail_safe %>
Either way, I need to change the <%= %> tag in many places. Is there an easier solution? Or should I manually change it at every place?
Thank you.
In the model:
def detail
  self[:detail].html_safe if self[:detail]
end
Please note that you will always get html_safe output in this case when you do model_object.detail.
No matter how you do it, you will have to change all of your <%= %>.
Your options are:
<%= something.detail_safe %>
<%= something.detail.html_safe %>
<%= raw something.detail %>
The only other option I can think of is turning off XSS protection - but don't do that!
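An added example, not code from the question or from either answer, that shows what the first answer's note ("you will always get html_safe output in this case") means in practice. Record, SafeString and the two Post classes are plain-Ruby stand-ins for an ActiveRecord model and Rails' SafeBuffer; the ScrubbingPost reader and its escape-then-restore allowlist are an assumption introduced here as the hardened counterpart, not something the thread proposes, and the stored value is constructed.

```ruby
require "cgi"

# Stand-in for ActiveSupport::SafeBuffer (not Rails' own class).
class SafeString < String
  def html_safe?
    true
  end
end

# Minimal ActiveRecord-like base: attributes live in a hash and are read
# with self[:name], which is what the answer's `def detail` override uses.
class Record
  def initialize(attrs = {})
    @attrs = attrs
  end

  def [](name)
    @attrs[name]
  end
end

# The answer's approach: the reader marks whatever is stored as html_safe,
# so every caller of .detail receives a trusted string, script tags included.
class TrustingPost < Record
  def detail
    SafeString.new(self[:detail]) if self[:detail]
  end
end

# Tags the hardened reader lets through, bare only (no attributes).
ALLOWED_TAGS = %w[p b i strong em ul ol li br].freeze

# Hardened variant (assumption, not from the thread): the reader still
# returns a safe-marked string, so views stay <%= something.detail %>, but
# only after an allowlist scrub. Simplified escape-then-restore sanitizer;
# Rails' sanitize helper uses a real HTML parser instead.
class ScrubbingPost < Record
  def detail
    return nil unless self[:detail]
    escaped = CGI.escapeHTML(self[:detail])
    pattern = %r{&lt;(/?)(#{ALLOWED_TAGS.join("|")})&gt;}i
    SafeString.new(escaped.gsub(pattern) { "<#{$1}#{$2.downcase}>" })
  end
end

# Constructed stored value: editor markup plus an injected script.
STORED_DETAIL = "<p>Intro</p><script>alert(1)</script>"

# Read the same stored value through both readers.
def compare_readers(stored = STORED_DETAIL)
  {
    trusting:  TrustingPost.new(detail: stored).detail,
    scrubbing: ScrubbingPost.new(detail: stored).detail
  }
end

if __FILE__ == $PROGRAM_NAME
  compare_readers.each { |name, value| puts "#{name}: #{value}" }
end
```

Both readers return a string that the <%= %> output step will not escape; the difference is what is inside it. With the trusting reader the trust decision is made once, in the model, for every view, API serializer or mailer that calls .detail, so a single stored script is emitted everywhere. The scrubbing reader keeps the convenience of not touching the views while moving the trust decision to an explicit allowlist.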

Disable HTML escaping in erb templates

In a Rails 3 application I have a domain class where one attribute stores pure HTML content (it's a blog app, the domain class is Post).
In the ERB templates, I need to display the content of the attribute as it was formatted, with the HTML tags in place. But Rails is escaping all HTML tags! How can I disable this behaviour for this class attribute?
Example:
somePost = Post.new
somePost.content = "<strong> Hi, i'm here! </strong>"
In the erb template:
<%= somePost.content %>
The HTML generated is escaped:
<strong> Hi, i'm here! </strong>
Try using raw(somePost.content). Alternatively, somePost.content.html_safe.
Use raw(string), as described in the release notes.
7.4.3 Other Changes
You no longer need to call h(string) to escape HTML output, it is on by default in all view templates. If you want the unescaped string, call raw(string).
Basically, where you did
<%=h #model.attr %>
before you can now use
<%= #model.attr %>
and where you did that before you can now use
<%=raw #model.attr %>
Using a double equals means the result is not escaped...
<%== somePost.content %>
See this SO question about it - What does <%== %> do in rails erb?