Disable HTML escaping in erb templates - ruby-on-rails-3

In a Rails 3 application I have a domain class where one attribute stores pure HTML content (it's a blog app, the domain class is Post).
In the ERB templates, I need to display the content of the attribute as it was formatted, with the HTML tags in place. But Rails is escaping all HTML tags! How can I disable this behaviour for this class attribute?
Example:
somePost = Post.new
somePost.content = "<strong> Hi, i'm here! </strong>"
In the erb template:
<%= somePost.content %>
The HTML generated is escaped:
<strong> Hi, i'm here! </strong>

Try using raw(somePost.content). Alternatively, somePost.content.html_safe.

Use raw(string), as described in the release notes.
7.4.3 Other Changes
You no longer need to call h(string) to escape HTML output, it is on by default in all view templates. If you want the unescaped string, call raw(string).
Basically, where you did
<%=h @model.attr %>
before you can now use
<%= @model.attr %>
and where you did that before you can now use
<%=raw @model.attr %>

Using a double equals means the result is not escaped...
<%== somePost.content %>
See this SO question about it - What does <%== %> do in rails erb?
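As an added illustration (not code from any of the posts above), here is a plain-Ruby model of the SafeBuffer mechanism the answers rely on: why <%= %> escapes, what raw and html_safe actually do, and why calling html_safe on a string that already contains visitor input marks it safe without cleaning it. The names ESCAPES, erb_output, demo and the sample strings are constructed for this example.

```ruby
# Stand-in for the ActiveSupport::SafeBuffer mechanism behind Rails 3's automatic
# escaping (constructed for this example; not Rails' own code).
ESCAPES = { "&" => "&amp;", "<" => "&lt;", ">" => "&gt;", '"' => "&quot;", "'" => "&#39;" }.freeze

def escape_html(value)
  value.to_s.gsub(/[&<>"']/, ESCAPES)
end

# A String carrying the "already safe HTML" flag. Appending a plain String
# escapes it first; appending another SafeBuffer does not.
class SafeBuffer < String
  def html_safe?; true; end

  def <<(other)
    safe = other.respond_to?(:html_safe?) && other.html_safe?
    super(safe ? other : escape_html(other))
  end

  def +(other); dup << other; end
end

class String
  def html_safe?; false; end
  # Marks the string as safe; it cleans nothing.
  def html_safe; SafeBuffer.new(self); end
end

# What <%= value %> does in Rails 3: escape unless the value is flagged safe.
def erb_output(value)
  value.respond_to?(:html_safe?) && value.html_safe? ? value.to_s : escape_html(value)
end

# raw(string) from the release-notes answer: flag the whole string as safe.
def raw(value)
  value.to_s.html_safe
end

# Constructed inputs: the post body from the question, and a body a visitor
# could submit if the blog also accepts comments.
TRUSTED_POST = "<strong> Hi, i'm here! </strong>"
VISITOR_BODY = "<script>alert(1)</script>"

def demo
  { escaped:  erb_output(TRUSTED_POST),        # tags shown literally (the question)
    raw_post: erb_output(raw(TRUSTED_POST)),   # tags rendered (the answers)
    flagged_after_concat: erb_output(("<p>" + VISITOR_BODY).html_safe), # script kept
    safe_then_append:     erb_output("<p>".html_safe + VISITOR_BODY) }  # script escaped
end
```

The last two entries of demo are the practical rule: build markup as a safe buffer and append untrusted strings to it, rather than flagging a finished string that already mixes both.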

Related

How to include an ejs with some parameters?

I have a file, let's say index.ejs which I render using express this way:
res.render('index.ejs', {
projectName: req.params.name
}
Inside this ejs file, I include another file, let's say base.ejs.
I'm trying to pass the variable projectName to base.ejs.
I have tried the following approaches:
<%- include("path/to/base.ejs", {projectName: projectName})" %>
<%- include("path/to/base.ejs", {projectName: <%=projectName%>})" %>
<%- include("path/to/base.ejs", {projectName: '<%=projectName%>'})" %>
None of them seem to work.
This is a similar answer I found, "how to include a template with parameters in EJS?", but it doesn't seem to solve my problem.
You don't actually need to pass the variable to the include statement as you have been doing, just use the variable in your base.ejs file as follows
<%= projectName %>
When using the include statement you can simply declare
<% include path/to/base %>

How to make a search results page with pg_search multisearch that has links to the results?

I finally figured out how to implement pg_search's multisearch feature. But I'm having trouble making a usable search results page that displays links back to the various articles and faqs that contain the search terms. It's a pretty basic setup using Rails 3.2.3:
Models:
I have an Articles and a Faqs model, both with "Title" and "Content" attributes, and this code in both models:
include PgSearch
multisearchable :against => [:title, :content]
Search Form View Code:
The search form passes everything to a controller called "results."
<%= form_tag result_index_path, method: :get do %>
<%= text_field_tag :query, params[:query] %>
<%= submit_tag "GO", name: nil %>
<% end %>
Results Controller:
class ResultController < ApplicationController
def index
@pg_search_documents = PgSearch.multisearch(params[:query])
end
end
I would like to make a search results page that displays the title of each result found, with a link back to that item. I figured out how to pull the 'class' attribute out of @pg_search_documents. My thinking is to do something like this on the results page:
<ul>
<% @pg_search_documents.each do |pg_search_document| %>
<li><%= link_to pg_search_document.searchable.title, "../#{pg_search_document.searchable.class}/#{pg_search_document.searchable.id}" %></li>
<% end %>
</ul>
An example link that this code yields is: http://localhost/Article/3. If I could figure out how to downcase and pluralize "pg_search_document.searchable.class", I'd be home free. I've tried writing various methods in the model and controller, and tried writing a helper. But this is where my Rails skills fail me.
Any suggestions? Anybody know of a more elegant way of accomplishing this? Any ideas / suggestions are very much appreciated.
I did something similar and just used
<%= link_to pg_search_document.searchable.title, pg_search_document.searchable %>
to let Rails dynamically create the path to the associated record.
Well, it's amazing what walking away from the problem for a little while does. That, and more persistent Googling on basic Ruby. Here's the solution I came up with:
<ul>
<% @pg_search_documents.each do |pg_search_document| %>
<li><%= link_to pg_search_document.searchable.title, "../#{pg_search_document.searchable.class.to_s.downcase.pluralize}/#{pg_search_document.searchable.id}" %></li>
<% end %>
</ul>
Still, this seems ugly to me. I'd still be very interested to see something more streamlined and intelligent.

Rails3 form_for hidden_field undefined method 'merge'

My attempt to place a hidden_field within a form_for is crashing within cucumber on an ActionView helper error. Something also about FixNum which escapes me since I haven't dug through the source code. My prices_controller shows this:
@price = Price.new
@commodity = Commodity.find(params[:id])
I want to make the link between price and commodity with this hidden_field:
<%= form_for @price, :url => prices_path do |f| %>
<% f.hidden_field :commodity_id, @commodity.id %>
.
.
<div class="actions">
<%= f.submit "Submit" %>
</div>
Looked at the form_for API and the above should work. Reading other replies on Stack Overflow, I have put the hidden_field in its own div within the form, added a hidden_field_tag, and placed it within the actions div before the submit line. Looking at the merge msg, I guess it doesn't like something about the line, but it appears OK to me. The commodity_id field is the match field, sam
If you could paste the error message itself, and the relevant lines of the trace, it could help us. Right now, the only thing I see is that the ERB tag before f.hidden_field should be <%=, and I'm not sure about it since I don't use ERB. For what it's worth, merge is usually used with Hash objects. Maybe it can point you in the right direction
EDIT Ok I get it. You have to write f.hidden_field :commodity_id, :value => @commodity.id.

How to make html code in erb tag not escaped

I have some simple erb code in one of my views in a rails project.
<%= comment.body %>
I'd like the html tags in the comment.body to be preserved as they have formatting information. I've verified that the text is saved in the database properly like
<b>hello</b>
However it turns out on the page to be <b>hello</b> not hello as I expect.
How could this be? I'm not using <%= h to escape the html code.
How do I make it not escaping? I'm using rails 3. Does this matter?
You can also use sanitize.
<%= sanitize(comment.body) %>
sanitize will leave html code but escape javascript.
Rails 3 now automatically escapes your output.
To unescape the text and use the actual tags, use raw(...):
<%= raw(comment.body) %>
However, be careful with this, as it will allow any tags, including scripts (potentially malicious). A safer option might be to have users use markdown-formatted text or something similar, rather than allowing raw HTML tags.

tiny mce display tags in rails 3

I am trying to store content of tinyMCE into the "detail" column.
Now when I display the content it displays with all the <p> tags, <i> tags, etc.
This is a security feature in Rails 3.
But I don't want the <p> tags to be displayed , I want it to be rendered as HTML.
One way I found was <%= something.detail.html_safe %>
the other way I thought was to create a function in model like
def detail_safe
return self.detail.html_safe
end
and display using <%= something.detail_safe %>
Either way I need to change the <%= %> tag at many places. Is there an easier solution? Or should I manually change at every place?
Thank you.
In the model:
def detail
self[:detail].html_safe if self[:detail]
end
Please note that you will always get html_safe output in this case when you do model_object.detail.
No matter how you do it, you will have to change all of your <%= %>.
Your options are:
<%= something.detail_safe %>
<%= something.detail.html_safe %>
<%= raw something.detail %>
The only other option I can think of is turning off XSS protection - but don't do that!