Rob Park
2005-Mar-12 03:22 UTC
Alternative to 'h' method for sanitizing data from the database?
The 'h' method for sanitizing HTML is nice and all, but I'm in a situation where I need the database to be able to have some kind of limited markup, perhaps like UBB code or the markup that's used in the rails wiki. How is that done? It seems like a common problem and I'm hoping to avoid writing my own markup parsing code; I was just wondering if there are any libraries out there that already do this.

Also, how do I make rails' 404 pages be rendered using my application.rhtml layout? That'd be really nice.

Please & thanks.

-- 
One Guy With A Camera
http://rbpark.ath.cx
Steve Sloan
2005-Mar-12 05:47 UTC
Re: Alternative to 'h' method for sanitizing data from the database?
Rob Park wrote:
> The 'h' method for sanitizing HTML is nice and all, but I'm in a
> situation where I need the database to be able to have some kind of
> limited markup, perhaps like UBB code or the markup that's used in the
> rails wiki.

Check out textile -- http://www.hobix.com/textile/ -- a very nice text-markup language.

-- Steve
Tim Lucas
2005-Mar-12 06:36 UTC
Re: Alternative to 'h' method for sanitizing data from the database?
...and not to mention rails has it built-in:
http://rails.rubyonrails.com/classes/ActionView/Helpers/TextHelper.html#M000325

You'll need to install the RedCloth gem to use it.

- tim lucas

On 12/03/2005, at 4:47 PM, Steve Sloan wrote:
> Rob Park wrote:
>> The 'h' method for sanitizing HTML is nice and all, but I'm in a
>> situation where I need the database to be able to have some kind of
>> limited markup, perhaps like UBB code or the markup that's used in the
>> rails wiki.
>
> Check out textile -- http://www.hobix.com/textile/ -- a very nice
> text-markup language.
>
> -- Steve
Rob Park
2005-Mar-12 10:26 UTC
Re: Alternative to 'h' method for sanitizing data from the database?
On Sat, 12 Mar 2005 17:36:49 +1100, Tim Lucas <t.lucas-l/qNJNvq70OzaBltdDZI6w@public.gmane.org> wrote:
> ...and not to mention rails has it built-in:
> http://rails.rubyonrails.com/classes/ActionView/Helpers/TextHelper.html#M000325
>
> You'll need to install the RedCloth gem to use it.

Thanks, RedCloth looks pretty slick, I like it already. Looks like textilize doesn't actually escape HTML stuff, though, so would it be safe to do something like this?

<%=textilize h @some_string %>

Or would that throw textilize for a loop?

Oh, and is there a way to limit textilize to only certain tags? Like, I want to disable most of textilize so that only a very limited number of things can be done with it (think slashdot; they let you use a handful of HTML tags in your posts, but things like tables are disabled).

-- 
One Guy With A Camera
http://rbpark.ath.cx
Rob Park
2005-Mar-13 02:39 UTC
Re: Alternative to 'h' method for sanitizing data from the database?
On Sat, 12 Mar 2005 03:26:43 -0700, Rob Park <rbpark-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> <%=textilize h @some_string %>
>
> Or would that throw textilize for a loop?

Yeah, the 'h' breaks some of the markup that textilize would otherwise use. For example, the textile code for making a link is:

"foobar":http://example.com/

However, if passed through the 'h' method, this becomes:

&quot;foobar&quot;:http://example.com/

So that breaks. I haven't tested if anything else breaks, but that breaks.

Basically, the only markup I need is for images, links, and a few basic formatting things like bold or italic. I'd like to have all HTML disabled, only limited markup. Textile is great markup, but textilize doesn't sanitize my html like 'h' does, and 'h' breaks some of the textile markup, so they are not compatible. Is there any way to do what I want to do without resorting to writing my own markup language interpreter?

-- 
One Guy With A Camera
http://rbpark.ath.cx
Tim Lucas
2005-Mar-13 03:53 UTC
Re: Alternative to 'h' method for sanitizing data from the database?
On 13/03/2005, at 1:39 PM, Rob Park wrote:
> Is there any way to do what I want to do without resorting to writing
> my own markup language interpreter?

...it's not like you have to go define your own markup in EBNF. Why not just escape all angle brackets, and pump the rest through textilize?

If the textilize convenience function isn't convenient enough for your needs you can always use RedCloth directly. The documentation for RedCloth shows a clean_html function, which sounds like it does exactly what you're looking for.

- tim lucas
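The escape-first-then-render approach suggested above, as an added example that is not from the thread and not RedCloth's code: angle brackets and ampersands are escaped before any markup is interpreted (double quotes are left alone so the textile link syntax survives), and only the handful of constructs Rob asked for are rendered. The tiny textile subset and the URL-scheme allowlist are this example's own assumptions, standing in for RedCloth.

```ruby
# Escape only &, < and > (not quotes), so raw HTML in the input is neutralised
# but textile's "label":url link syntax, which needs double quotes, survives.
def escape_angle_brackets(text)
  text.gsub('&', '&amp;').gsub('<', '&lt;').gsub('>', '&gt;')
end

# Assumption of this example: only http(s) and site-relative URLs are allowed
# in links and images, so other schemes are rendered as plain text.
SAFE_URL = %r{\A(?:https?://|/)}i

def safe_url?(url)
  SAFE_URL.match?(url)
end

# Hypothetical stand-in for RedCloth limited to bold, italic, link and image.
# Everything else stays as the escaped text produced above.
def render_limited_textile(raw)
  html = escape_angle_brackets(raw)
  # "label":url -> link. The URL may not contain quotes or whitespace, and
  # < > & are already escaped, so it can sit inside the href attribute.
  html = html.gsub(/"([^"]+)":([^"\s]+)/) do
    label, url = Regexp.last_match(1), Regexp.last_match(2)
    safe_url?(url) ? %(<a href="#{url}">#{label}</a>) : "#{label} (#{url})"
  end
  # !url! -> image, same URL rule.
  html = html.gsub(/!([^!\s]+)!/) do
    url = Regexp.last_match(1)
    safe_url?(url) ? %(<img src="#{url}">) : url
  end
  # *bold* and _italic_; underscores inside words (e.g. in URLs) are ignored.
  html = html.gsub(/\*(\S(?:.*?\S)?)\*/, '<b>\1</b>')
  html.gsub(/(?<!\w)_(\S(?:.*?\S)?)_(?!\w)/, '<i>\1</i>')
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input mixing allowed markup with raw HTML.
  puts render_limited_textile(%(Hi *there*, see "docs":http://example.com/ <script>alert(1)</script>))
end
```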