Hi all, I am trying to add an article editing interface to my future webstore, and I am wondering what to use for text formatting. I would like to avoid using HTML, and calibre-bbcode just won''t work (see my last post). Is there some kind of library for live text formatting right in the browser? I would just need bold, italics, size and ul lists... Do you know of a good solution? Thank you very much Nauhaie -- Posted via http://www.ruby-forum.com/.
In fact, what I would like is a ROR equivalent for http://www.kevinroth.com/rte/demo.php Thank you! Nauhaie -- Posted via http://www.ruby-forum.com/.
User TinyMCE. I''ve implemented it with a helper function in most of my applications: 1) Download TinyMCE from the the website and stick the .js files in the javascript directoy. 2) Include this in your application_helper.rb # # TinyMCE Helpers # def javascript_include_tinymce javascript_include_tag "tiny_mce/tiny_mce" end def include_tiny_mce "#{javascript_include_tinymce}"+ ''<script language="javascript" type="text/javascript"> tinyMCE.init({ mode : "textareas", theme : "advanced", plugins : "advhr,advimage,advlink,preview,searchreplace,print", theme_advanced_buttons2_add : "separator,insertdate,inserttime,prev theme_advanced_buttons3_add_before : "tablecontrols,separator", theme_advanced_toolbar_location : "top", theme_advanced_toolbar_align : "left", theme_advanced_path_location : "bottom", plugin_insertdate_dateFormat : "%Y-%m-%d", plugin_insertdate_timeFormat : "%H:%M:%S", extended_valid_elements : "a[name|href|target|title|onclick],img[cl external_link_list_url : "example_data/example_link_list.js", external_image_list_url : "example_data/example_image_list.js", flash_external_list_url : "example_data/example_flash_list.js" }); </script>'' end 3) Use "include_tiny_mce" function in your .rhtml file, and bam. You can change the functionallity on the TinyMCE by changing "theme_advanced" properties in the helper above. Chris Nauhaie wrote:> In fact, what I would like is a ROR equivalent for > http://www.kevinroth.com/rte/demo.php > > Thank you! > Nauhaie-- Posted via http://www.ruby-forum.com/.
Wow, that''s cool! I am going to use this I think! Thanks a lot! One more question: is tinyMCE safe for letting users post comments? I mean, is the output correctly cleared of cross-site-scripting vulnerabilities? Nauhaie -- Posted via http://www.ruby-forum.com/.
It''s your application''s job to ensure form data is sanitized before anything important is done with it. Even if TinyMCE or something like it returned scrubbed HTML, it can''t do anything to stop a malicious user from bypassing your form and passing bad data to your app. This is not a Rails thing. It''s a basic rule of web development. Nauhaie wrote:> Wow, that''s cool! > > I am going to use this I think! Thanks a lot! > > One more question: is tinyMCE safe for letting users post comments? I > mean, is the output correctly cleared of cross-site-scripting > vulnerabilities? > > Nauhaie-- Posted via http://www.ruby-forum.com/.
Steve Koppelman wrote:> It''s your application''s job to ensure form data is sanitized before > anything important is done with it. Even if TinyMCE or something like it > returned scrubbed HTML, it can''t do anything to stop a malicious user > from bypassing your form and passing bad data to your app.So, correct me if I am wrong: for it is almost impossible to sanitize HTML, I think I had better use Textile or Markdown for user reviews, and restrict TinyMCE for the body of the articles (modified by trusted admins)... Thank you for your help! -- Posted via http://www.ruby-forum.com/.
rails do have a sanitize(html) helper which "should" do the trick .. i haven''t used it but if it works as advertized you could just use that to sanitize anything comming from untrusted users. see http://rubyonrails.com/rails/classes/ActionView/Helpers/TextHelper.html#M000516 On 5/1/06, Nauhaie <noe.cuneo@laposte.net> wrote:> > Steve Koppelman wrote: > > It''s your application''s job to ensure form data is sanitized before > > anything important is done with it. Even if TinyMCE or something like it > > returned scrubbed HTML, it can''t do anything to stop a malicious user > > from bypassing your form and passing bad data to your app. > > So, correct me if I am wrong: for it is almost impossible to sanitize > HTML, I think I had better use Textile or Markdown for user reviews, and > restrict TinyMCE for the body of the articles (modified by trusted > admins)... > > Thank you for your help! > > -- > Posted via http://www.ruby-forum.com/. > _______________________________________________ > Rails mailing list > Rails@lists.rubyonrails.org > http://lists.rubyonrails.org/mailman/listinfo/rails >-------------- next part -------------- An HTML attachment was scrubbed... URL: http://wrath.rubyonrails.org/pipermail/rails/attachments/20060501/2d62fc04/attachment.html
Textile and Markdown pertain to output. TinyMCE is an inline editor that pertains to input. In general, it is no more or less safe than a regular textarea. Use whatever you want, but just make sure that when you output user-supplied HTML to the browser that it has been cleaned at some point. Look at the sanitize() method in Rails. Plenty of web applications use inline WYSIWYG HTML editors safely. You just have to make sure that yours does, too. Nauhaie wrote:> Steve Koppelman wrote: >> It''s your application''s job to ensure form data is sanitized before >> anything important is done with it. Even if TinyMCE or something like it >> returned scrubbed HTML, it can''t do anything to stop a malicious user >> from bypassing your form and passing bad data to your app. > > So, correct me if I am wrong: for it is almost impossible to sanitize > HTML, I think I had better use Textile or Markdown for user reviews, and > restrict TinyMCE for the body of the articles (modified by trusted > admins)... > > Thank you for your help!-- Posted via http://www.ruby-forum.com/.