Hi, I was trying something to upload using a textarea whose data will be shown as HTML using the sanitize method. Everything is OK about scripts, but when I tried <!-- comment --> it escaped the <. Why this? Is it a bug of sanitize? I knew that an HTML comment is just a comment, so why escape it? And if it isn't a bug, is it possible to not escape the <? Or is it safer to escape it? Why?

Thanks
--
Posted via http://www.ruby-forum.com/.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
Mix Mix wrote:
> Hi, I was trying something to upload using a textarea whose data
> will be shown as HTML using the sanitize method.
> Everything is OK about scripts, but when I tried <!-- comment --> it
> escaped the <.
> Why this? Is it a bug of sanitize? I knew that an HTML comment is just
> a comment, so why escape it? And if it isn't a bug, is it possible to
> not escape the <? Or is it safer to escape it? Why?

sanitize doesn't know about HTML semantics or tags. It just knows about HTML characters, and so it happily goes about encoding your less-than sign.

It's proper behavior too, because you generally don't want people to embed hidden HTML. You want to output everything they put into that textarea.

--
Roderick van Domburg
http://www.nedforce.com
Roderick van Domburg wrote:
> sanitize doesn't know about HTML semantics or tags. It just knows about
> HTML characters, and so it happily goes about encoding your less-than
> sign.
>
> It's proper behavior too, because you generally don't want people to
> embed hidden HTML. You want to output everything they put into that
> textarea.
>
> --
> Roderick van Domburg
> http://www.nedforce.com

Mmm... OK, and what if I want to hide those comments? Is it possible to add to sanitize a rule to skip them?
In the API there is this: "You can modify what gets sanitized by defining VERBOTEN_TAGS and VERBOTEN_ATTRS before this Module is loaded."
And nothing else...
Mix Mix wrote:
> Roderick van Domburg wrote:
>> sanitize doesn't know about HTML semantics or tags. It just knows about
>> HTML characters, and so it happily goes about encoding your less-than
>> sign.
>>
>> It's proper behavior too, because you generally don't want people to
>> embed hidden HTML. You want to output everything they put into that
>> textarea.
>
> Mmm... OK, and what if I want to hide those comments? Is it possible to
> add to sanitize a rule to skip them?
> In the API there is this: "You can modify what gets sanitized by defining
> VERBOTEN_TAGS and VERBOTEN_ATTRS before this Module is loaded."
> And nothing else...

No, sanitize can't do that for you. You'd need to write a custom sanitizer, splitting the input, keeping your comments, and sanitizing the rest, possibly using Rails' default sanitizer.

--
Roderick van Domburg
http://www.nedforce.com
Roderick van Domburg wrote:
>
> No, sanitize can't do that for you. You'd need to write a custom
> sanitizer, splitting the input, keeping your comments, and sanitizing
> the rest, possibly using Rails' default sanitizer.
>
> --
> Roderick van Domburg
> http://www.nedforce.com

Mmm... OK, so I think that it's better to do something directly in the model, like

  # strip HTML comments from the text before it is saved
  def before_save
    self.text = self.text.gsub(/<!--(.|\s)*?-->/, '')
  end

It should work... :)
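A self-contained version of the approach discussed in the last two messages (strip the comments yourself, then let the rest be escaped), added here as an example and not code from the thread or from Rails. It stands in for the model callback with plain Ruby: the function names and sample inputs are my own, and CGI.escapeHTML plays the role of the escaping step.

```ruby
require 'cgi'

# Matches an HTML comment. The /m flag lets "." match newlines, so comments
# spanning several lines are caught (the same effect as the "(.|\s)*?" idiom
# in the thread). The lazy "*?" stops at the first terminator. Browsers also
# treat "--!>" as closing a comment, so it is accepted as a terminator too;
# otherwise a comment closed that way would swallow text up to the next "-->".
HTML_COMMENT = /<!--.*?(?:-->|--!>)/m

# Remove every HTML comment from user-supplied text.
def strip_html_comments(text)
  text.gsub(HTML_COMMENT, '')
end

# Strip comments first, then escape whatever is left. An unterminated "<!--"
# has no match, so it survives into escaping and renders as literal text
# instead of hiding the rest of the page.
def render_user_text(text)
  CGI.escapeHTML(strip_html_comments(text))
end

# Constructed sample inputs (not taken from the thread).
SAMPLES = {
  'single line'  => "hello <!-- note --> world",
  'multi line'   => "a <!-- line1\nline2 --> b",
  'markup'       => "<b>bold</b> <!-- hidden -->",
  'unterminated' => "x <!-- never closed",
  'bang close'   => "p <!-- c --!> q",
}

if __FILE__ == $0
  SAMPLES.each do |name, input|
    puts "#{name}: #{render_user_text(input).inspect}"
  end
end
```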