I installed Redcloth into my app so that it could use Textile. However, it seems that textilize (the function used to parse the Textile stuff) and h aren't compatible. If I do <%= textilize h @mymessage %> it doesn't work. If I take out the h it works but then I leave myself open to XSS. Is there a way to get around this? Essentially I was trying to allow users to do basic HTML functions and weed out javascript.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
h(textilize(@mymessage))

-----
Ryan Bigg
Freelancer
http://frozenplague.net

On 12/01/2009, at 2:50 PM, Mike C wrote:

> I installed Redcloth into my app so that it could use Textile.
> However, it seems that textilize (the function used to parse the
> Textile stuff) and h aren't compatible. If I do <%= textilize h
> @mymessage %> it doesn't work. If I take out the h it works but then I
> leave myself open to XSS. Is there a way to get around this?
> Essentially I was trying to allow users to do basic HTML functions and
> weed out javascript.
That doesn't work since textilize parses it into html and then h will, of course, take those away. Anyways I found a solution to my problem. It seems that you shouldn't use textilize but just use RedCloth.new(message, [:filter_html])

On Jan 11, 8:59 pm, Ryan Bigg <radarliste...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:

> h(textilize(@mymessage))
> -----
> Ryan Bigg
> Freelancer
> http://frozenplague.net
>
> On 12/01/2009, at 2:50 PM, Mike C wrote:
>
> > I installed Redcloth into my app so that it could use Textile.
> > However, it seems that textilize (the function used to parse the
> > Textile stuff) and h aren't compatible. If I do <%= textilize h
> > @mymessage %> it doesn't work. If I take out the h it works but then I
> > leave myself open to XSS. Is there a way to get around this?
> > Essentially I was trying to allow users to do basic HTML functions and
> > weed out javascript.
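The ordering problem the thread runs into, as an added Ruby example that is not part of the thread and does not use RedCloth: `textile_to_html` is a toy stand-in for a Textile converter (assumption: only `*strong*` and `_em_`), `h` stands in for Rails' helper via CGI.escapeHTML (assumption), and `render_filtered` shows the escape-the-input-first ordering that a filter_html-style option applies inside the converter.

```ruby
require 'cgi'

# Toy stand-in for a Textile converter: handles only *strong* and _em_
# (assumption). Anything else, including raw HTML typed by the user,
# passes through untouched, just as a markup converter does unless it
# is told to filter HTML.
def textile_to_html(text)
  text.gsub(/\*(.+?)\*/, '<strong>\1</strong>')
      .gsub(/_(.+?)_/, '<em>\1</em>')
end

# Stand-in for Rails' h helper (assumption: escapes &, <, >, quotes).
def h(text)
  CGI.escapeHTML(text)
end

# 1. No escaping at all: a user-supplied <script> reaches the page (XSS).
def render_unsafe(msg)
  textile_to_html(msg)
end

# 2. Escape after conversion (h(textilize(msg))): the converter's own
#    <strong> tags are escaped as well, so the markup shows up as literal
#    text. This is the "h takes those away" behaviour from the thread.
def render_double_escaped(msg)
  h(textile_to_html(msg))
end

# 3. Escape the raw HTML in the *input*, then generate markup: the
#    converter's tags survive, the user's tags are neutralised. Real
#    Textile constructs that rely on quotes or angle brackets need the
#    converter itself to do this step, which is what :filter_html is for.
def render_filtered(msg)
  textile_to_html(h(msg))
end

if __FILE__ == $0
  msg = '*hello* <script>evil()</script>' # constructed sample input
  puts render_unsafe(msg)
  puts render_double_escaped(msg)
  puts render_filtered(msg)
end
```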