I have the following code:

<%= link_to(image_tag(...)) %>

The problem is that Rails sanitizes the images so it gets rendered as:

<img src=... />

I could use html_safe, but that's painful and makes my code less readable. In Rails 2 I could declare a whitelist such as:

config.action_view.sanitized_allowed_tags = 'a', 'blockquote', 'img', ...

But it doesn't seem to work anymore. Did I miss anything in the transition from Rails 2 to 3?

-- Posted via http://www.ruby-forum.com/.

-- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
Agile Web development With Rails 3 p.91 awkwardly addresses the issue by using strip_tags() and skipping the explanation about how to let safe tags through.
> The problem is that Rails sanitizes the images so it gets rendered as:
>
> <img src=... />
>
> I could use html_safe, but that's painful and makes my code less
> readable.

I do not have an actual solution for you but maybe these links are helpful:

http://blog.plataformatec.com.br/tag/sanitize/
http://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html
Oh ok! I did not understand that now I had to use sanitize to kick the whitelist in. Thanks.
Xavier Noria
2011-Feb-14 07:52 UTC
Re: Re: [Rails3] Whitelist Rails 3 aggressive sanitizer
I don't understand the question. In Rails 3 link_to does NOT escape the HTML produced by image_tag, because the strings returned by these builtin helpers are marked as html_safe:

∵ cat app/controllers/test_controller.rb
class TestController < ApplicationController
  def index
    render :inline => '<%= link_to image_tag("foo") %>'
  end
end

∵ curl http://localhost:3000/test
<a href="/test"><img alt="Foo" src="/images/foo" /></a>

Why is your application escaping the image tag?
Fernando Perez
2011-Feb-14 08:37 UTC
Re: Re: [Rails3] Whitelist Rails 3 aggressive sanitizer
> Why is your application escaping the image tag?

Because I do something such as:

<%= link_to "#{image_tag('cart.png')} Cart", cart_url %>

So really the image_tag is inside a string, hence its sanitization.
Xavier Noria
2011-Feb-14 08:55 UTC
Re: Re: Re: [Rails3] Whitelist Rails 3 aggressive sanitizer
On Mon, Feb 14, 2011 at 9:37 AM, Fernando Perez <lists-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org> wrote:

>> Why is your application escaping the image tag?
>
> Because I do something such as:
>
> <%= link_to "#{image_tag('cart.png')} Cart", cart_url %>
>
> So really the image_tag is inside a string, hence its sanitization.

I see. I would write a helper link_to_cart whose implementation uses the raw helper. That's the standard way to address this in Rails 3.
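A stand-alone Ruby model of why the interpolated version in the thread gets escaped and how the suggested link_to_cart helper behaves with and without raw. This is an added example, not code from the thread or from Rails itself: the String/SafeBuffer patch and the h, image_tag, link_to, raw and safe_join methods below are small imitations of the Rails 3 helpers of the same name (safe_join imitates the helper later Rails versions ship), CART_URL and the cart_link_*/link_to_cart* method names are assumptions, and the `<script>` label is a constructed sample input. It shows the caveat behind the raw advice: raw is fine while every interpolated piece is helper output or a literal, but it also trusts anything user-controlled inside the string, whereas appending to a SafeBuffer (or a safe_join-style helper) keeps the <img> and still escapes the label.

```ruby
require 'erb'

# Imitation of Rails 3 output escaping (not Rails' own code). A plain String is
# untrusted; a SafeBuffer is trusted HTML that escapes any untrusted value
# appended to it. Interpolating a SafeBuffer into "..." calls to_s and yields a
# plain String, which is why "#{image_tag(...)} Cart" is escaped by link_to.
class String
  def html_safe?
    false
  end

  def html_safe
    SafeBuffer.new(self)
  end
end

class SafeBuffer < String
  def html_safe?
    true
  end

  # Appending escapes the argument unless it is already marked safe.
  def <<(other)
    safe = other.respond_to?(:html_safe?) && other.html_safe?
    super(safe ? other.to_s : ERB::Util.html_escape(other.to_s))
  end
  alias_method :concat, :<<

  def +(other)
    dup << other
  end
end

# Escape unless already safe; the result is marked safe, as Rails' h does.
def h(text)
  return text if text.respond_to?(:html_safe?) && text.html_safe?
  ERB::Util.html_escape(text.to_s).html_safe
end

# Imitates Rails 3 image_tag("cart.png") => <img alt="Cart" src="/images/cart.png" />
def image_tag(source)
  alt = File.basename(source, '.*').capitalize
  %(<img alt="#{h(alt)}" src="/images/#{h(source)}" />).html_safe
end

# Imitates link_to(body, url): the body is escaped unless it is html_safe.
def link_to(body, url)
  out = SafeBuffer.new(%(<a href="#{h(url)}">))
  out << body
  out << '</a>'.html_safe
end

# raw trusts its argument wholesale, user-supplied parts included.
def raw(string)
  string.to_s.html_safe
end

# Joins parts with a separator, escaping each untrusted part.
def safe_join(parts, separator = ' ')
  out = SafeBuffer.new
  parts.each_with_index do |part, i|
    out << h(separator) unless i.zero?
    out << part
  end
  out
end

CART_URL = '/cart' # assumed route standing in for cart_url

# The original post's version: interpolation yields a plain String, so
# link_to escapes the whole body, <img> included.
def cart_link_interpolated
  link_to("#{image_tag('cart.png')} Cart", CART_URL)
end

# Concatenation instead of interpolation: SafeBuffer#+ escapes only the
# appended String, so the <img> survives without raw.
def cart_link_concat
  link_to(image_tag('cart.png') + ' Cart', CART_URL)
end

# Hypothetical link_to_cart built with raw, as suggested in the thread. Correct
# while every interpolated piece is helper output or a literal; a label taken
# from user input passes through unescaped.
def link_to_cart_raw(label = 'Cart')
  link_to(raw("#{image_tag('cart.png')} #{label}"), CART_URL)
end

# Same helper without raw: SafeBuffer appends keep the <img> and still escape
# the label, so an attacker-controlled label cannot add markup.
def link_to_cart(label = 'Cart')
  link_to(safe_join([image_tag('cart.png'), label]), CART_URL)
end

if __FILE__ == $0
  puts cart_link_interpolated
  puts cart_link_concat
  puts link_to_cart_raw('<script>alert(1)</script>') # constructed payload, leaks through raw
  puts link_to_cart('<script>alert(1)</script>')     # same payload, escaped
end
```

Running the file prints the four variants side by side; the only one that emits the constructed `<script>` payload unchanged is the raw helper, because raw marks the whole interpolated string trusted, label included.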