html-safe

Rails3 CSV putting "" instead of actual quotes

狂风中的少年 submitted on 2020-01-03 15:34:14
Question: Similar to this question except I don't use html_safe anywhere in the whole project. I generate a CSV file in index.csv.erb like this: <%= response.content_type = 'application/octet-stream' CSV.generate do |csv| @persons.each do |person| csv << [ person[:name], person[:nickname] ] end end %> PROBLEM: If nickname is NULL in the database (ActiveRecord/MySQL) then the associated element in the CSV file becomes "" . I would expect "" , or even nothing at all. Result file sample: Nicolas, Nico Joe, ""

best_in_place and html_safe

家住魔仙堡 submitted on 2019-12-24 11:58:04
Question: I'm using the best_in_place gem in my rails app to allow for inline editing. I'm running into issues with trying to render some text html safe. Without specifying that the text should be made html_safe, this is what it looks like on the page: I looked at the best_in_place documentation and tried adding the following lines to render the text html safe: <div id="projectOverviewDescription"> <p> <%= best_in_place @project.overview, :description, :path => project_step_path(@project, @project

Is <span style=…> safe for sanitize?

对着背影说爱祢 submitted on 2019-12-21 05:04:29
Question: I am using a rich text editor (CKEditor) and I have the opportunity to let users create profiles that are displayed to other users. Many of the attributes CKEditor can control are being lost when I display them as: <%= sanitize(profile.body) %> My question is: is it safe to allow the attribute 'style' to be parsed? This would allow things like text color, size, background color, centering, indenting, etc. to be displayed. I just want to be sure it won't allow a hacker access to something I

Messy &quot returned from Rails 3 controller to view

我的未来我决定 submitted on 2019-12-06 12:13:20
Question: On my Rails 3 app controller I have the following code: array = [] Location.all.each{|x|array<<x.city.html_safe} @data_dump = array In the Rails console it looks nice and clean: ["Littelside", "Tessmouth"] In my view the @data_dump object gets encoded: [&quot;Littelside&quot;, &quot;Tessmouth&quot;] How do you clean this mess up? I want my object in view, to return as the object does in terminal. Thanks in advance! Answer 1: What about: <%=raw @data_dump %> Source: https://stackoverflow.com/questions/6131347/messy-quot

Parsing newline characters in textareas without allowing all html tags

荒凉一梦 submitted on 2019-12-05 00:14:14
Question: I have a textarea field where users can enter content. When it comes to displaying their entry on a page, rails returns \n for each line break, which appears as no break at all for html on the page. From what I gather, the standard way of getting around this is a .gsub command, replacing \n with <br /> , and then a .html_safe on the end to ensure the <br /> renders. The problem is, I don't want to html_safe the content - html should still be replaced, but <br /> tags should be injected into

Forcing HTML Escaping in Rails 3

…衆ロ難τιáo~ submitted on 2019-12-04 17:49:32
Question: I'm running into an issue with the rails auto-escaping. It currently thinks a string is html_safe (which it is), but for display purposes I need it to still escape the html. Here are the steps the string is taking. my_string = render(:partial => "set_string", :locals => {:item => @item}) <%= my_string %> and the partial is basically <h2>Page Header</h2> <strong><%= item.name %></strong> <%= item.body %> etc My understanding is that because I'm displaying text in a view directly (the h2, etc) it

Messy &quot returned from Rails 3 controller to view

旧街凉风 submitted on 2019-12-04 16:07:18
On my Rails 3 app controller I have the following code: array = [] Location.all.each{|x|array<<x.city.html_safe} @data_dump = array In the Rails console it looks nice and clean: ["Littelside", "Tessmouth"] In my view the @data_dump object gets encoded: [&quot;Littelside&quot;, &quot;Tessmouth&quot;] How do you clean this mess up? I want my object in view, to return as the object does in terminal. Thanks in advance! Answer 1: What about: <%=raw @data_dump %> Source: https://stackoverflow.com/questions/6131347/messy-quot-returned-from-rails-3-controller-to-view

Is <span style=…> safe for sanitize?

不问归期 submitted on 2019-12-03 16:16:17
I am using a rich text editor (CKEditor) and I have the opportunity to let users create profiles that are displayed to other users. Many of the attributes CKEditor can control are being lost when I display them as: <%= sanitize(profile.body) %> My question is: is it safe to allow the attribute 'style' to be parsed? This would allow things like text color, size, background color, centering, indenting, etc. to be displayed. I just want to be sure it won't allow a hacker access to something I don't know about! Answer 1: is it safe to allow the attribute 'style' to be parsed? No. background-image: url

Forcing HTML Escaping in Rails 3

拈花ヽ惹草 submitted on 2019-12-03 11:58:21
I'm running into an issue with the rails auto-escaping. It currently thinks a string is html_safe (which it is), but for display purposes I need it to still escape the html. Here are the steps the string is taking. my_string = render(:partial => "set_string", :locals => {:item => @item}) <%= my_string %> and the partial is basically <h2>Page Header</h2> <strong><%= item.name %></strong> <%= item.body %> etc My understanding is that because I'm displaying text in a view directly (the h2, etc) it assumes it is safe, and it also properly escapes the item outputs, which makes the whole my_string

Rails 3 Submit Tag + html_safe

天涯浪子 submitted on 2019-12-02 00:32:46
Question: What's wrong with this line of code? <%= submit_tag "Delete <i class='icon-check'></i>".html_safe, :disable_with => "Deleting", :class => "btn btn-danger"%> This literally produces: Evidently my html_safe call isn't doing anything. Background: I'm using Twitter Bootstrap as well as Font Awesome and I'm essentially trying to achieve a submit button with an icon inside of it. Answer 1: To extend on Lukas' answer I needed a button tag rather than an input. This code produced the effect I was looking