tinymce output and rails

Skip to first unread message

Alan S

Feb 11, 2010, 1:25:17 AM2/11/10
to tinymce_hammer
I am new to rails and new to tinymce. I have been able to successfully
install tinymce_hammer on rails-2.3.5 and everything seems to be
working fine. I am now playing around with configurations. My question
is if there is some option I can set so that rails displays the output
from tinymce as html rather than escaping it out as literals so that
the tags are visible in the browser? Thanks!

Trevor Rowe

Feb 11, 2010, 10:59:22 AM2/11/10
to tinymce...@googlegroups.com
By default (for not at least) Rails does not auto escape content (there is discussion that rails 3 will consider all output dirty and escape everything by default).

That said I'm guessing the output is probably being passed through the h function (which html escapes the string passed in). If this is not the problem, please feel free to post the view so I can help troubleshoot it.

> --
> You received this message because you are subscribed to the Google Groups "tinymce_hammer" group.
> To post to this group, send email to tinymce...@googlegroups.com.
> To unsubscribe from this group, send email to tinymce_hamme...@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/tinymce_hammer?hl=en.

Alan S

Feb 11, 2010, 11:49:53 PM2/11/10
to tinymce_hammer
Thanks for the reply. Yes, the output is being passed through the h
function. I have read all kinds of warnings not to disable this
protection. So my question is, if you are not running output through
the h function, what if any protections (e.g. white-list plugin etc.)
have you put in place and have you had any issues on your production

Trevor Rowe

Feb 12, 2010, 10:24:16 AM2/12/10
to tinymce...@googlegroups.com
I use TinyMCE in production in two ways.

1) Its available through an administrative interface where only trusted users can enter content. This gets inserted into the db and views w/out escaping.
2) Public users entering content through tinymce get their contented filtered twice. First I use TinyMCE's own configuration to do a coarse first pass filtering and then I use the HTML Sanitize gem to do a strict filtering before the content is inserted into the db. Once in the db is should be "trustworthy" so it can be placed into the view without a call to the h function.

Here are the configurations I use for each:


[:valid_elements, "a[href|title],blockquote[cite],br,caption,cite,code,dl,dt,dd,em,i,img[src|alt|style|title|width|height|align],li,ol,p,pre,q[cite],small,strike,strong/b,sub,sup,u,ul"]

HTML Sanitizer

:protocols => {
"a" => { "href" => ["ftp", "http", "https", "mailto", :relative] },
"img" => { "src" => ["http", "https", :relative] },
"blockquote" => { "cite" => ["http", "https", :relative] },
"q" => { "cite" => ["http", "https", :relative] },
:attributes => {
"a" => ["href", "title"],
"img" => ["src", "style", "alt", "title", "width", "height", "align"],
"blockquote" => ["cite"],
"q" => ["cite"],
:elements => %w(
a b blockquote br caption cite code dl dt dd em i img
li ol p pre q small strike strong sub sup u ul

TinyMCE isn't capible enough to safely do all the filtering, so I use both.

- Trevor Rowe

Reply all
Reply to author
0 new messages