“How to allow some safe HTML in Rails projects”
| compatible |
- Any Ruby / Ruby On Rails version
The function ae_some_html first converts all HTML special characters to HTML entities:
- & to &amp;
- < to &lt;
- > to &gt;
Afterwards it parses the escaped string with regular expressions, replacing safe constructions with proper HTML code.
Here is the source code of the function:
```ruby
def ae_some_html(s)
  # converting newlines (to_s also guards against nil; a non-bang gsub
  # leaves the caller's string untouched)
  s = s.to_s.gsub(/\r\n?/, "\n")

  # escaping HTML to entities
  s = s.gsub('&', '&amp;').gsub('<', '&lt;').gsub('>', '&gt;')

  # blockquote tag support
  s.gsub!(/\n?&lt;blockquote&gt;\n*(.+?)\n*&lt;\/blockquote&gt;/im, "<blockquote>\\1</blockquote>")

  # other tags: b, i, em, strong, u
  %w(b i em strong u).each { |x|
    s.gsub!(Regexp.new('&lt;(' + x + ')&gt;(.+?)&lt;/(' + x + ')&gt;', Regexp::MULTILINE | Regexp::IGNORECASE), "<\\1>\\2</\\1>")
  }

  # A tag support
  # href="" attribute auto-adds http://
  s = s.gsub(/&lt;a.+?href\s*=\s*['"](.+?)["'].*?&gt;(.+?)&lt;\/a&gt;/im) { |x|
    '<a href="' + ($1.index('://') ? $1 : 'http://' + $1) + "\">" + $2 + "</a>"
  }

  # replacing newlines with <br> and <p> tags
  # wrapping text into paragraph
  s = "<p>" + s.gsub(/\n\n+/, "</p>\n\n<p>").
    gsub(/([^\n]\n)(?=[^\n])/, '\1<br />') + "</p>"

  s
end
```
The function allows the following HTML:
- <a href="URL">link</a> (only the href attribute)
- <b>bold</b>
- <blockquote>blockquote</blockquote>
- <em>emphasis</em>
- <i>italic</i>
- <strong>strong</strong>
- <u>underlined</u>
Unclosed or broken tags are not converted to HTML; they stay escaped as entities.
As you can see, this function also replaces line breaks with <br /> (single line break) and <p> (two or more line breaks) tags.
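As an added example (not the original post's code), the same escape-first, then re-enable an allowlist approach written as a stand-alone function, with one check the post's version does not make: the href value is parsed and kept only when its scheme is http or https, otherwise the link is reduced to its plain text label. The names safe_href and allow_some_html are my own.

```ruby
require 'uri'

SIMPLE_TAGS = %w(b i em strong u).freeze

# Returns an absolute http(s) URL, or nil when the link should be dropped.
# A bare host such as "example.com" gets "http://" prepended, as in the post.
def safe_href(raw)
  raw = raw.strip
  raw = 'http://' + raw unless raw.include?('://')
  uri = URI.parse(raw) rescue nil
  return nil unless uri && %w(http https).include?(uri.scheme) && uri.host
  uri.to_s
end

# Escape everything first, then re-enable only well-formed allowlisted tags.
def allow_some_html(text)
  s = text.to_s.gsub(/\r\n?/, "\n")
  s = s.gsub('&', '&amp;').gsub('<', '&lt;').gsub('>', '&gt;')
  # blockquote, with surrounding newlines trimmed so no stray <br /> appears
  s = s.gsub(/\n?&lt;blockquote&gt;\n*(.+?)\n*&lt;\/blockquote&gt;/im, '<blockquote>\1</blockquote>')
  # inline tags: only matching open/close pairs are converted back
  SIMPLE_TAGS.each do |t|
    s = s.gsub(/&lt;#{t}&gt;(.+?)&lt;\/#{t}&gt;/im, "<#{t}>\\1</#{t}>")
  end
  # links: only href is honoured, and only with an http(s) target;
  # any other link becomes plain text (the [^&]*? parts cannot cross
  # into another entity, so the match stays inside the <a ...> tag)
  s = s.gsub(/&lt;a\s[^&]*?href\s*=\s*(['"])(.+?)\1[^&]*?&gt;(.+?)&lt;\/a&gt;/im) do
    href = safe_href(Regexp.last_match(2))
    label = Regexp.last_match(3)
    href ? %(<a href="#{href}">#{label}</a>) : label
  end
  # blank lines become paragraphs, single newlines become <br />
  '<p>' + s.gsub(/\n\n+/, "</p>\n\n<p>").gsub(/(?<=[^\n])\n(?=[^\n])/, "<br />\n") + '</p>'
end
```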
Usage example:
```ruby
s = "Test is a <b>test</b><blockquote> >>><em>It Works!</em><<< </blockquote> <a href='anyexample.com'>Linking</a> works!<b>Broken HTML does not work: </i>"
print ae_some_html(s)
```
HTML result is:
It is possible to put the ae_some_html call in the before_save callback of your Model class. For example:
```ruby
class Comment < ActiveRecord::Base
  belongs_to :user
  validates_length_of :text, :minimum => 3

  # copy-paste ae_some_html here
  # or put it in a separate .rb file in the lib folder (and 'require' it)

  def before_save
    # the text_view field is for the View;
    # the original text field is saved for editing
    self.text_view = ae_some_html(self.text)
    # if you don't need to save the original text, just do
    # self.text = ae_some_html(self.text)
  end
end
```
You can also add ae_some_html to app/helpers/application_helper.rb
and call it directly from application templates. This approach usually
requires caching techniques to avoid unnecessary ae_some_html calls.
| warning |
- For performance reasons, it is better to use ae_some_html to process the text once, when storing it in the database (in the Model).
- Because ae_some_html does a one-way conversion, store the original text if editing is necessary.
http://www.anyexample.com/webdev/rails/how_to_allow_some_safe_html_in_rails
January 5, 2008