node.js: is there no way to put HTML into i18n-node JSON translation files? - html

The question says it all. If I put HTML directly into the (JSON-formatted) translation file, like this:
"test_html" : "click <a href='http://stackoverflow.com/'>here</a>",
I get this in my HTML:
click <a href='http://stackoverflow.com/'>here</a>
I also tried combining this in my translation file:
"test_html_placeholder" : "click %shere%s",
With this in my HTML:
<%= __('test_html_placeholder', '', '') %>
But got similar results.
The only thing I can get to work is this clumsiness:
"test_html_pre" : "click ",
"test_html_link" : "here",
"test_html_post" : ".",
with this:
<%= __('test_html_pre') %><%= __('test_html_link') %><%= __('test_html_post') %>
But it's so cumbersome as to be almost not worth doing, and moreover the word order in some languages would force me to put some empty strings in my translation files, which i18n-node doesn't seem to like as it spits out the key (attribute) name when it encounters an empty string.
I also tried using "\" as an escape character in front of the symbols, but I got an invalid JSON error when I lifted sails (restarted the server).
Any ideas, workarounds? I'm using sails.js, it wasn't my decision but I'm stuck with it and it comes with i18n-node. It's kind of late in the day on this project to consider using another library, but not completely out of the question.

Besides any upcoming discussion of whether to include (HTML) code in language files or not:
try to use
<%- __('click') %>
instead of
<%= __('click') %>
In EJS (the Sails default template engine) '<%=' will escape any HTML tags, while '<%-' outputs as is without touching it. I am pretty sure you'll find unescaped HTML in your .json files. i18n doesn't do any transformation other than JSON.stringify(), but almost all template engines escape strings by default to prevent XSS.

For those using pug/jade, you can use
!{ __('key_for_your_text') }

Another option for pug is using
p!= __('key_for_your_text')

Related

How to only make links html safe and ignore other html tags in Rails

I have a requirement where I need to make links clickable in text while keeping any other html tags as text (not html_safe). This means I cannot make the entire text html_safe as that will render the other html tags and I cannot sanitize the text and remove the other html tags. I've seen other websites handle this by making the html_safe links and other text on their own lines. It looks like the following when inspecting the html.
<span>
"This is an "
https://example.com/
"other <b>HTML</b>"
</span>
What would be the best way to do this in Rails 4?
When you call .html_safe on a string you're actually getting an object that behaves like a string but is an ActiveSupport::SafeBuffer. When you append a string to an ActiveSupport::SafeBuffer it's automatically escaped. Let's say you want to construct a span where the text is user input:
'<span>'.html_safe + text + '</span>'.html_safe
In this case we are safe against an XSS attack, as the user-originated text is automatically escaped:
irb(main):004:0> "<span>".html_safe + "<script>alert('You have been haxxored!')</script>" + "</span>".html_safe
=> "<span>&lt;script&gt;alert(&#39;You have been haxxored!&#39;)&lt;/script&gt;</span>"
That's what happens automatically when you output a variable in your views, as the view is constructed as an ActiveSupport::SafeBuffer. Whenever you output a regular string it will be automatically escaped, thus it's secure by default.
Of course there is always going to be a huge number of programmers that just proceed to give themselves an XSS vulnerability out of ignorance:
# WAAAH! Rails is escaping my tags! Bad rails!
'<span>'+ text +'</span>'.html_safe
Another way to approach the problem is to use the tag helpers, partials or Nokogiri instead of using string concatenation to construct HTML, which in itself is tedious, borderline unreadable and error prone.
I was able to get this working using the following.
# module ApplicationHelper
def url_regexp
  # memoised; the pattern is John Gruber's liberal URL regex, so "www." links match too
  @url_regexp ||= %r{
    (?:(?:https?|ftp|file):\/\/|www\.|ftp\.)
    (?:\([-A-Z0-9+&@#\/%=~_|$?!:,.]*\)|
    [-A-Z0-9+&@#\/%=~_|$?!:,.])*
    (?:\([-A-Z0-9+&@#\/%=~_|$?!:,.]*\)|
    [A-Z0-9+&@#\/%=~_|$])
  }ix
end
# in the view (partition splits around the first URL only: [before, url, after])
<%- "This is a test https://example.com".partition(url_regexp).each do |text| %>
  <%- if text =~ url_regexp %>
    <%= "<a href='#{text}' target='_blank'>#{text}</a>".html_safe %>
  <%- else %>
    <%= text %>
  <% end %>
<% end %>
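As an added example that is not the answer's own code: the same URL pattern, but applied across the whole string with String#split and a capture group so that every URL is linked, not only the first, and with ERB::Util.html_escape from the Ruby standard library (so it runs outside Rails) applied to the non-URL text and to the URL in both the href and the link text. The rel="nofollow noopener" attribute, the http:// prefix for bare www. links, and the sample inputs are my additions, not something the answer does.

```ruby
require "erb"

# Same URL pattern as the answer's url_regexp (John Gruber's liberal URL regex).
URL_REGEXP = %r{
  (?:(?:https?|ftp|file):\/\/|www\.|ftp\.)
  (?:\([-A-Z0-9+&@#\/%=~_|$?!:,.]*\)|
  [-A-Z0-9+&@#\/%=~_|$?!:,.])*
  (?:\([-A-Z0-9+&@#\/%=~_|$?!:,.]*\)|
  [A-Z0-9+&@#\/%=~_|$])
}ix

# Build one anchor. The URL is escaped in the attribute and in the link text, so a
# "&" in a query string becomes "&amp;" and the attribute value cannot be broken out of.
# rel="nofollow noopener" is an addition here: target="_blank" would otherwise give the
# opened page a reference to this window (assumed policy, not from the answer).
def link_tag(url)
  href = url.match?(/\A(?:https?|ftp|file):\/\//i) ? url : "http://#{url}"
  %(<a href="#{ERB::Util.html_escape(href)}" rel="nofollow noopener" target="_blank">#{ERB::Util.html_escape(url)}</a>)
end

# Split on the URL pattern, keeping the matches: with one capture group String#split
# returns [text, url, text, url, ...], so odd indices are URLs. Everything that is not
# a URL is escaped, which is what keeps "<b>HTML</b>" or "<script>" in the input inert.
def linkify(text)
  text.split(/(#{URL_REGEXP})/).each_with_index.map do |segment, i|
    i.odd? ? link_tag(segment) : ERB::Util.html_escape(segment)
  end.join
end

# Constructed sample inputs, not taken from the question.
SAMPLE_TEXT = 'This is an https://example.com/ other <b>HTML</b>'
SAMPLE_XSS  = "<script>alert(1)</script> see www.example.org/?q=a&b=c now"

if __FILE__ == $PROGRAM_NAME
  puts linkify(SAMPLE_TEXT)
  puts linkify(SAMPLE_XSS)
end
```

In a Rails helper the string returned by linkify would then be marked .html_safe, which is legitimate here precisely because the function has already escaped every untrusted byte itself.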

How do you use inline haml for dynamic content?

The intent is to do what you think this would achieve, except doing so without using erb.
= link_to 'text', some_path, id: <%= @name %>
What is the most elegant way to do something like this in haml? Should you just use haml and erb in a *.haml.erb file?
As @matt pointed out, the best way to "convert" that line to strictly haml is the following
= link_to 'text', some_path, id: @name
Please note, you should use either 'text' or "text", and not mix the quotes (like you did in your question). And, if needed, convert @name to an int or a string. If it is an object with several attributes, it will print the object/relation ID for ActiveRecord, so specify an attribute (@name.first_name)
I also suggest that you stick strictly with either haml or erb. It makes life easier when comparing multiple views as once (making sure all index pages look the same). Haml is also very powerful, while being easy on the eyes.

Using ruby variables as html code

I would expect that the following:
<div style="padding-top:90px;"><%= u.one_line %></div>
simply pulls whatever is in u.one_line (which in my case is text from database), and puts it in the html file. The problem I'm having is that sometimes, u.one_line has text with formatted html in it (just line breaks). For example sometimes:
u.one_line is "This is < / b r > awesome"
and I would like the page to process the fact that there's a line break in there... I had to put it with spaces up ^^^ here because the browser would not display it otherwise on stackoverflow. But on my server it's typed correctly, unfortunately instead of the browser processing the line break, it prints out the "< / b r>" part...
I hope you guys understand what I mean :(?
Always remember to use raw or html_safe for HTML output in Rails, because Rails by default auto-escapes HTML content to protect against XSS attacks.
for more see
When to use raw() and when to use .html_safe

Error in Mako: "expected %>", escaping %

I'm currently writing Javascript in a mako file, and on one line, I have to check whether two strings are equal. The string I'm checking against has "<%text" within it, so I used to get an error saying there's no tag named text. I escaped that by adding a second % to get "<%%text". But now, I'm getting the following error.
SyntaxException: Expected: %> in file file.mako
What is the problem?
"<%" and "%>" are reserved symbols in Mako. If they appear in your template, Mako will assume that you mean to escape a python code block. Here is an example of what I mean:
"""
<%
some_var = 'foo'
other_var = '{0} bar'.format(some_var)
%>
"""
Take a look at http://docs.makotemplates.org/en/latest/syntax.html#python-blocks for more details
Excuse the quotes, "<%" and "%>" are also reserved symbols in the Stack Overflow WYSIWYG editor.
If the Javascript variables you are comparing contain reserved symbols, you will have to find another way of comparing them. Perhaps you could use the unicode entity for the percent sign:
For example:
if ('<%' == '<\u0025') {
alert('success!');
}
I just had a broken string variable which broke the logic, and fail on the un-related <% ... %>
Example:
<%
variable = 'this won't work'
# ^^^
%>

Ruby on Rails Helper Method - HTML is displayed as plain text

I have a helper method for my Rails app that returns a string with HTML code for a Google Groups subscription form. Unfortunately, it comes out on the page like plain text. How can I force it to render as HTML?
Thanks in advance.
The result of your helper needs to be marked as "html_safe" in Rails 3. Otherwise, the tags will be escaped.
def my_helper
data = "<p>Hello!</p>"
data.html_safe
end
I suppose it was a problem with Rails HTML sanitizing.
From the Rails changelog:
You no longer need to call h(string) to escape HTML output, it is on by default in all view templates. If you want the unescaped string, call raw(string).
try it
One thing to watch out for is when joining multiple strings like this
def custom_check_box(checked)
'<span class="my-custom-checkbox '+( checked ? 'checked' : '')+'"></span>'.html_safe
end
In this case, only the last part is marked as html safe. Make sure you get the whole thing.
def custom_check_box(checked)
('<span class="my-custom-checkbox '+( checked ? 'checked' : '')+'"></span>').html_safe
end
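The Rails answers above (appending user text to a SafeBuffer, the precedence mistake in '<span>' + text + '</span>'.html_safe, and the helper whose HTML shows up as plain text) all come down to one rule: a view escapes anything that is not marked html_safe, and + on a SafeBuffer escapes operands that are not themselves safe. The following added example, not code from the answers or from Rails, models that rule with a small stand-in class built on ERB::Util.html_escape from the standard library, so it runs without ActiveSupport. render_output is an assumed, simplified model of what <%= %> does with an expression's result.

```ruby
require "erb"

# Minimal stand-in for ActiveSupport::SafeBuffer (added example, not the Rails class).
class SafeBuffer < String
  def html_safe?
    true
  end

  # Appending to a safe buffer escapes anything that is not itself marked safe.
  def +(other)
    SafeBuffer.new(to_str + SafeBuffer.coerce(other))
  end

  # Safe values pass through as a plain String; anything else is HTML-escaped.
  def self.coerce(value)
    if value.respond_to?(:html_safe?) && value.html_safe?
      value.to_str
    else
      ERB::Util.html_escape(value.to_s)
    end
  end
end

class String
  def html_safe?
    false
  end

  def html_safe
    SafeBuffer.new(self)
  end
end

# Assumed model of <%= %> in a Rails view: output safe buffers as-is, escape the rest.
def render_output(value)
  SafeBuffer.coerce(value)
end

# '<span>'.html_safe + text + '</span>'.html_safe: the user text is escaped on append.
def wrap_span_safe(text)
  "<span>".html_safe + text + "</span>".html_safe
end

# '<span>' + text + '</span>'.html_safe: .html_safe binds only to the last literal,
# so String#+ runs first and the whole result is an ordinary, unsafe String.
def wrap_span_precedence_bug(text)
  "<span>" + text + "</span>".html_safe
end

# The two custom_check_box versions from the answer above.
def custom_check_box_bug(checked)
  '<span class="my-custom-checkbox ' + (checked ? "checked" : "") + '"></span>'.html_safe
end

def custom_check_box(checked)
  ('<span class="my-custom-checkbox ' + (checked ? "checked" : "") + '"></span>').html_safe
end

# Constructed sample input standing in for untrusted user text.
PAYLOAD = "<script>alert('You have been haxxored!')</script>"

if __FILE__ == $PROGRAM_NAME
  puts render_output(wrap_span_safe(PAYLOAD))
  puts render_output(wrap_span_precedence_bug(PAYLOAD))
  puts render_output(custom_check_box_bug(true))
  puts render_output(custom_check_box(true))
end
```

Note what the precedence case actually produces: the result is not html_safe, so the view escapes the entire span and the markup appears as text, which is the symptom of the helper question rather than an XSS. The XSS is the other mistake, wrapping the whole concatenation in .html_safe while text is still untrusted; the fixed custom_check_box is only acceptable because every part of that string is a literal under the developer's control.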