Ruby on Rails Slim Templates with HTML Entity Escaping - html

I have a RoR slim template with the following:
input(type="text" placeholder="I'm looking for…")
But sadly it outputs the HTML entity escape 'as-is' i.e. string literal. I'm using the rails gem 'slim' for template rendering the input field.
Desired output with the ellipsis character …
<input type="text" placeholder="I'm looking for…">
Actual output
<input type="text" placeholder="I'm looking for…">
I've tried adding a html_safe call to the end but to no avail e.g.
input(type="text" placeholder="I'm looking for…").html_safe
Thanks a bunch.

Self solved, simple solution, obvious answer - set of parenthesis needed:
input(type="text" placeholder=("I'm looking for…".html_safe))

According to Slim's website , Text is escaped by default. To prevent escape, prefix with double equals signs. So (un-intuitively),
input(type="text" placeholder=="I'm looking for…")
should work just as well.
For stand-alone unescapes, one could use
span.classname[onclick="document.getElementById('id01').style.display='none'"]
=="×"
Remember: make sure the escape character is surrounded by double quotes!

<%= text_field_tag nil, nil, placeholder: "I'm looking for…".html_safe %>
or give more info about your input helper

Related

interpolating HTML attributes in ERB for rails broken?

I want to interpolate an attribute and its value in an html tag.
If I only interpolate the value like this:
<span b="<%= "1 2 3"%>">
It works, resulting in:
<span b="1 2 3">
If I try to interpolate the attribute as well like this:
<span <%= "b='1 2 3'" %> >
Instead of the same result as before I get:
<span b="'1" 2="" 3'="">
what's going on? Where's the documentation describing this behavior?
UPDATE:
The extra quotes in the las example where added apparently by the browser, not ERB, that got me confused. ERB render the string as <span b="1 2 3"> so the browser assumes this is meant <span b=""1" 2="" 3"=""> and then resolve the entities.
What going on here is HTML escaping. In Rails unless you use raw or String#html_safe the entities in the string will be escaped which helps prevent cross site scripting attacks.
So if you do:
<span <%= raw "b='1 2 3'" %> >
This will produce the intended output. But a better way altogether is to use the tag helpers instead if the HTML you are creating is highly dynamic. String interpolation tends to get really lengthy and is hard to read.
<%= tag.span(b: "1 2 3") %>
<% end %>
Whatever hash arguments you pass are added as attributes to the tag.
you need to deeply understand the difference between using ' and "
' single quote - will out without any interpretation
"" double quotes - will output only after interpretation
in order to get the output you need, you can code like
<span <%= 'b="1 2 3"' %> >

How to ignore apostrophes in html tag?

I'm sure someone will mark this as a duplicate question but no other answers worked for me.
I am using ruby and passing a variable into my html page. Let's say my variable "camp_name" is equal to "abc'd"
<%=camp_name%>
This outputs "abc'd" which is what I want.
<input type="text" class="form-control" name="campaign_name" required value='<%=camp_name%>'>
The value in the field is now "abc" because of the single apostrophe. How do i get it to ignore apostrophes? Thanks.
You can escape the variable to html entities:
camp_name.gsub("'", "&apos;")
You should do that for other characters as well, because, as mentioned by a comment, the user could simply insert an HTML tag in your page with your current script. Probably the most important ones are the following:
camp_name.gsub("<", "<")
camp_name.gsub(">", ">")
If you're using Rack (which would definitely be in use if you're using Rails or Sinatra, and it might be there even if you're not), there is a builtin for escaping HTML for just this kind of thing. Calling Rack::Utils#escape_html will replace ampersands, brackets, and quotes with their HTML entities (e.g. &apos; instead of ').
In your case, you'd want the following code:
<input type="text" class="form-control" name="campaign_name" required value='<%= Rack::Utils.escape_html(camp_name) %>'>
This would evaluate to:
<input type="text" class="form-control" name="campaign_name" required value='abc&apos;d'>
which is the proper way of displaying an apostrophe in HTML.
Just as a side note, displaying user-submitted text without escaping on a website is a very bad idea, because malicious users can add arbitrary Javascript that could render your site useless, add advertisements, and more. You should definitely get into the habit of escaping any text that users can submit before displaying it, either by gsubing manually or using a helper method like this.

node.js: is there no way to put HTML into i18n-node JSON translation files?

The question says it all. If I put HTML directly into the (JSON-formatted) translation file, like this:
"test_html" : "click <a href='http://stackoverflow.com/'>here</a>",
I get this in my HTML:
click <a href='http://stackoverflow.com/'>here</a>
I also tried combining this in my translation file:
"test_html_placeholder" : "click %shere%s",
With this in my HTML:
<%= __('test_html_placeholder', '', '') %>
But got similar results.
The only thing I can get to work is this clumsiness:
"test_html_pre" : "click ",
"test_html_link" : "here",
"test_html_post" : ".",
with this:
<%= __('test_html_pre') %><%= __('test_html_link') %><%= __('test_html_post') %>
But it's so cumbersome as to be almost not worth doing, and moreover the word order in some languages would force me to put some empty strings in my translation files, which i18n-node doesn't seem to like as it spits out the key (attribute) name when it
encounters an empty string.
I also tried using "\" as an escape character in front of the symbols, but I got an invalid JSON error when I lifted sails (restarted the server).
Any ideas, workarounds? I'm using sails.js, it wasn't my decision but I'm stuck with it and it comes with i18n-node. It's kind of late in the day on this project to consider using another library, but not completely out of the question.
beside of any upcoming discussion whether to include (html-)code in language files or not:
try to use
<%- __('click') %>
instead of
<%= __('click') %>
in ejs (the sails default template engine) a '<%=' will escape any html tags while '<%-' puts output as is without touching it. I am pretty sure you'll find unescaped html in your .json files. i18n doesn't do any transformation other than JSON.stringify() but almost all template engines do escape strings by default to prevent xssi.
For those using pug/jade, you can use
!{ __('key_for_your_text') }
Another option for pug is using
p!= __('key_for_your_text')

Encode hidden form field value

What method should I use to encode hidden a form field value? Assume that I am storing text like this:
This is a "really" long string with 'quotes' and special characters (~!##$%^&*()_+{}), which might have a random quote (") in the middle of it, making the HTML invalid.
We are using ASP.net to set the value:
<input type="hidden" value="<%= Model.UnencodedTextData %>" name="askingForTrouble" />
I believe if we HTML encoded it, it would solve the problem, but this form will be posted to another application, which we do not have control over. So will the receiving application (Marketo) automatically know how to decode this?
Thank you.
Marketo developer evangelist here. Before posting to Marketo, it is best to use HTML URL encoding for special characters. For example, the JavaScript code sample below would URL encode "&" and "%" characters.
function htmlEscape(str) {
return String(str)
.replace(/&/g, '%26')
.replace(/%/g, '%20');
}

Rails -- Add a line break into a text area

I got a rails app where I can input a few paragraphs of text into my model. The problem is I dont know how to input any line breaks.
I've tried to add " {ln}{/ln} ; {&nbsp} and {br}{/br}" but that only displays the html as text and no break.
Is there anyway I can set it so the text area control will use any of the html I place within the model entry?
Is there any thing I can type so rails will recognize, hey put a line here?
Line breaks in textareas are produced as `\n'. However, the problem is that if you simply dump it into your view, it will just be line breaks in your HTML source.
You can try using the Rails simple_format helper to take care of some of this for you: http://api.rubyonrails.org/classes/ActionView/Helpers/TextHelper.html#M002285
It will auto-convert line breaks to HTML tags. You can use it with something like <%= simple_format(my_text_field) %>.
The problem isn't so much editing the value as it is rendering it later. To add newline characters to your value while editing it in a textarea, just hit the return key. When you re-edit that value later, the whitespace should still be there.
Rendering the whitespace is the tricky part. In HTML, whitespace is generally insignificant. A renderer like the one your browser uses will display a single space for any continuous string of whitespace. So merely dumping the value onto the page won't be enough:
<%= obj.description %>
Even though your value may be "One \t \n \n Two", it will show up on the screen as "One Two".
To get those new line characters to actually separate the lines when displayed, you'll need to convert them to HTML before rendering:
<%= obj.description.gsub(/\n/, '<br/>') %>
Of course, if users are entering data that will be included in your HTML, you should be escaping the values to protect against XSS. If new lines are the only thing you need to support, it should be as simple as this:
<%= h(obj.description).gsub(/\n/, '<br/>') %>
If you want to allow more complex formatting, look into Markdown and Textile (both of which Rails provides helper view methods for). Just be sure to investigate what if any support they provide for XSS prevention.
Keep user input unmodified and add this to your css:
white-space: pre-line;
It will display \r or \n (enter) in user input as a new line.
Here is another way to display the line breaks in a string while still escaping the rest of the text:
<%= safe_join(#object.textarea_input.split("\r\n"), "<br />".html_safe) %>
See here http://code.byteblues.com/2012/03/23/preloading-a-text-input-area-text_area-with-data-that-contains-a-line-break/
<%=raw text_area_tag :keywords, keywords, :rows => 8 %>
the problem with simple_format is that it's also adding other tags like <b><i><hr><h1>...
if you just want line breaks without other tags i suggest you build a partial (lets call it line_break):
<% text.split("\n").each do |t| %>
<%= t %><br>
<% end %>
then, just call it from your view:
<%= render partial: 'line_break', locals: {text: some_text} %>
What version of rails are you using?? Because the way to handle this, is different in rails 2 and 3.
Let's say the value of the record is "foo<br />bar"
In rails 3, if you want to evaluate the html, you could do <%=raw "foo<br />bar" %>, if you do so, you'll get a line break when you will see the view.
In rails 2 you don't have to do that, just do <%= "foo<br />bar" %>
Also, HTML doesn't get evaluated in a textarea anyway.
\n if memory serves (it hasn't been doing so well today... try at your own risk lol)
Edit: making the assumption you were talking about a textarea, if it is simple output, just use <br>
The answers above were good:
the gsub (#Ian) worked well
the simple_format (#Karl) was a bit over the top as #Aaron pointed out, wrapping everything in <p>
So I tweaked as follows:
simple_format(value, {}, wrapper_tag: 'div')
The other answers are wrong. Text area does not render as line breaks, because the innerHTML value of the TEXTAREA element does not render HTML..
You need to add the Line feed HTML entity:
EXAMPLE:
<textarea><%= "LINE 1
LINE 2
LINE 3".html_safe %></textarea>
See also New line in text area - Stack Overflow
If you are simply displaying your string in the view. then try it with
< p >This is my text< / p >< br />