Posting Rails code in text areas - html

Is there a way in Rails to escape code inserted in a textarea? If I post rails code at this point, there are some symbols that conflict with html (<< for instance) that don't render. Any thoughts on how to avoid this? In fact in some things I test, I make a post and it doesn't show up at all when I try to render it. I assume this is because of some conflict with the code I am posting.

You can possibly call a javascript function on window.onload/$(document).ready, that will remmove the html specific special character

Related

Generating a link to a controller action in Play Framework 2.3

I'm working on a Play application and need to generate links in a mixed Scala-HTML view that call controller actions. I found this question from a couple years ago that's similar to my situation, but the provided answers don't work for me.
The elements are generated in a loop so I can't manually insert the argument to the controller action, but nothing I've tried has worked. This is the line I have now:
ID: #{var fhirID = <processing for ID>; <a href='#routes.Users.fhirUserDetails(fhirID)'>fhirID</a>}
The accepted answer to the question I linked earlier effectively uses this structure too:
<a href='#routes.Application.show("some")'>My link with some string</a>
My issue here is twofold:
1) How can I have the variable fhirID passed to the controller action? My generated link simply has the text "fhirID" instead of what's generated by the first part of the statement.
2) Is the #routes.Users syntax correct? When I click the generated link, it literally attempts to render a page at /myapp/#routes.Users.fhirUserDetails(fhirID)
I realize I'm probably missing something very basic here- thanks for any advice!
The problem seems to be not the #routes syntax (which you have completely correct) but rather a case of the Twirl engine not seeing where code ends and HTML begins (or something like that anyway...)
The line you've included, which has both a var and a semicolon, made me suspect this, and I've been able to reproduce the problem when I use that style.
My recommendation is to use the #defining helper rather than var to get a scoped variable for use in your links, as follows:
ID: #defining(<processing for ID>) { fhirID =>
<a href='#routes.Users.fhirUserDetails(fhirID)'>fhirID</a>
}
You can nest #defining blocks as deeply as you like if necessary, although it's probably better to make a call out to a reusable block if there's a lot of logic. I think this style makes for more-readable templates and also somehow looks more like "real Scala" :-)

Curly brackets in HTML

I stumbled upon this code:
<a href="#" class="text1"{text2}>...</a>
What does the {text2} do? Later on, this HTML is replaced with:
<a href="#" class="text1" {text2} style>...</a>
Is there a way I can retrieve the text2 value with jQuery?
In some cases that code is input in, so scripts can actually easily identify a the line. Or in some cases can be an indicator for a database to retrieve and store data once it has been pulled.
Or it could be invalid markup, doubtful if the person knows what they are doing.
But without any other information or variables it is hard to say. But the most common is access for scripts within Php, Javascript, and even C#. Cause they can parse the HTML document and manipulate it. If those braces are used, and it is incorrectly it will cause a parse error.
Hopefully that sort of clarifies it.
Update:
Yes, jQuery can find it. It is a form of Javascript. You could implement something such as:
$(function() {
var foundString = $('*:contains("{text1}")');
});
There is a vast amount of data that addresses this for more detail.
It does nothing in HTML. It's actually invalid markup. Looks like maybe you have a template system that finds and replaces that before it gets rendered to the browser.
I know that in jinja2, a python templating system, brackets contain commands to the template engine, either as:
Hello, {{varName}}
or:
<ol>
{%for l in varList%}
<li>{{l}}</li>
{%endfor%}
</ol>
That's in jinja, but jinja has similar syntax to django templates, and many other template engines probably copy django's syntax also.
its used in angular js and are called expressions {{expression}}
AngularJS is a JavaScript framework. It can be added to an HTML page with a tag.
AngularJS extends HTML attributes with Directives, and binds data to HTML with Expressions.

How to store html characters in mysql and display them correctly

Not sure if I am asking this correctly. But I am using a Jquery HTML Editor cleditor so that the users can load html text. When I insert this into my db(mysql) and want to display the outcome it takes out any html characters it had like: <p>, <span>, and so on. So when I go view it, it shows like this:
class=\"noticia_texto\">jlasdfklsfklaf
which obviously it's not readable. Help please? Should I be using anything at the time of inserting or displaying or both? Also my datatype is set to Blob.
MySQL does NOT strip html tags. If they're being removed upon insertion (or retrieval), then it's something in your code doing it, not MySQL.
Given that the quotes in your snippet are escaped, you've almost certainly got magic_quotes enabled, and/or a home-brew SQL escaping function run amok.

How to sanitize user generated html code in ruby on rails

I am storing user generated html code in the database, but some of the codes are broken (without end tags), so when this code will mess up the whole render of the page.
How could I prevent this sort of behaviour with ruby on rails.
Thanks
It's not too hard to do this with a proper HTML parser like Nokogiri which can perform clean-up as part of the processing method:
bad_html = '<div><p><strong>bad</p>'
puts Nokogiri.fragment(bad_html).to_s
# <div><p><strong>bad</strong></p></div>
Once parsed properly, you should have fully balanced tags.
My google-fu reveals surprisingly few hits, but here is the top one :)
Valid Well-formed HTML
Try using the h() escape function in your erb templates to sanitize. That should do the trick
Check out Loofah, an HTML sanitization library based on Nokogiri. This will also remove potentially unsafe HTML that could inject malicious script or embed objects on the page. You should also scrub out style blocks, which might mess up the markup on the page.

Perl AJAX stripping html characters out of string?

I have a Perl program that is reading html tags from a text file. (im pretty sure this is working because when i run the perl program on the command line it prints out the HTML like it should be.)
I then pass that "html" to the web page as the return to an ajax request. I then use innerHTML to stick that string into a div.
Heres the problem:
all the text information is getting to where it needs to be. but the "<" ">" and "/" are getting stripped.
any one know the answer to this?
The question is a bit unclear to me without some code and data examples, but if it is what it vaguely sounds like, you may need to HTML-encode your text (e.g. using HTML::Entities).
I'm kind of surprized that's an issue with inserting into innerHTML, but without specific example, that's the first thing which comes to mind
There could be a mod on the server that is removing special characters. Are you running Apache? (I doubt this is what's happening).
If something is being stripped on the client-side, it is most likely in the response handler portion of the AJAX call. Show your code where you stick the string in the div.