Rails render raw html but escape javascript? - html

So I have some user generated content areas of my site. I want them to be able to use html for markup purposes, but I don't want them to be able to execute any arbitrary javascript.
From my understanding raw() will just output everything, html, javascript, and all right into the webpage.
Is there a method that will allow raw rendering of html but not allow rendering of javascript?

Have a look at sanitize.

Related

Beautify django form html

The form.as_ul shortcut works completely fine but the html isn't formatted. The only solution I found was to include a middleware which beautifies the complete html but I only want to do that for the form part. Is there a other way than write my own form template?
If you are talking about the formatting of the HTML code itself, consider not worrying about it.
In most cases the formatting of your HTML code is unimportant. It gets consumed by a browser and rendered for users. It is that rendered output that is important.
(Just for fun, load up your local Google search page and have a look at its source. It's definitely not optimized for people to read.)
In case you do want to format your HTML in a particular way you can always render fields manually.

Encapsulate the rendering of HTML

Can someone explain me what it means when they say:
"HTML Helpers enables to encapsulate the rendering of HTML"
Does it mean it will restrict access to the HTML attributes of an object? What if I am using CSS, jquery, Javascript, will it display my JS/jquery and CSS in page source?
HTML helpers are bits of code that will render out the HTML, instead of you writing out the HTML for each and every piece of data directly in the view.
They encapsulate it - meaning they take care of what HTML is output.
By "encapsulating the rendering", they are referring to the encapsulation of the functionality of rendering html.
If there is a common piece of html you render often, (the rails form helpers for example), if you insert the code (or the code building functionality within a helper), each time you need to render that html (or a variant of it) , you merely call the helper method thereby keeping your code "dry" (html code in this case)

What can possibly go wrong with my site with my super simple HTML minification regex?

The current HTML pages being rendered have a lot of whitespace. Minifying the HTML before sending it saves me about 25% in file size. I minify the text using these regexs (in Python):
def minify_html(text):
text = re.sub(r'>\s+<', '><', text).strip()
return re.sub(r'\s+', ' ', text)
I do not support <pre> and <code> tags on my site, but what would happened if I did via Markdown? My CSS is formatted accordingly (for inline lists for example). I only have very simple inline javascript such as Google Analytics or calling functions in an external file. This regex doesn't seem to slow down page renderings unlike other HTML minification libraries.
What issues could I come across?
Also,
This is <em>an</em> <strong>example</strong>
Is very different from
This is <em>an</em><strong>example</strong>
But your regexp will convert the former to the latter.
I'm using this HTML/HTML5 compressor I wrote in production. Feel free to adapt it to your own needs.
Also: If you don't pass conservative=True, it'll be fairly radical in its compression.
Depends on your page, but what could go wrong:
PRE tag contents formatting
JavaScript strings (this doesn't seem to be your
concern, though)

How to style XML displayed in HTML?

I'd like to display XML pulled from a database on a website. I'd like to be able to style how it is displayed (such as different colors for string value, attributes, elements,..).
How would you do this? Can you use CSS? Thanks!
EDIT: I mean display the XML as XML editor would, sorry for the confusion!
Have a look at XSL/XSLT.
(I'm interpreting your question to be about displaying the XML content as XML, but with pretty syntax highlighting, as you would get with an XML editor for example.)
I'd recommend xmlverbatim via an XSLT transform (either server-side or via JavaScript). You can change its indent-elements parameter to control whether you want it to indent the XML.
For the XSLT transform on the client side, xslt.js (possibly in conjunction with jQuery) should help.

Is there an html command to bypass an html filter?

I am trying to add an html link to a website but the website strips out the html:
When I view the source I get this:
<a href = "http://www.soandso.com">http://www.soandso.com/</a>
instead of what I actually want which is this:
www.soandso.com
Is there an html command to bypass the filter?
Almost certainly not.
Most sites quite rightly don't just let users inject arbitrary HTML. That's the source of XSS (cross site scripting) vulnerabilities.
If the site strips (or escapes) tags, just put in www.example.com and that will have to do.
No. The filters are there for a reason; to prevent you from adding your own HTML to the website. There is no standard for how the filters work, but they will generally either escape all HTML that isn't allowed, or strip out HTML that isn't allowed. There is no general purpose way to get around the filter.
First check if the site uses any sort of special markup. For instance, Stack Overflow supports a variation of Markdown. Other sites support Textile, or BBCode. If that is the case, check the associated reference on how to include a link. If none of those are the case, then just use the URL without the <a> element wrapper.