I have a system for the users to be able to post comments.
The comments are captured in a textarea.
My problem is formatting the comments with <br> tags to replace \n.
In fact, I could do something like this:

    s.gsub(/\n/, '<br />')

But the XSS protection included in Rails escapes the br tags.
So I could do this:

    s.gsub(/\n/, '<br />').html_safe

But then all the tags are accepted, even script, causing a big security problem.
So my question is: how do I format text with br safely?
Thanks
EDIT: For now, I have added this:

    # Assumed to be reopened on String, since both methods call self.gsub
    class String
      # Naive tag strip: removes anything that looks like <...>
      def sanitaze
        self.gsub(/(<.*?>)/, '')
      end

      # Strip tags first, then turn newlines into <br /> and mark the result trusted
      def nl2br
        self.sanitaze.gsub(/\n/, '<br />').html_safe
      end
    end
As Ryan Bigg suggested, simple_format is the best tool for the job: it's 'html safe' and much neater than other solutions.
So for @var:

    <%= simple_format(@var) %>

If you need to sanitize the text to get rid of HTML tags, you should do this before passing it to simple_format.
http://api.rubyonrails.org/classes/ActionView/Helpers/TextHelper.html#method-i-simple_format
The best way I can figure to go about this is using the sanitize method to strip all but the BR tag we want.
Assume that we have @var with the content "some\ntext":

Trying

    <%= @var.gsub(/\n/, '<br />') %>

doesn't work.

Trying

    <%= h @var.gsub(/\n/, '<br />').html_safe %>

doesn't work and is unsafe.

Trying

    <%= sanitize(@var.gsub(/\n/, '<br />'), :tags => %w(br)) %>

WORKS.

I haven't tested this very well, but it allows the BR tag to work, and replaced a dummy script alert I added with white space, so it seems to be doing its job. If anyone else has an idea or can say if this is a safe solution, please do.

Update:
Another idea suggested by Jose Valim:

    <%= h(@var).gsub(/\n/, '<br />') %>

Works
Here's what I did:

    module ApplicationHelper
      # Strip every tag (empty allow-list), then insert the only markup we want
      def nl2br s
        sanitize(s, tags: []).gsub(/\n/, '<br>').html_safe
      end
    end
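An added example, not taken from any of the answers above, contrasting the ordering from the question (insert br, then trust the whole string) with the escape-first ordering the answers converge on. It uses ERB::Util.html_escape from the standard library in place of Rails' h helper and omits .html_safe so it runs outside Rails; the sample comment is constructed.

```ruby
require 'erb'

# Constructed sample comment: two newlines around an injected script tag.
SAMPLE = "hello\n<script>alert(1)</script>\nworld"

# Ordering from the question: insert <br /> first; in a Rails view the
# whole string would then be marked .html_safe, so the script tag survives.
def nl2br_unsafe(s)
  s.gsub(/\n/, '<br />')
end

# Escape-first ordering: neutralise the user text, then introduce the only
# markup we want. ERB::Util.html_escape stands in for Rails' h helper; in a
# view, this returned string is what you would mark .html_safe.
def nl2br_safe(s)
  ERB::Util.html_escape(s).gsub(/\r?\n/, '<br />')
end

# Check that the only tags left in the output are the <br /> we inserted.
def only_br_tags?(html)
  html.scan(/<[^>]*>/).all? { |tag| tag == '<br />' }
end

if __FILE__ == $PROGRAM_NAME
  puts nl2br_unsafe(SAMPLE) # script tag passes through
  puts nl2br_safe(SAMPLE)   # script tag is entity-escaped, newlines become <br />
end
```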