SammyLin / redactor-rails

This repo is deprecated. Please check out official gem for Redactor 2. https://github.com/Redactor2/redactor2_rails
MIT License

Redactor AJAX call #15

Closed ghost closed 12 years ago

ghost commented 12 years ago

Redactor works normally on most of my site. However, it doesn't appear at all when I call it via AJAX. For instance, I have an edit button that replaces the relevant text with a text area. Edit.js.erb looks like this:

$("#lightbox-impression").html("<%= escape_javascript(render 'impression_form') %>")

And _impression_form.html.erb looks like this:

<%= form_for @impression, :remote => true do |f| %>
    <%= f.text_area :content, :class => "redactor" %>
    <%= f.submit 'Submit' %>
<% end %>

Any idea why Redactor doesn't show up here?

thebrokencube commented 12 years ago

So this may not apply in this case, but the issue may have something to do with how event binding works. When you have an event binding, it applies to the elements that exist at the time, and thus elements that are added after the script has run initially aren't bound to the event. Things in jQuery like .live() (or I guess now it's .on()) fix this issue.

Hope that helps in some regards.

ghost commented 12 years ago

This could really work to my advantage, as I was hoping to trigger the editor window on focus. Do you have any idea what I should bind to my textarea, though? Is there a simple Redactor method, like:

$("#impression_content").on("focus", redactornate());

ghost commented 12 years ago

I'm able to get this working by using the redactor() function:

$("#impression_content").redactor();

The only problem is that any formatting the user does is treated as html-unsafe, resulting in visible and tags. I'm assuming this isn't normal? Is there a better way to append redactor to a text area?

thebrokencube commented 12 years ago

Are you talking about when you want to display it? If so, when displaying it you can use .html_safe if you want to allow the formatting, and .sanitize if you don't. I'm sure there are other solutions too, but that's what I've been doing in the project I'm working on when displaying. Hope I understood that correctly.

ghost commented 12 years ago

Using .html_safe does work, but it leaves the site vulnerable to XSS attacks. I'd assumed that Redactor accounted for this somehow, but perhaps not. For instance, a user can insert JavaScript into an href link, resulting in something like this:

A bad <a href="javascript: alert('Your site is vulnerable!')">link</a>.

UPDATE: After doing a little more research, it looks like what I'm asking for is impossible--or at the very least, ineffective. This Stackoverflow discussion points out that you cannot control for XSS on the client-side. Instead, you can use Rails' built-in sanitize method within the view:

<%= sanitize @article.body %>
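The thread's conclusion is that editor output has to be treated as untrusted input and filtered on the server, which is what Rails' `sanitize` helper does: it keeps an allowlist of tags and attributes and drops `href` values whose scheme is not allowed, so the `javascript:` link above comes out as a plain `<a>`. The following is an added illustration of that allowlist principle, written for this page and not code from redactor-rails or from Rails. It is a deliberately small tokenizer with a constructed allowlist (`ALLOWED_TAGS`, `ALLOWED_ATTRS`, `SAFE_URL` are this example's own names); a real application should keep using Rails' `sanitize`, which parses the HTML as a DOM instead of tokenizing it.

```ruby
require "cgi"

# Constructed allowlist for this example; Rails' default list is larger.
ALLOWED_TAGS = %w[p br b i strong em ul ol li a].freeze
ALLOWED_ATTRS = { "a" => %w[href] }.freeze
# Only these URL shapes survive in href: http(s), mailto, and site-relative links.
SAFE_URL = %r{\A(?:https?:|mailto:|/|#)}i

# Tokens are either a tag (<...>), a run of text, or a stray "<".
TOKEN = %r{</?[A-Za-z][^>]*>|[^<]+|<}

# Parse "<a href='x'>" into [name, closing?, {attr => value}]; nil if not a tag.
def parse_tag(tag)
  m = tag.match(%r{\A<(/?)([A-Za-z][A-Za-z0-9]*)([^>]*)>\z})
  return nil unless m
  closing = m[1] == "/"
  name = m[2].downcase
  attrs = {}
  m[3].scan(/([A-Za-z][\w:-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/) do |k, v1, v2, v3|
    attrs[k.downcase] = (v1 || v2 || v3).to_s
  end
  [name, closing, attrs]
end

# Browsers ignore control characters and whitespace inside a scheme, so strip
# them before checking: " javascript:" and "java\nscript:" are rejected too.
def safe_url?(value)
  value.gsub(/[\x00-\x20]/, "").match?(SAFE_URL)
end

# Rebuild the markup keeping only allowlisted tags, allowlisted attributes and
# safe href values. Unknown tags are dropped but their text content is kept,
# so "<script>alert(1)</script>" becomes the harmless text "alert(1)".
# Text runs are re-escaped, which doubles existing entities such as "&amp;";
# a DOM-based sanitizer like Rails' avoids that by parsing first.
def sanitize_html(input)
  input.scan(TOKEN).map do |tok|
    next CGI.escapeHTML(tok) unless tok.start_with?("<")
    parsed = parse_tag(tok)
    next CGI.escapeHTML(tok) if parsed.nil? # stray "<" such as in "1 < 2"
    name, closing, attrs = parsed
    next "" unless ALLOWED_TAGS.include?(name)
    next "</#{name}>" if closing
    allowed = ALLOWED_ATTRS.fetch(name, [])
    kept = attrs.select { |k, v| allowed.include?(k) && (k != "href" || safe_url?(v)) }
    attr_str = kept.map { |k, v| %( #{k}="#{CGI.escapeHTML(v)}") }.join
    "<#{name}#{attr_str}>"
  end.join
end

if __FILE__ == $PROGRAM_NAME
  # The example from the thread: the javascript: href is removed, the link text stays.
  puts sanitize_html(%(A bad <a href="javascript: alert('Your site is vulnerable!')">link</a>.))
end
```

The important property is that filtering happens on the server, at output time, regardless of what the Redactor widget did in the browser: a user can bypass any client-side check by posting the form directly, so the view is the only place where the decision is enforceable.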