bernat / best_in_place

A RESTful unobtrusive jQuery Inplace-Editor and a helper as a Rails Gem
http://blog.bernatfarrero.com/in-place-editing-with-javascript-jquery-and-rails-3/

html doesn't get rendered correct #605

Closed glauni closed 6 years ago

glauni commented 6 years ago

Hey,

I am struggling right now with some sanitizing misbehaviours.

I am using the following code in my view:

    <div class="col-12 col-md-8">
        <% if current_user == @post.user || current_user.try(:admin?) %>
            <%= best_in_place @post, :body, :as => :textarea, inner_class: 'form-control', ok_button: 'update', ok_button_class: 'btn btn-outline-success btn-sm' %>
        <% else %>
            <p class="postbody"><%= sanitize @post.body %></p>
        <% end %>
        <div class="py-3">

Input text:

Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua.

Expected: code block doesn't seem to accept bold text

Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua.

Behavior

Lorem <b> ipsum </b> dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua.

If I am logged out my post.body gets sanitized. However, if I am logged in the text accepts html tags. In the documentation it says sanitize is set to true by default. I tried sanitize: true as well as sanitize: false, still doesn't work.

Does anyone know why it behaves like this?

Best regards
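The two outputs contrasted in the post (the `sanitize`d body in the logged-out branch versus the literal `<b> ipsum </b>` seen in the editable branch) come from two different treatments of the stored body: HTML escaping, which turns every tag into visible text, and allowlist sanitization, which keeps a small set of harmless tags and drops everything else. The script below is an added example and is not code from best_in_place or from the poster; it uses only the Ruby standard library, so `sanitize_allowlist` is a deliberately simplified stand-in for the Rails `sanitize` helper (which is backed by rails-html-sanitizer and a real HTML parser), and the sample body is constructed.

```ruby
require "cgi"

# Tags an allowlist sanitizer lets through (a subset of what the Rails
# helper permits by default; assumption for this example).
ALLOWED_TAGS = %w[b i em strong p br].freeze
# Tags whose text content is dropped along with the tag itself.
CONTENT_DROPPED_TAGS = %w[script style].freeze

# Escaping: every tag becomes literal text, so "<b>" is displayed as "<b>".
# This is the behaviour a reader sees when a helper escapes the body.
def escape_html(body)
  CGI.escapeHTML(body)
end

# Allowlist sanitization: keep allowed tags (with all attributes stripped),
# drop every other tag but keep its text, and drop script/style entirely.
# Simplified regex tokenizer for illustration only; it does not balance tags
# or handle malformed markup the way an HTML parser does.
def sanitize_allowlist(body, allowed: ALLOWED_TAGS)
  out = +""
  skipping = nil # name of a CONTENT_DROPPED_TAGS element we are inside
  body.scan(/<[^>]*>|[^<]+/) do |token|
    if token.start_with?("<")
      closing = token.start_with?("</")
      name = token[/\A<\/?\s*([a-zA-Z0-9]+)/, 1].to_s.downcase
      if skipping
        skipping = nil if closing && name == skipping
        next
      end
      if allowed.include?(name)
        out << (closing ? "</#{name}>" : "<#{name}>")
      elsif CONTENT_DROPPED_TAGS.include?(name) && !closing
        skipping = name
      end
      # any other tag is dropped; its surrounding text is kept
    else
      # normalize text: decode entities, then re-encode safely
      out << CGI.escapeHTML(CGI.unescapeHTML(token)) unless skipping
    end
  end
  out
end

# Constructed sample body (not taken from the issue).
SAMPLE_BODY = 'Lorem <b class="x">ipsum</b> dolor <script>track()</script> ' \
              'sit <a href="/p" onclick="go()">amet</a> & more'

if __FILE__ == $PROGRAM_NAME
  puts "escaped:   #{escape_html(SAMPLE_BODY)}"
  puts "sanitized: #{sanitize_allowlist(SAMPLE_BODY)}"
end
```

Running it shows the same contrast as the post: the escaped form contains no `<` at all (the bold tag is shown as text), while the sanitized form keeps `<b>ipsum</b>` as markup and removes the script element and the link with its event-handler attribute. Whichever branch of the view renders the body, the body should pass through one of these two paths before it reaches the page; rendering the stored string unchanged is the case to avoid.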

casper commented 6 years ago

This issue may help you:
https://github.com/bernat/best_in_place/issues/520

glauni commented 6 years ago

Problem solved through #520