spohlenz / tinymce-rails

Integration of TinyMCE with the Rails asset pipeline

Tinymce posts markup instead of formatted text #66

Closed ToluB closed 12 years ago

ToluB commented 12 years ago

Hello,

I am working on a forum app. I installed the tinymce rails gem, initialized it, and inserted it into a text area within a form. Unfortunately when I make a post the markup gets posted instead of the formatted text (e.g. it always shows

"Something I've typed

instead of just showing "Something I've typed" formatted as a paragraph.

I've required tinymce in my javascripts and instantiated it on both the form submit and display changes.

Any hints as to what I might be doing wrong would be appreciated.

Thanks!

spohlenz commented 12 years ago

Rails will automatically escape HTML to prevent XSS attacks, so you'll need to output the raw HTML:

<%=raw @post.content %>

It sounds like you might be accepting posts from untrusted users so I'd recommend looking into the sanitize helper as well.

ToluB commented 12 years ago

Adding raw didn't work. I will look into sanitize, but the app is still in early production so I am the only one using it.

Thanks

spohlenz commented 12 years ago

Can you see how the HTML is being stored in the database? If the P tags appear encoded with > and < then it could be a TinyMCE-related issue. However if it is stored in the DB as

Your content

, then using the correct output helpers should help. Maybe try <%= @post.content.html_safe %>.

ToluB commented 12 years ago

Thanks for the help Sam. Really appreciate it.

The HTML is being stored as

My content

so I will try out some output helpers.

I just noticed in the console I am getting an error "Uncaught TypeError: undefined is not a function" in relation to tiny mce src.js:13117. This suggests that maybe I don't have the proper JavaScript code, though I downloaded the gem and added the //=require tinymce. Any ideas what the issue could be?

Thanks!

spohlenz commented 12 years ago

Can you post your tinymce.yml (if you are using one) and the code you are using to initialize TinyMCE? My best bet is that you are trying to load a theme that does not exist.

ToluB commented 12 years ago

My tinymce.yml:

theme_advanced_toolbar_location: top
theme_advanced_toolbar_align: left
theme_advanced_statusbar_location: bottom
theme_advanced_buttons3_add:

Inside application.js:

//= require tinymce
//= require tinymce-jquery

Top of the form page:

<%= tinymce_assets %>
<%= tinymce %>

Within the form:

<%= f.text_area :content, :class=> "tinymce", :size =>'10x10',placeholder: "Credits for your thoughts?" %>

Thanks.

spohlenz commented 12 years ago

Try removing those lines from your application.js. You need only one of these three to include the assets:

ToluB commented 12 years ago

Thanks for the tip.

Still seeing markup rather than formatting, but the JavaScript error no longer exists.

From inspecting the code in the console it seems as if it should be working properly. I will try the helpers and see if some of my other code may be interfering.

ToluB commented 12 years ago

Ha!

It appears I used the "raw" helper incorrectly the first time. It is now working. I will make sure I look into the sanitize method to assure there is no resulting security hole.

Issue closed. Thank you sir!

premcspc commented 11 years ago

Hello Sir, I have a similar issue. I have tried all the fixes mentioned above but all attempts failed and it's still displaying the markup.

My rails version is 3.2.13

My tinymce.yml:

theme_advanced_toolbar_location: top
theme_advanced_toolbar_align: left
theme_advanced_statusbar_location: bottom
theme_advanced_buttons3_add:

Inside my application.js:

//= require jquery
//= require jquery_ujs
//= require tinymce
//= require modern/theme.min

My view:

<div class="field">
  <%= f.label :content %><br />
  <%=raw f.text_area :content, :class => "tinymce", :size => "10x10", :id => "myeditorid" %>
  <%= tinymce :theme => "modern", :selector => "textarea", :mode => "textareas", :plugins => ["advlist", "anchor", "autolink", "paste", "textcolor"], :image_advtab => true, :apply_source_formatting => true, :schema => "html5" %>
</div>
<div class="field">
  <%= f.label :date %><br />
  <%= f.datetime_select :date %>
</div>
<div class="actions">
  <%= f.submit %>
</div>

When I submit the form my output is:

<h1>Welcome to the TinyMCE editor demo!</h1>
<p>Feel free to try out the different features that are provided, please note that the MCImageManager and MCFileManager specific functionality is part of our commercial offering. The demo is to show the integration.
</p>
<p>We really recommend&nbsp;<a href="http://www.getfirefox.com" target="_blank">Firefox</a>&nbsp;as the primary browser for the best editing experience, but of course, TinyMCE is&nbsp;<a href="../wiki.php/Browser_compatiblity" target="_blank">compatible</a>&nbsp;with all major browsers.</p>

Sir, I don't know where I'm going wrong. Please help me with what has to be done to fix it.

spohlenz commented 11 years ago

@premcspc:

1) The raw helper call should be on the line where you render the output, not on the text_area tag line.
2) Check your Rails logs to see what is actually getting submitted and written to the database.
3) If that doesn't help, post the view where you are outputting the result.

premcspc commented 11 years ago

@spohlenz:

It works. Thanks a lot sir.

scratchoo commented 10 years ago

Hi @spohlenz, you recommend using the raw helper on the output content, but the documentation about "raw" says:

This is not recommended if the data is coming from the user's input.

For example:

<%=raw @user.name %>

My question is: is it safe to let users update or create content using TinyMCE?

I also posted this question on Stack Overflow: http://stackoverflow.com/questions/19773837/is-it-safe-to-permit-user-add-content-using-tiny-mce/19774383?noredirect=1#19774383

thank you.

spohlenz commented 10 years ago

@medBouzid If you are accepting HTML content from ordinary users (as opposed to, say, trusted admins), you'll definitely want to look into something like Rails' sanitize helper, as mentioned above, since you'll leave yourself open to XSS attacks otherwise.
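What the three helpers traded back and forth in this thread (the escaping `<%= %>` does by default, `raw`/`html_safe`, and `sanitize`) do to stored TinyMCE output, as an added example that is not from the issue or the tinymce-rails gem: plain Ruby using only the standard library's ERB::Util and REXML. `sanitize_fragment` is a constructed allowlist stand-in that mimics what Rails' sanitize helper does; in an application use the real helper with an explicit tag and attribute allowlist.

```ruby
require 'erb'
require 'rexml/document'

# Rails' <%= %> on a plain String HTML-escapes it, so the browser shows the
# literal "<p>" markup. That is the symptom reported in this thread.
def render_escaped(html)
  ERB::Util.html_escape(html)
end

# <%= raw %> / html_safe: stored HTML reaches the browser untouched, scripts included.
def render_raw(html)
  html
end

ALLOWED_TAGS = %w[p br strong em a ul ol li].freeze
ALLOWED_ATTRS = { 'a' => %w[href] }.freeze
DROP_WITH_CONTENT = %w[script style].freeze # nothing inside these is worth keeping
VOID_TAGS = %w[br].freeze
SAFE_HREF = %r{\A(https?:|mailto:|/|#)}i # rejects javascript: and data: URLs

# Allowlist filter constructed for this example as a stand-in for Rails'
# sanitize helper: elements not on the list are unwrapped to their text,
# attributes not on the list are dropped, text and attribute values are
# re-escaped. Expects well-formed XHTML, which is what TinyMCE emits.
def sanitize_fragment(html)
  doc = REXML::Document.new("<root>#{html.gsub('&nbsp;', '&#160;')}</root>")
  clean_children(doc.root)
end

def clean_children(node)
  node.children.map do |child|
    case child
    when REXML::Text then ERB::Util.html_escape(child.value) # CDATA included
    when REXML::Element then clean_element(child)
    else '' # comments and processing instructions
    end
  end.join
end

def clean_element(el)
  name = el.name.downcase
  return '' if DROP_WITH_CONTENT.include?(name)
  inner = clean_children(el)
  return inner unless ALLOWED_TAGS.include?(name)
  attrs = (ALLOWED_ATTRS[name] || []).filter_map do |attr|
    value = el.attributes[attr]
    next if value.nil? || (attr == 'href' && value !~ SAFE_HREF)
    %( #{attr}="#{ERB::Util.html_escape(value)}")
  end.join
  VOID_TAGS.include?(name) ? "<#{name}#{attrs}>" : "<#{name}#{attrs}>#{inner}</#{name}>"
end
```

Feeding the stored post `<p>My content</p>` to `render_escaped` yields the `&lt;p&gt;My content&lt;/p&gt;` text the reporter saw, while `sanitize_fragment` keeps the paragraph and strips any `<script>`, `onclick` or `javascript:` href a visitor could have pasted into the editor.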

scratchoo commented 10 years ago

@spohlenz thank you for the quick answer, OK, I will look at the sanitize helper and see the result :)