Rails DON'T sanitize

894 views Asked by At

I am making a web app that integrates the Ace online IDE. A user enters an input through the Ace IDE which is then stored in a database. But when that is then rendered from the database Rails has done some sort of sanitization and the HTML tags are not loaded.

How do I explicitly tell Rails to leave all HTML tags in the tags and not format it (includes tabs and spaces)?

EDIT:

This is what the user inputs:

enter image description here

And this is what it outputs:

enter image description here

3

There are 3 answers

2
Tim On BEST ANSWER

Turns out it was because I was using simple_format() when I removed that and just simply called <%= @lesson.lesson_content %> it rendered perfectly.

0
masukomi On

you have to append .html_safe to any string you're returning to the view. By default Rails doesn't trust anything the user might have created.

So

 <%= @my_source_code_from_the_db %>

Becomes

<%= @my_source_code_from_the_db.html_safe %>

As @Sam_D mentioned, another option is to wrap your string in a call to raw:

<%= raw(@my_source_code_from_the_db) %>
0
Sam On

Try the raw method. This method outputs without escaping a string