Comments (9)
Truly sorry for this late reply! It's probably too late, but I didn't want to just close the issue.
RedCloth has very limited configurability. It supports the flags described in the docs and that's pretty much it.
If this is non-user input you could try the :safe flag, which marks the input as safe and thus skips escaping all together. Use with caution.
Again, truly sorry.
from formatize.
Thanks so much for looking into this. I know the maintainer of Redcloth, I'll see if I can pester him at the next Philly.rb meeting and get some HTML5 love happening. I didn't realize you were using Redcloth internally.
Walter
from formatize.
Jason posted to twitter the following links:
https://t.co/XZ4bqEoT to fix this in the Redcloth 4 branch
https://t.co/DTLlwa1D to fix it in Redcloth-parslet, which will become Redcloth 5 as soon as it's baked.
from formatize.
As I understand it, there are two options until RedCloth 5 is released:
- Add HTML5 tags to
BASIC_TAGS
. - Use
clean_html
prior to parsing, overriding the defaultallowed_tags
argument. Then pass the:safe
flag to RedCloth, to avoid re-escaping.
Right?
from formatize.
That sounds plausible. I hadn't thought of the second of these, it sounds even nicer than monkey-patching the BASIC_TAGS constant. Jason has opened a ticket to make this even easier going forward. Follow Lighthouse ticket http://jgarber.lighthouseapp.com/projects/13054-redcloth/tickets/244-allow-customizing-sanitization-whitelist-without-a-monkey-patch for updates...
Walter
On Feb 29, 2012, at 1:16 PM, David Trasbo wrote:
As I understand it, there are two options until RedCloth 5 is released:
- Add HTML5 tags to
BASIC_TAGS
.- Use
clean_html
prior to parsing, overriding the defaultallowed_tags
argument. Then pass the:safe
flag to RedCloth, to avoid re-escaping.Right?
Reply to this email directly or view it on GitHub:
#5 (comment)
from formatize.
Good!
textilize
actually uses the sanitize
helper from Rails unless you pass the :safe
option, which RedCloth doesn't understand. The default behavior of RedCloth is to let everything slip through, but the used-to-be Rails helper toggles that behavior.
The point is, even if we do patch RedCloth to allow HTML5 it won't take effect unless the :safe
option is passed to textilize
to bypass Rails' sanitization.
The Rails sanitizer seems more extensive to me, so a better solution could be to configure sanitize
to allow HTML5 tags, as described in its docs.
from formatize.
I can't seem to find a definitive list of the whitelisted elements in the docs. Considering the scaffold generator uses HTML5, it would be odd if those elements weren't on the list.
Walter
On Feb 29, 2012, at 1:50 PM, David Trasbo wrote:
Good!
textilize
actually uses thesanitize
helper from Rails unless you pass the:safe
option, which RedCloth doesn't understand. The default behavior of RedCloth is to let everything slip through, but the used-to-be Rails helper toggles that behavior.The point is, even if we do patch RedCloth to allow HTML5 it won't take effect unless the
:safe
option is passed totextilize
to bypass Rails' sanitization.The Rails sanitizer seems more extensive to me, so a better solution could be to configure
sanitize
to allow HTML5 tags, as described in its docs.
Reply to this email directly or view it on GitHub:
#5 (comment)
from formatize.
Demonstrating in the console that HTML5 is escaped:
helper.sanitize('<article></article>')
=> ""
from formatize.
I chose to add a note regarding customization of sanitize
to the readme.
Closing this for now.
from formatize.
Related Issues (8)
- html_safe being called when it shouldn't HOT 1
- Rails 3.0.0.rc HOT 1
- Rails 3.0.0.rc2 HOT 2
- textilize_without_paragraph escaping text HOT 8
- Markdown does not recognized mixed list when using an unordered list under an ordered list HOT 1
- Markdown doesn't pass options that Bluecloth respects HOT 2
- ABANDONED
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from formatize.