Tags: html, ruby-on-rails, escaping, textile

How do I textile and sanitize html?


Now I ran into some stupid situation. I want the users to be able to use textile, but they shouldn't mess around with my valid HTML around their entry. So I have to escape the HTML somehow.

Any suggestions on that one? I would prefer not to use Tidy for this problem. Thanks in advance.


Solution

  • For those who run into the same problem: If you are using the RedCloth gem you can just define your own method (in one of your helpers).

    require 'redcloth' # only needed outside Rails, where Bundler does not load the gem for you

    # Renders user-supplied Textile to HTML. Any raw HTML the user typed
    # (i.e. tags not produced by the Textile processor) is escaped, so it
    # is displayed literally instead of being rendered by the browser.
    def safe_textilize( s )
      if s && s.respond_to?(:to_s)
        doc = RedCloth.new( s.to_s )
        doc.filter_html = true # escape HTML that RedCloth did not generate itself
        doc.to_html
      end
    end


    Excerpt from the Documentation:

    Accessors for setting security restrictions.

    This is a nice thing if you're using RedCloth for formatting in public places (e.g. Wikis) where you don't want users to abuse HTML for bad things.

    If filter_html is set, HTML which wasn't created by the Textile processor will be escaped. Alternatively, if sanitize_html is set, HTML can pass through the Textile processor but unauthorized tags and attributes will be removed.
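To show what "HTML which wasn't created by the Textile processor will be escaped" means in practice, here is an added, self-contained Ruby illustration. It is not part of the answer and it is not RedCloth: `SafeTextile` is a hypothetical toy processor that supports only `*bold*`, `_emphasis_` and blank-line paragraphs, but it applies the same principle as `filter_html`: the user's text is HTML-escaped first, and only the markup conversion that runs afterwards is allowed to emit tags. The inputs in the demo are constructed.

```ruby
require 'cgi'

# Added example (hypothetical toy processor, not RedCloth). It mirrors the idea
# behind RedCloth's filter_html: escape every '<', '>', '&' and quote the user
# typed BEFORE converting markup, so the only tags in the output are the ones the
# processor itself produces.
module SafeTextile
  # Inline markup supported by this toy processor (a tiny subset of Textile).
  INLINE_RULES = [
    [/\*([^*\n]+)\*/, '<strong>\1</strong>'], # *bold*
    [/_([^_\n]+)_/,   '<em>\1</em>']          # _emphasis_
  ].freeze

  # Step 1: make user-supplied HTML inert by escaping it.
  def self.escape(text)
    CGI.escapeHTML(text)
  end

  # Step 2: convert the markup subset to HTML. This runs on already-escaped
  # text, so the only '<' and '>' in the result are the ones inserted here.
  def self.inline(text)
    INLINE_RULES.reduce(text) { |acc, (pattern, html)| acc.gsub(pattern, html) }
  end

  # Same shape as the answer's helper: nil-safe, escape first, then format.
  # Blank lines separate paragraphs, as in Textile.
  def self.safe_textilize(source)
    return nil if source.nil?

    escaped = escape(source.to_s)
    escaped.split(/\n{2,}/).map { |para| "<p>#{inline(para.strip)}</p>" }.join("\n")
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inputs: ordinary markup, and markup mixed with raw HTML.
  puts SafeTextile.safe_textilize("Hello *world*")
  puts SafeTextile.safe_textilize("<script>alert(1)</script> is *not* run")
end
```

In a Rails view the same caveat applies to the real helper: Rails 3 and later escape any plain string that ERB outputs, so once the processor has filtered the input you mark its result with `html_safe`; mark it only at that point, never the raw user text.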