5.11. Adding Support for Textile

Although the body text was typed as separate paragraphs in the text area, as shown in Figure 5-17, the newline characters that separate them are not rendered as line breaks or new paragraphs when the template is rendered as HTML, because browsers collapse whitespace in ordinary text.

You could use the helper simple_format, which appends a line break (that is, <br />) to each newline. When two consecutive newlines are found, the text before them and the text after them are wrapped in two separate pairs of paragraph tags. This fixes the "wall of text" issue, but since simple_format does not escape or filter its input, you'd still be left with the problem of safely allowing innocuous HTML tags while rejecting dangerous ones.

Figure 5-17.

The helper method sanitize does exactly that. It works as a whitelist: tags and attributes that aren't explicitly allowed are removed from the output, and the values of permitted attributes are checked as well, so that, for example, an href pointing to a javascript: URL is rejected. The method accepts two arguments, the HTML text that needs to be "sanitized" and a hash of options (such as :tags and :attributes, to override the default whitelist). sanitize can be considered a more advanced replacement for h, which escapes everything indiscriminately. If you were to adopt this strategy, simple_format and sanitize could be used together, first to obtain paragraph separation from newlines and then to strip all the non-allowed tags and attributes. This approach would work but would require the blog's author to manually insert HTML.

It is customary for blog engines to provide a friendly markup language like Textile or Markdown, instead of requiring HTML code to be written. Assume that in your blog you'll opt for Textile, which is a very readable and easy to remember markup language.

A Textile reference is available online at http://hobix.com/textile. For converting Markdown, you can use the BlueCloth library instead.

The author will enter Textile text, which will be stored in the database as-is. The only conversion required is in the view layer, where you want to transform the retrieved body attribute from Textile into HTML that can be rendered by any browser.

Ruby offers a library called RedCloth that is able to perform this conversion for you. As long as the RedCloth gem is installed, Rails' helper method textilize can be used. The first thing you'll need to do is add a requirement for the RedCloth gem in config/environment.rb, as follows:

Rails::Initializer.run do |config|
  # ...
  # ...
  config.gem "RedCloth", :version => ">= 3.301", :source => "http://code.whytheluckystiff.net"
  # ...
  # ...
end

As you can see, this specifies that the application depends on the RedCloth gem, that the version installed should be 3.301 or greater, and that it should be fetched directly from the website of the developer. This third option is not strictly required, but for this particular gem it is highly recommended, given that the gem that's available from RubyForge is not the most up-to-date one and an important release (nicknamed Super RedCloth) was recently put out by the developer on his own repository.

Once you have added this config.gem line, save the file and run the rake gems:install task to install the required gem as follows:

C:\projects\blog> rake gems:install
(in C:/projects/blog)
gem.bat install RedCloth  --version ">= 3.301"  --source http://code.whytheluckystiff.net
Successfully installed RedCloth-3.301-x86-mswin32
1 gem installed

Now you need to employ the textilize helper provided by Rails into the templates for the index and show actions.

You could also use RedCloth.new(text).to_html where text is the textile text that needs to be converted.

This is easily done by replacing the following snippet in index.html.erb:

<div class="entry">
<%=h article.body %>
</div>

with:

<div class="entry">
<%= textilize(article.body) %>
</div>

And similarly, replace the following in show.html.erb:

<div class="entry">
<%=h @article.body %>
</div>

with:

<div class="entry">
<%= textilize(@article.body) %>
</div>

This will convert the textile markup into HTML code.

Regarding the Security of textilize

The textilize helper doesn't sanitize the text passed to it: RedCloth passes any raw HTML found in the Textile source through to the output, and Textile syntax itself can generate links to arbitrary URLs and inline style attributes (as the %{color:red} example later in this section shows). Output built from end-user input, such as a comment, is therefore susceptible to cross-site scripting (XSS) attacks, and must be explicitly sanitized using the sanitize helper or another whitelisting filter. Apply the filter to the HTML that textilize returns, not to the Textile source, since it is the conversion that produces the tags and attributes you need to check.

In this specific case, as mentioned before, you are the only one who will have access to the form for entering and editing articles (once the app has authentication in place), so it is not strictly necessary to sanitize your own input. Keep in mind, though, that the body is stored and rendered to every visitor: if an author's credentials are ever compromised, unfiltered output turns that single account into persistent XSS against all readers, so sanitizing article bodies as well costs little and is a sensible precaution. Things would be very different for forms that accept Textile comments from visitors. Chapter 11 has more security considerations.
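To make the whitelisting described here (and in the discussion of sanitize earlier in this section) concrete, the following is an added example written in plain Ruby for this section; it is not the implementation of Rails' sanitize helper or of RedCloth, and it is not code from the book. It keeps an assumed set of tags and attributes, drops style and event-handler attributes, escapes disallowed tags so they appear as literal text, and rejects href values whose scheme is not whitelisted, including ones obfuscated with character entities or embedded whitespace. The sample comment HTML it runs on is constructed to resemble what textilize might emit for a hostile visitor comment.

```ruby
# Added example (not from the book, Rails or RedCloth): a small whitelist HTML
# filter in the spirit of the sanitize helper, applied to the HTML that
# textilize returns. The tag, attribute and protocol lists are assumptions
# chosen for this example.
require 'cgi'

ALLOWED_TAGS      = %w[p a strong em span br].freeze
ALLOWED_ATTRS     = %w[href title].freeze           # deliberately no style, no on* handlers
ALLOWED_PROTOCOLS = %w[http https mailto].freeze

# One HTML tag: optional "/", name, attribute text, optional trailing "/".
# Limitation: a ">" inside an attribute value would end the tag early.
TAG_RE  = %r{<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*?)(/?)>}
ATTR_RE = /([a-zA-Z][a-zA-Z0-9\-]*)\s*=\s*("([^"]*)"|'([^']*)'|([^\s"'>]+))/

# Reject any URL whose scheme is not whitelisted. Whitespace and control
# characters are removed first, because "java\nscript:" evades naive checks.
def safe_protocol?(url)
  v = url.downcase.gsub(/[\s\x00-\x1f]/, '')
  return true unless v.include?(':')                        # relative URL
  scheme = v.split(':', 2).first
  return true unless scheme =~ /\A[a-z][a-z0-9+.\-]*\z/     # colon is not part of a scheme
  ALLOWED_PROTOCOLS.include?(scheme)
end

# Keep only whitelisted attributes, re-escaping their decoded values.
def sanitize_attrs(raw)
  kept = []
  raw.scan(ATTR_RE) do |name, _quoted, dq, sq, bare|
    name  = name.downcase
    value = CGI.unescapeHTML(dq || sq || bare || '')        # decode before checking: &#106;avascript:
    next unless ALLOWED_ATTRS.include?(name)
    next if name == 'href' && !safe_protocol?(value)
    kept << " #{name}=\"#{CGI.escapeHTML(value)}\""
  end
  kept.join
end

# Whitelisted tags are rebuilt from scratch with filtered attributes; any other
# tag is escaped so it shows up as literal text (the choice Rails 2.x makes too),
# and HTML comments are dropped.
def whitelist_sanitize(html)
  html.gsub(/<!--.*?-->/m, '').gsub(TAG_RE) do
    closing, name, attrs, selfclose = $1, $2.downcase, $3, $4
    if !ALLOWED_TAGS.include?(name)
      CGI.escapeHTML($&)
    elsif closing == '/'
      "</#{name}>"
    else
      "<#{name}#{sanitize_attrs(attrs)}#{selfclose == '/' ? ' /' : ''}>"
    end
  end
end

# Constructed sample: what textilize might emit for a hostile visitor comment.
SAMPLE_COMMENT = <<~HTML
  <p>Nice post! <a href="http://example.com">my site</a></p>
  <p><span style="color:red;">look</span> <a href="javascript:alert(1)">click</a></p>
  <p><a href="&#106;avascript:alert(1)" onclick="alert(2)">click too</a></p>
  <script>alert(document.cookie)</script><!-- hidden -->
  <p>See <strong>this</strong><br />and that</p>
HTML

if $PROGRAM_NAME == __FILE__
  puts whitelist_sanitize(SAMPLE_COMMENT)
end
```

Run on the sample, the first and last paragraphs survive untouched, the span loses its style attribute, both javascript: links are reduced to bare <a> tags, the onclick handler and the comment disappear, and the script element is rendered as harmless escaped text. A production filter should use a real HTML parser rather than regular expressions, which is exactly what Rails' sanitize does; the point of this example is which decisions such a filter has to make, not the parsing.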


Restart Mongrel, and load http://localhost:3000 into your browser. This time around, you should be able to see that textilize has converted each chunk of text into a paragraph of its own.

Now create a new article by employing a bit more textile markup. Use the following text for the body:

Hi there!

If you don't know what %{color:red}Rails% is, you can read more about it on the
"official website":http://rubyonrails.org and then buy Antonio Cangiano's book.
It's *highly recommended*. ;-)

By the way, did you know that Ruby on Rails(TM) is a trademark of "David Heinemeier
Hansson":http://loudthinking.com?

This will be converted into the following HTML code by the textilize helper:

<p>Hi there!</p>
<p>If you don't know what <span style="color:red;">Rails</span> is, you can
read more about it on the <a href="http://rubyonrails.org">official website</a>
and then buy Antonio Cangiano's book. It's <strong>highly recommended</strong>. ;-)</p>

<p>By the way, did you know that Ruby on Rails (TM) is a trademark of <a
href="http://loudthinking.com">David Heinemeier Hansson</a>?</p>

The rendered page for the show action is shown in Figure 5-18.

Figure 5-18.

Another easy way to handle textile in Rails is to use the acts_as_textiled plugin.
