Allow HTML and Deny JavaScript

How do I allow the HTML and deny the JavaScript?

If you use the h tag:

<% for column in Post.content_columns %>
  <p>
    <b><%= column.human_name %>:</b>
    <br />
    <%=h @post.send(column.name) %>
  </p>
<% end %>

You are escaping the HTML and JS tags/commands.

How can I display only the HTML format?

Thank you!

Rick Olson’s White List Helper is the way to go for this. It strips out anything that is not specifically allowed.
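
To make the difference between the two approaches concrete, here is an added example in plain Ruby (not the white_list plugin's own code): `escape_all` does what `h` does, escaping every tag, while `sanitize` keeps a short allowlist of tags and attributes and drops everything else, including event handlers and `javascript:` links. The tag list, attribute list and URL-scheme check are assumptions chosen for illustration; for production use, a maintained sanitizer with a tested allowlist is the safer choice.

```ruby
# Added example, not the white_list plugin's code: a minimal allowlist-based
# HTML sanitizer in plain Ruby. The tag list, attribute list and URL-scheme
# check are illustrative assumptions.
require 'cgi'

module AllowListSanitizer
  # Tags that survive; everything else is dropped (its text content is kept).
  ALLOWED_TAGS = %w[p br b i em strong a ul ol li].freeze
  # Attributes permitted per tag; anything else (onclick, style, ...) is dropped.
  ALLOWED_ATTRS = { 'a' => %w[href title] }.freeze
  # URL schemes permitted in href; javascript:, data:, vbscript: are not listed.
  ALLOWED_SCHEMES = %w[http https mailto].freeze

  TAG_SPLIT_RE = /(<\/?[a-zA-Z][a-zA-Z0-9]*\b[^>]*>)/
  TAG_PARSE_RE = /\A<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>\z/
  ATTR_RE      = /([a-zA-Z][a-zA-Z0-9\-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/
  SCHEME_RE    = /\A([a-z][a-z0-9+.\-]*):/

  # What Rails' h() does: escape everything, so no markup is rendered at all.
  def self.escape_all(html)
    CGI.escapeHTML(html)
  end

  # Keep allowlisted tags and attributes, escape all other text.
  def self.sanitize(html)
    # The capturing group makes split return the tags as odd-indexed pieces;
    # even-indexed pieces are plain text and get escaped like h() would.
    pieces = html.split(TAG_SPLIT_RE)
    pieces.each_with_index.map do |piece, i|
      i.odd? ? rebuild_tag(piece) : CGI.escapeHTML(piece)
    end.join
  end

  # Re-emit a tag from scratch, keeping only allowlisted attributes.
  def self.rebuild_tag(tag)
    m = tag.match(TAG_PARSE_RE)
    closing = m[1] == '/'
    name = m[2].downcase
    return '' unless ALLOWED_TAGS.include?(name)
    return "</#{name}>" if closing

    allowed = ALLOWED_ATTRS.fetch(name, [])
    attrs = m[3].scan(ATTR_RE).map do |attr, dq, sq, bare|
      attr = attr.downcase
      # Decode entities first so "java&#115;cript:" cannot hide the scheme.
      value = CGI.unescapeHTML(dq || sq || bare)
      next unless allowed.include?(attr)
      next if attr == 'href' && !safe_url?(value)
      %(#{attr}="#{CGI.escapeHTML(value)}")
    end.compact

    self_closing = name == 'br'
    "<#{name}#{attrs.map { |a| " #{a}" }.join}#{self_closing ? ' /' : ''}>"
  end

  # Relative URLs are fine; absolute ones must use an allowlisted scheme.
  def self.safe_url?(url)
    # Browsers ignore whitespace and control characters inside the scheme,
    # so "java\tscript:" must be treated as "javascript:".
    cleaned = url.gsub(/[\x00-\x20]/, '').downcase
    m = cleaned.match(SCHEME_RE)
    return true if m.nil?
    ALLOWED_SCHEMES.include?(m[1])
  end
  private_class_method :rebuild_tag, :safe_url?
end

if __FILE__ == $0
  # Constructed sample input: a bold tag with an event handler and a javascript: link.
  puts AllowListSanitizer.sanitize('<p>Hi <b onclick="x()">there</b> <a href="javascript:alert(1)">link</a></p>')
end
```

In a view this would be called the same way as `h`, for example `<%= AllowListSanitizer.sanitize(@post.content) %>`; the rendered result keeps the paragraph, bold and link markup but the `onclick` attribute and the `javascript:` href are gone. Disallowed tags such as `<script>` are dropped while their text content is kept as escaped text, so nothing inside them can execute.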

Daniel, sorry, but I am starting with Rails so I don’t know how to use this helper very well. I already copied the helper file to app/helpers, and in my view, where I should use <%=h @posts.content %>, I used <%= white_list @post.content %> and got an error “NoMethodError in Posts#show”. What is wrong?

Thank you!

Did you restart your app? Do you see errors when you start your app preventing the plugin from loading? Are you on a recent version of rails?

Yes. I just want to know how to install that.

I installed the plugin using $ ruby script/plugin install "svn link"

And I just replaced the h() helper with white_list, as I already said.

And I am getting this error:

NoMethodError in Posts#show

Showing app/views/posts/show.rhtml where line #4 raised:

undefined method `white_list' for #<#<Class:0xb708c5fc>:0xb708c5d4>

Extracted source (around line #4):

1: <span class="titletext"><%=h @post.name %></span>
2: <br />
3: <br />
4: <%= white_list @post.content %>
5:
6: <p>
7: <b> Created at: </b>

That's all you need. So again:

Did you restart your app? Do you see errors when you start your app preventing the plugin from loading? Are you on a recent version of rails?

Now it is working. I restarted my app. >.< Thank you Rick!