How to render user inputted html safely with phoenix

Hi everybody!

I have a description field of a Project schema which I plan to edit with
a wysiwyg editor, so I wanted to save the string as html. I want to show the description html in the Project page by using the Phoenix raw function but I’m not sure if this is safe, especially as users would be able to edit their projects.

How can I make sure the html I render is safe?
If you know where I can learn more on sanitizing with phoenix it’d be of great help

Does the string have to be HTML? Can your WYSIWYG be a Markdown editor? If so, you can store the description as Markdown and parse it using something like Earmark.

If not, this might be helpful: https://github.com/rrrene/html_sanitize_ex

3 Likes

No it doesn’t have to be in html, it just was the first thing that came to mind, now I’m wondering if I should use markdown instead :sweat_smile:

You could use both (kind of like how this editor works) and use the markdown_html/1 function in the HTML Sanitizer package.

1 Like

I would like to be able to use both for another case where people can make posts, but that’s future me’s problem

Thank you for your help @seanmor5

It is a common idiom to store user input in the input markup language and also store a prerendered version in the database.

You can render those into your response using Phoenix.HTML.raw/1

1 Like

What do you mean by a prerendered version? A version of the input that has been sanitized?

Well, some editors spit out markdown, others restructured text, some plain HTML. For those that don’t give you the HTML, you need to render the source into HTML.

Rendering it each time the content is requested might hurt server performance, therefore a prerendered version is often cached in the database.

4 Likes
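The store-source-plus-prerendered-copy idiom from the reply above, as an added example written for this thread (not code from any poster or from the libraries themselves). It assumes a `projects` table with `description` and `description_html` columns and the `earmark` and `html_sanitize_ex` dependencies; the rendered copy is sanitized before it is stored, so `raw/1` in the view only ever touches HTML that has passed the sanitizer.

```elixir
# Added example: keep the Markdown the editor produces as the source of
# truth and cache a sanitized HTML rendering next to it in the database.
# Assumed schema: projects(name, description, description_html).
defmodule MyApp.Projects.Project do
  use Ecto.Schema
  import Ecto.Changeset

  schema "projects" do
    field :name, :string
    field :description, :string        # Markdown exactly as the user entered it
    field :description_html, :string   # sanitized HTML rendered from it
    timestamps()
  end

  def changeset(project, attrs) do
    project
    |> cast(attrs, [:name, :description])
    |> validate_required([:name])
    |> put_description_html()
  end

  # Re-render only when the Markdown source actually changed; the stored
  # HTML is the cached copy the thread talks about.
  defp put_description_html(changeset) do
    case get_change(changeset, :description) do
      nil -> changeset
      md -> put_change(changeset, :description_html, render_description(md))
    end
  end

  # Render Markdown to HTML, then sanitize the result. Order matters:
  # Earmark passes inline HTML in the Markdown through unchanged, so
  # sanitizing the *output* is what removes untrusted tags and event
  # attributes. markdown_html/1 keeps the elements Markdown produces
  # (headings, lists, links, images, code) and strips everything else.
  def render_description(markdown) when is_binary(markdown) do
    markdown
    |> Earmark.as_html!()
    |> HtmlSanitizeEx.markdown_html()
  end
end

# View-side helper: the only place raw/1 is used, and only on the
# sanitized column. Nil (no description yet) renders as empty.
defmodule MyAppWeb.ProjectHTML.Helpers do
  def description_html(%{description_html: nil}), do: Phoenix.HTML.raw("")
  def description_html(%{description_html: html}), do: Phoenix.HTML.raw(html)
end
```

In a template this is used as `<%= description_html(@project) %>`; the plain `@project.description` column is never passed to `raw/1`.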

Oh I get it now, I’ll save it pre-rendered then :smiley: