Phoenix HTML safe in template

Hi there,

I’m trying to implement a JS WYSIWYG editor, but I'm getting stuck on HTML-safe output. How can I render HTML in the template? In Django, I use something like this:

{{ post.content|safe }}

Any help would be greatly appreciated! :smiley:
Thank you in advance

What have you tried so far, and what happened?

Have you already seen Phoenix.HTML? In particular, raw/1 might help you, as I understand your question.

2 Likes

Thanks @NobbZ ! raw seems the answer :smiley:

Well, I’m just trying a WYSIWYG editor to render HTML format on the template. When I try something like this:

bold text

The output is :

<b>bold text</b>

Anyway, I’m trying this :

<%= content_tag :p, post.body %>

But it doesn’t work.

Instead of using Phoenix.HTML.raw/1 directly, I’d suggest sanitizing the output of your WYSIWYG to a subset of trusted HTML before applying raw, just to avoid someone injecting bad stuff via a direct POST/PUT.

Mm… I’m sorry, but I don’t quite understand. Can you please give me some example code showing how to do that? Or any reference/tutorial?

I’m not from a Rails/Ruby background, so this templating engine is still unfamiliar to me :sweat:

Thank you very much @NobbZ :slight_smile:

Even if you do not have a background in RoR, sanitizing is not specific to it. One should do it in the Django world as well.

Since I do not have any Phoenix-related project at hand, I can’t give you any code or examples, but I can try to guide you.

First: To actually sanitize, I leave you to implement such a function on your own, which removes harmful stuff (like script tags) or just escapes such occurrences of tags into &gt; and &lt;. Depending on your requirements, you need to decide entirely on your own which subset of HTML you want to allow and which not.

Now we need to know whether you want to store the input you got somewhere or just use it for a one-time rendering.

If it is the first, you might need to extend your sanitizer a bit to remove injections. You should then run the sanitizer before actually inserting into the database. If your application is the sole individual writing to the database, you can consider anything read from there as safe and use raw/1 in the view to remove clutter in the template. If there are other programs and people that have write access to the database, do not trust them and do at least a verification of safety before “rawifying”.

If it is a one-time rendering, it should be sufficient to just sanitize, display and forget.

1 Like

Not always enough, sadly. What should be done is to scan explicitly for what you want to support, convert it into little EEx template chunks or so (or create the :safe tagged iolists manually), and pass anything that does not explicitly match through, so it will be converted (escaped) by Phoenix for you.

1 Like
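The allowlist approach described in the reply above, written out as an added example (this is not code from the thread, from Phoenix, or from the phoenix_html project). It assumes the phoenix_html package is available; `Phoenix.HTML.html_escape/1`, `raw/1` and `safe_to_string/1` are its real functions, while the module name `SafeMarkup`, the tag allowlist and the sample input are this example's own choices. Only a fixed set of attribute-less tags is emitted as trusted markup; every other fragment of the editor output, including any `<script>` tag or any tag carrying attributes, is escaped, so it renders as visible text rather than as markup.

```elixir
# Added example: an allowlist sanitizer that returns a {:safe, iodata} tuple,
# which Phoenix templates render without escaping it a second time.
# Assumes the phoenix_html package; SafeMarkup and its function names are
# this example's own and not part of Phoenix.
defmodule SafeMarkup do
  import Phoenix.HTML, only: [html_escape: 1, raw: 1, safe_to_string: 1]

  # Tags the editor is allowed to produce (assumption for the example).
  # Attributes are never matched, so onclick=... or href="javascript:..."
  # can only ever come out escaped.
  @allowed ~w(b i em strong p br ul ol li)

  # Matches a bare opening or closing tag with no attributes, e.g. <b> or </b>.
  @tag_re ~r{</?([a-zA-Z][a-zA-Z0-9]*)>}

  @doc """
  Splits the input into tag and text pieces. Allowed tags pass through as
  trusted markup; every other piece is HTML-escaped. The result is a single
  `{:safe, iodata}` value, usable directly as `<%= SafeMarkup.sanitize(body) %>`.
  """
  def sanitize(html) when is_binary(html) do
    # include_captures: true keeps the matched tags themselves in the list,
    # so tags and the text between them are handled as separate pieces.
    @tag_re
    |> Regex.split(html, include_captures: true)
    |> Enum.map(&chunk/1)
    |> Enum.map(fn {:safe, iodata} -> iodata end)
    |> raw()
  end

  # Convenience for iex: sanitized result as a plain string.
  def sanitize_to_string(html), do: html |> sanitize() |> safe_to_string()

  # A piece that is exactly one allowed tag becomes trusted markup;
  # anything else (text, unknown tags, tags with attributes) is escaped.
  defp chunk(piece) do
    case Regex.run(@tag_re, piece) do
      [^piece, name] ->
        if String.downcase(name) in @allowed, do: raw(piece), else: html_escape(piece)

      _ ->
        html_escape(piece)
    end
  end
end

# Constructed sample input standing in for what a WYSIWYG editor might POST.
sample = ~s(<b>bold text</b><script>alert(1)</script><a href="javascript:alert(2)">x</a>)
IO.puts(SafeMarkup.sanitize_to_string(sample))
```

Two caveats worth knowing before relying on something like this: the sanitizer does not check that tags are balanced, so an unclosed `<b>` from the editor can still leak formatting into the rest of the page (harmless for script injection, ugly for layout), and it drops every attribute, so links and images are not supported by this allowlist. For a production application, a maintained HTML sanitizer library is the safer choice over a hand-rolled regex pass.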

Hi @NobbZ, I really appreciate the answer. Still googling for more detailed material…

Is there an easy way to do this? I’m creating a simple blog with a WYSIWYG editor, just to see how productive I can be with Phoenix as soon as possible :sweat_smile:

In Django, I just ran into these docs: https://docs.djangoproject.com/en/1.10/ref/templates/builtins/

Maybe there’s something similar in Phoenix?

Thank you in advance

If we are ignoring sanitizing the markup (maybe it’s from a trusted source, i.e. you), then raw is the answer, as said above:

<p><%= raw post.body %></p>

4 Likes

Wow, the creator himself, such an honor :slight_smile:

Yes, actually that’s what I’m looking for. Still learning Phoenix, really great framework!

Thank you @chrismccord

3 Likes