I’m trying to implement some JS WYSIWYG editor, but I’m getting stuck on HTML-safe output. How can I render HTML in the template? In Django, I use something like this:
{{ post.content|safe }}
Any help would be greatly appreciated!
Thank you in advance
Instead of using Phoenix.HTML.raw/1 directly, I’d suggest sanitizing the output of your WYSIWYG to a subset of trusted HTML before applying raw, just to avoid someone injecting bad stuff via a direct POST/PUT.
Even if you do not have a background in RoR, sanitizing is not specific to them. One should do it in the Django world as well.
Since I do not have any Phoenix-related project at hand, I can’t give you any code or examples, but can only try to guide you.
First: to actually sanitize, I’ll leave it to you to implement such a function on your own, which removes harmful stuff (like script tags) or just escapes such occurrences of tags into &gt; and &lt;. Depending on your requirements, you need to decide entirely on your own which subset of HTML you want to allow and which not.
Now we need to know if you want to store the input you got somewhere or just use it for a one-time rendering.
If it is the first, you might need to extend your sanitizer a bit to remove injections. You should then run the sanitizer before actually inserting into the database. If your application is the sole individual writing to the database, you can consider anything read from there as safe and use raw/1 in the view to remove clutter in the template. If there are other programs and people that have write access to the database, do not trust them and do at least a verification of safety before “rawifying”.
If it is a one-time rendering, it should be sufficient to just sanitize, display and forget.
Not always enough, sadly. What should be done is to scan explicitly for what you want to support, convert it into little EEx template chunks or so (or create the :safe-tagged iolists manually), and pass anything that does not explicitly match through so it will be converted by Phoenix for you.
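As an added illustration of the approach described above (example code, not from any poster in this thread): a tiny allowlist sanitizer that keeps a handful of attribute-free tags as real markup, rebuilt from the tag name only, and pushes every other chunk through Phoenix.HTML.html_escape/1, returning a `{:safe, iodata}` tuple a template renders as-is. It assumes the `phoenix_html` dependency; the module name `SafeSubset` is hypothetical.

```elixir
defmodule SafeSubset do
  # Only these tag names are kept as real markup; anything else is escaped.
  # Attributes are never allowed: a tag carrying attributes fails the
  # regex below and is therefore escaped as plain text.
  @allowed ~w(p br b i em strong ul ol li)

  # One opening or closing tag with no attributes: <p>, </b>, <br>, <br/>.
  @tag_re ~r{</?([A-Za-z0-9]+)\s*/?>}

  @doc """
  Converts untrusted editor output into a `{:safe, iodata}` tuple.
  Allowed tags are rebuilt from their name only; everything else goes
  through Phoenix.HTML.html_escape/1, so no unknown markup survives.
  """
  def sanitize(input) when is_binary(input) do
    chunks =
      input
      |> Regex.split(@tag_re, include_captures: true)
      |> Enum.map(&chunk_to_iodata/1)

    {:safe, chunks}
  end

  defp chunk_to_iodata(chunk) do
    case Regex.run(@tag_re, chunk) do
      # The whole chunk is exactly one tag; keep it only if it is allowlisted.
      [^chunk, name] ->
        lower = String.downcase(name)

        if lower in @allowed do
          if String.starts_with?(chunk, "</"), do: "</#{lower}>", else: "<#{lower}>"
        else
          escape(chunk)
        end

      # Plain text between tags, or a tag the regex did not fully match.
      _ ->
        escape(chunk)
    end
  end

  # html_escape/1 returns {:safe, iodata}; only the iodata is needed here.
  defp escape(text) do
    {:safe, iodata} = Phoenix.HTML.html_escape(text)
    iodata
  end
end

# In a template the result renders without further escaping:
#   <%= SafeSubset.sanitize(@post.content) %>
#
# Constructed input for a quick check in iex:
#   SafeSubset.sanitize("<p>Hi <b>there</b><script>x()</script></p>")
#   |> Phoenix.HTML.safe_to_string()
# keeps <p> and <b> as markup while the script tag comes out escaped.
```

Because the sanitizer rebuilds tags instead of copying them, it is safe by construction even if the regex is later extended: nothing reaches the output except a literal tag name from the allowlist or escaped text.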
Hi @NobbZ, I really appreciate the answer. Still googling for more detailed material…
Is there any easy way to do this? I’m creating a simple blog with a WYSIWYG editor, just to see how I can be productive with Phoenix as soon as possible.