Safe way of presenting WYSIWYG Output in View

I have a LiveView where I allow users to write some rich text using the WYSIWYG editor Trix and I store that text in my database. I want to present the user-provided text in another View (think of a course description that a user writes and I show on the course's product page, for example).

I watched @ElixirCasts’s video about integrating Trix into LiveView and they use the raw/1 function to display the output in the template. But is that safe from HTML injections?

My understanding is that Trix does some sanitisation of the user input, but the user could always send malicious HTML directly to my LiveView, so I need some way to sanitise it myself in the backend. Is there a way to sanitise the HTML but still render it as HTML so that the styling of e.g. links, lists, etc. works?

3 Likes
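One way to do this on the server, as an added example that is not the original post's code and not a reproduction of the answer given in this thread (that reply is not on this page): reduce the stored HTML to an allowlist with the html_sanitize_ex library and only then hand it to `raw/1`. The module names `MyApp.RichText`, `MyApp.RichText.Scrubber`, `MyApp.Courses.Course` and `MyAppWeb.CourseComponents` are assumed, as is the set of tags Trix's default toolbar emits; adjust the allowlist to your editor configuration.

```elixir
# Assumed dependency in mix.exs: {:html_sanitize_ex, "~> 1.4"}

defmodule MyApp.RichText.Scrubber do
  @moduledoc """
  Allowlist scrubber for HTML produced by the Trix editor (hypothetical
  module). Anything not explicitly allowed below is stripped.
  """
  require HtmlSanitizeEx.Scrubber.Meta
  alias HtmlSanitizeEx.Scrubber.Meta

  # Only these URL schemes survive on href; "javascript:" and "data:" links
  # lose the attribute entirely.
  @valid_schemes ["http", "https", "mailto"]

  Meta.remove_cdata_sections_before_scrub()
  Meta.strip_comments()

  # Links: href is scheme-checked, title is allowed as plain text.
  Meta.allow_tag_with_uri_attributes("a", ["href"], @valid_schemes)
  Meta.allow_tag_with_these_attributes("a", ["title"])

  # Inline formatting and block structure from Trix's default toolbar
  # (assumed set). No attributes are allowed on these, so on* handlers,
  # style and class can never get through.
  Meta.allow_tag_with_these_attributes("strong", [])
  Meta.allow_tag_with_these_attributes("em", [])
  Meta.allow_tag_with_these_attributes("del", [])
  Meta.allow_tag_with_these_attributes("br", [])
  Meta.allow_tag_with_these_attributes("div", [])
  Meta.allow_tag_with_these_attributes("h1", [])
  Meta.allow_tag_with_these_attributes("blockquote", [])
  Meta.allow_tag_with_these_attributes("pre", [])
  Meta.allow_tag_with_these_attributes("ul", [])
  Meta.allow_tag_with_these_attributes("ol", [])
  Meta.allow_tag_with_these_attributes("li", [])

  # Everything else (script, iframe, style, svg, unknown attributes) is removed.
  Meta.strip_everything_not_covered()
end

defmodule MyApp.RichText do
  @moduledoc "Sanitises user-authored HTML before it is stored or rendered (hypothetical module)."

  @doc "Returns the allowlisted subset of `html`; only this output may be passed to `raw/1`."
  def sanitize(nil), do: nil

  def sanitize(html) when is_binary(html) do
    HtmlSanitizeEx.Scrubber.scrub(html, MyApp.RichText.Scrubber)
  end
end

defmodule MyApp.Courses.Course do
  use Ecto.Schema
  import Ecto.Changeset

  schema "courses" do
    field :description, :string
    timestamps()
  end

  # Sanitise at write time: whatever the LiveView receives, including HTML
  # posted directly without going through Trix, is reduced before it hits
  # the database.
  def changeset(course, attrs) do
    course
    |> cast(attrs, [:description])
    |> validate_required([:description])
    |> update_change(:description, &MyApp.RichText.sanitize/1)
  end
end

defmodule MyAppWeb.CourseComponents do
  use Phoenix.Component
  import Phoenix.HTML, only: [raw: 1]

  attr :html, :string, required: true

  # Sanitise again at render time as defence in depth (rows written by
  # migrations, imports or older code paths may never have been scrubbed),
  # then mark the result as safe so links, lists and headings keep their markup.
  def rich_text(assigns) do
    ~H"""
    <div class="trix-content"><%= raw(MyApp.RichText.sanitize(@html)) %></div>
    """
  end
end
```

In the product page template this is then `<.rich_text html={@course.description} />`. The important point is that `raw/1` by itself is not a sanitiser; it is safe only because the string it receives has already been reduced to the allowlist above. Trix attachments (`<figure>`, `<img>` with `data-trix-attachment`) are deliberately not in this list and will be stripped; if you use them, add `img` with a scheme-checked `src` via `Meta.allow_tag_with_uri_attributes` and a fixed set of attributes rather than allowing arbitrary `data-*` values.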

Perfect, that worked! Thanks @LostKobrakai :heart:

1 Like