I am using Maruku with my RoR3 app. But the problem is that when I use the h(text) method to escape the text from the database before I use Maruku, it escapes > to &gt;, so Maruku won't see this as a blockquote.

But I still want to escape the rest of the text, so my question is how can I make this work?

I don't want to disable the escaping, but I don't want it to escape >

A: 

The following method takes HTML-encoded multiline strings and replaces all Maruku blockquote elements that have been converted to HTML entity codes (&gt;) back to >

For the purpose of this implementation a Maruku blockquote line is defined as a line beginning with one or more > sequences separated with optional whitespace.

def maruku_escape(text)
  # Only "&gt;" markers at the start of a line (optionally indented,
  # repeated for nested quotes) are restored; everything else stays escaped.
  text.gsub(/^([\s]*&gt;)+/) {|match| match.gsub(/&gt;/, '>')}
end

The following test string was used

test_text = "<b>A bold tag</b>
<span>Some text in a span</span>

Some Markdown
> Blockquote 1
  > > nested blockquote 1
  > > nested blockquote 2
  >> nested blockquote 3 with no spaces


Some plain text with an invalid blockquote > Some blockquote text
<i>The end in italics<i>"

And using this as follows:

maruku_text = maruku_escape(ERB::Util.html_escape(test_text))

Gave the following results

result =  "&lt;b&gt;A bold tag&lt;/b&gt;
&lt;span&gt;Some text in a span&lt;/span&gt;

Some Markdown
> Blockquote 1
  > > nested blockquote 1
  > > nested blockquote 2
  >> nested blockquote 3 with no spaces


Some plain text with an invalid blockquote &gt; Some blockquote text
&lt;i&gt;The end in italics&lt;i&gt;
"
Steve Weet
Someone with better regex-fu than me may be able to work out a regex that does not call gsub twice.
Steve Weet
Please also note that Rails 3 will automatically call html_escape for you.
Steve Weet
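The approach in this answer, escape everything first and then restore only the line-leading blockquote markers, as an added runnable example (this is not code from the answer above, from Maruku or from Rails). It uses the stdlib ERB::Util.html_escape that Rails' h() wraps, keeps the answer's maruku_escape, and adds a single-gsub variant in reply to the comment about calling gsub twice; maruku_escape_single_pass, escape_for_maruku and SAMPLE are names and data made up for this example.

```ruby
require 'erb'

# Escape everything HTML-special, then restore only the blockquote marker
# "&gt;" at the start of a line (optionally indented with spaces/tabs and
# repeated for nested quotes). "<", "&", '"' and "'" stay escaped, so the
# restored ">" can never re-open a tag or an attribute.
def maruku_escape(text)
  text.gsub(/^(?:[ \t]*&gt;)+/) { |markers| markers.gsub('&gt;', '>') }
end

# Single-gsub variant (this example's own suggestion, not from the answer):
# \G anchors at the end of the previous match, so "&gt;" is rewritten only
# when it follows the line start or an earlier marker on the same line;
# \K keeps the leading whitespace out of the replaced span.
def maruku_escape_single_pass(text)
  text.gsub(/(?:^|\G)[ \t]*\K&gt;/, '>')
end

# Raw text from the database -> text safe to hand to Maruku, with the
# blockquote markers intact. (Hypothetical wrapper name.)
def escape_for_maruku(raw)
  maruku_escape(ERB::Util.html_escape(raw))
end

# Constructed sample, modelled on the answer's test string.
SAMPLE = "<b>A bold tag</b>\n" \
         "> Blockquote 1\n" \
         "  > > nested blockquote 1\n" \
         "  >> nested blockquote 3 with no spaces\n" \
         "Some plain text with an invalid blockquote > Some blockquote text\n" \
         "<i>The end in italics</i>\n"

# True if a single '<' survived escaping, i.e. markup could reach Maruku.
def reintroduces_markup?(escaped)
  escaped.include?('<')
end

if __FILE__ == $PROGRAM_NAME
  out = escape_for_maruku(SAMPLE)
  puts out
  puts "single-pass variant agrees: #{out == maruku_escape_single_pass(ERB::Util.html_escape(SAMPLE))}"
  puts "raw markup present: #{reintroduces_markup?(out)}"
end
```

Only markers at the start of a line are restored; a ">" in the middle of a line, as in the "invalid blockquote" line, stays as &gt;, which is exactly what the answer's result string shows.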
+2  A: 

Rails 3 escapes all strings by default. You need to mark them as safe by using "some_string.html_safe" or use <%= raw some_string %> in the template if you want to avoid this.

If you setup the sanitize helper to allow the HTML tags you want to pass through, you could do something like this:

<%= sanitize(@maruku_content.to_html) %>

Sanitize will scrub your content and mark the output as html_safe while leaving the desired tags intact. This option is discussed in the rails_xss plugin docs here. The example they use is for textile.

Awgy
I don't think sanitize will work though as maruku is markup but not html. In particular it uses > to indicate blockquotes
Steve Weet
Are you using Maruku to output HTML or for LaTeX? If it's for HTML, then the example above does the trick because it's escaping the HTML output of Maruku, not the stored Markdown. Markdown -> Maruku's Internal Representation -> HTML -> sanitize
Awgy
Even if it was done the other way around, sanitize won't modify a bare >. Only if it's part of something naughty like <script> will sanitize muck around with > symbols.
AlexC