stop rails from erasing HTML tags


I used the TinyMce header link to get formatting options in text input areas of my RoR 2.3.5 app.

This works fine for sending emails, but when I try to save text in the database, the HTML tags get erased and it is displayed as plain text.

For example,

<%= text_area (:inspection, :kashruth_comments, :class => 'tinymce') %>

How can I save the tags as well?

Based on this page I tried adding into config\initializers\new_rails_defaults.rb:

ActionView::Base.sanitized_allowed_tags.replace %w(strong em b i hr br ul ol li blockquote)
ActionView::Base.sanitized_allowed_attributes.replace %w(href a)

but it did not help.


In the /vendor/plugins folder, there is a plugin called xss-terminate. In the README.rdoc file, I found

To exempt some fields from sanitization, use the :except option with a list of fields not to process:

class Comment < ActiveRecord::Base
  xss_terminate :except => [ :body ]
end

To sanitize HTML with Rails's built-in sanitization, use the :sanitize option:

class Review < ActiveRecord::Base
  xss_terminate :sanitize => [ :body, :author_name ]
end

In models/inspection.rb, I added

  xss_terminate :except => [ :kashruth_comments ]
  xss_terminate :sanitize => [:kashruth_comments]

Now, when I entered 'going nuts' as bold and italic, it saves as such.

When I entered <script>going nuts</script>, it displays exactly as that, but in the database, it is stored as

<strong>&lt;script&gt;going </strong><em><strong>nuts&lt;/script&gt;</strong></em>

Does that look correct?
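The allowlist idea behind both the sanitized_allowed_tags setting in the question and the plugin's :sanitize option, written out as a small stand-alone sanitizer. This is an added illustration in modern Ruby, not the Rails 2.3 or xss-terminate implementation; it assumes the tag list from the question plus <a> with an href attribute, and its last check passes the value stored in the answer's database through unchanged.

```ruby
require 'cgi'
require 'strscan'

# Allowlist from the question's new_rails_defaults.rb, plus <a> so href filtering can be shown.
ALLOWED_TAGS  = %w(strong em b i hr br ul ol li blockquote a)
ALLOWED_ATTRS = %w(href)

TAG_RE  = %r{<(/?)([A-Za-z][A-Za-z0-9]*)((?:\s+[^\s=/>]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*(/?)>}
ATTR_RE = %r{([^\s=/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?}

# Only http(s), mailto and scheme-less (relative) links survive in href.
def safe_url?(url)
  u = CGI.unescapeHTML(url).strip.downcase
  return true unless u.include?(':')
  u.start_with?('http:', 'https:', 'mailto:')
end

# Rebuild an allowed tag keeping only allowed attributes, with values re-escaped.
def rebuild_tag(closing, name, raw_attrs, selfclose, allowed_attrs)
  return "</#{name}>" unless closing.empty?
  kept = raw_attrs.scan(ATTR_RE).map do |attr, dq, sq, bare|
    attr = attr.downcase
    value = dq || sq || bare || ''
    next unless allowed_attrs.include?(attr)
    next if attr == 'href' && !safe_url?(value)
    %( #{attr}="#{CGI.escapeHTML(CGI.unescapeHTML(value))}")
  end.compact.join
  "<#{name}#{kept}#{selfclose.empty? ? '' : ' /'}>"
end

# Walk the markup: allowed tags are rebuilt, every other tag (and any stray '<')
# is escaped so the browser renders it as literal text rather than interpreting it.
def sanitize_allowlist(html, tags = ALLOWED_TAGS, attrs = ALLOWED_ATTRS)
  out = String.new
  s = StringScanner.new(html)
  until s.eos?
    if s.scan(TAG_RE)
      name = s[2].downcase
      out << (tags.include?(name) ? rebuild_tag(s[1], name, s[3], s[4], attrs) : CGI.escapeHTML(s.matched))
    elsif s.scan(/[^<]+/)
      out << s.matched          # plain text; entities already present are kept as-is
    else
      s.getch                   # a '<' that does not start a tag
      out << '&lt;'
    end
  end
  out
end
```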