Update instructions for rich text custom rendering [ci-skip] #44421

Merged
29 changes: 13 additions & 16 deletions guides/source/action_text_overview.md
Expand Up @@ -113,16 +113,8 @@ end

## Rendering Rich Text content

Action Text will sanitize and render rich content on your behalf.
Contributor


@jonathanhefner @p8 with the removal of this line, the Action Text Overview only mentions "sanitization" in one place:

And finally, display the sanitized rich text on a page:
```erb
<%= @message.content %>
```

Surprisingly, neither ActionText::RichText nor ActionText::Content mention anything about sanitizing content in their RDoc comments.

Securing Rails Applications doesn't mention Action Text at all, nor does it mention that it is serialized by rails-html-sanitizer.

Was the removal of this line intentional, or accidental? Where would be the most appropriate place to improve the Action Text documentation with regard to its security implications?

Contributor


I've opened #49696 to try and expand upon sanitization support.


By default, the Action Text editor and content are styled by the Trix defaults.

If you want to change these defaults, remove the `// require "actiontext.scss"`
line from your `application.scss` to omit the [contents of that
file](https://raw.githubusercontent.com/basecamp/trix/master/dist/trix.css).

By default, Action Text will render rich text content into an element that
declares the `.trix-content` class:
By default, Action Text will render rich text content inside an element with the
`.trix-content` class:

```html+erb
<%# app/views/layouts/action_text/contents/_content.html.erb %>
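Review bot: this section no longer says that rendered rich text is sanitized. The sentence "Action Text will sanitize and render rich content on your behalf." directly under `## Rendering Rich Text content` is dropped and none of the added lines in this hunk restate it, so a reader of the rendering section cannot tell whether output is safe to display as-is. Suggest keeping one sentence on sanitization here, for example ahead of the `.trix-content` paragraph, so the behaviour stays documented where rendering is explained.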
Expand All @@ -131,13 +123,18 @@ declares the `.trix-content` class:
</div>
```

If you'd like to change the rich text's surrounding HTML with your own layout,
declare your own `app/views/layouts/action_text/contents/_content.html.erb`
template and call `yield` in place of the content.
Elements with this class, as well as the Action Text editor, are styled by the
[`trix` stylesheet](https://raw.githubusercontent.com/basecamp/trix/master/dist/trix.css).
To provide your own styles instead, remove the `= require trix` line from the
`app/assets/stylesheets/actiontext.css` stylesheet created by the installer.

To customize the HTML rendered around rich text content, edit the
`app/views/layouts/action_text/contents/_content.html.erb` layout created by the
installer.

You can also style the HTML used for embedded images and other attachments
(known as blobs). On installation, Action Text will copy over a partial to
`app/views/active_storage/blobs/_blob.html.erb`, which you can specialize.
To customize the HTML rendered for embedded images and other attachments (known
as blobs), edit the `app/views/active_storage/blobs/_blob.html.erb` template
created by the installer.

### Rendering attachments
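
Review bot: the rewritten layout paragraph drops the instruction to call `yield` in place of the content. The old text told readers who supply their own `app/views/layouts/action_text/contents/_content.html.erb` to keep `yield`; the new text only says to edit the layout, so someone replacing its markup has no hint that `yield` is what places the rich text inside the wrapper. Suggest adding a clause such as "keeping the `yield` call" to that sentence. The three new paragraphs also rely on files "created by the installer" without naming how to create them when they are missing, which the old "declare your own" wording covered.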
