I am using the following code in my view:
<div class="col-12 col-md-8">
<% if current_user == @post.user || current_user.try(:admin?) %>
<%=best_in_place @post, :body, :as => :textarea, inner_class: 'form-control', ok_button: 'update', ok_button_class: 'btn btn-outline-success btn-sm'%>
<% else %>
<p class="postbody"><%= sanitize @post.body %></p>
<% end %>
<div class="py-3">
Input text:
Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua.
Expected: #code blocks doesn't accept html tags as it seems
Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua.
Behavior
Lorem <b> ipsum </b> dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua.
If I am logged out my post.body gets sanitized.
However, if I am logged in the text accepts html tags. (doesn't get sanitized I guess)
In the best_in_place documentation it says sanitize is set to true by default. I tried sanitize: true as well, still doesn't work.
Does anyone know why it behaves like this?
Best regards
It seems there is an undocumented option:
That will enable pure HTML to be rendered, without converting it to plain text before display. Someone else posted about the same problem on Github. See here:
https://github.com/bernat/best_in_place/issues/520