HTML / Ruby on Rails: allowing the less-than sign '<' inside a code block with the sanitize helper
Tags: html, ruby-on-rails, escaping, sanitize

I'm trying to escape user-generated content in Rails. I use raw together with the sanitize helper to filter content like this:

raw(sanitize(code, :tags => ['<', 'h2','h3','p','br','ul','ol','li','code','pre','a'] ))

The content is, for example:

mysql -u sat -p -h localhost database < data.sql
Rails 3 adds an html_safe attribute to every string instance. Unless html_safe is set to true (simplified), every string that is printed or inserted into the database is escaped. What raw does is actually set html_safe to true. So you should only pass it a string that is already safe/escaped.

A possible solution looks like this:

strip_tags(code).html_safe

Depending on your use case you might have to add extra checks/string replacements.

According to your comment you might need a more sophisticated version. You could try to replace all the characters you want to allow, sanitize the string, and then replace them back, so that the sanitize method does not clean more than is actually needed. Try the following:

code = "mysql -u sat -p -h localhost database < data.sql"

# Characters that should survive sanitize, keyed by a placeholder name
ALLOWED_SIGNS = {
  :lower_than => "<".html_safe
}

s = code.dup
# Swap every allowed character for a format placeholder such as "%{lower_than}"
# (gsub! rather than sub!, so every occurrence is swapped, not only the first).
# Note: a literal "%" in the code would confuse the String#% step below.
ALLOWED_SIGNS.each { |k, v| s.gsub!(v, "%{#{k}}") }
# Sanitize the placeholder version, then put the characters back
sanitize(s) % ALLOWED_SIGNS
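An added example, not code from the question or from any of the answers, of the route the first answer's "pass an already escaped string" advice points to: the :tags list names elements, so '<' has no meaning there, and a '<' inside a code block only needs to be escaped to &lt;, which the browser renders back as '<'. It uses only Ruby's CGI module, no Rails; the function names render_code_block, displayed_text, only_allowed_tags? and reinsert_raw_lt are my own.

```ruby
require "cgi"

# Added example, not the page's own code. The sanitize helper's :tags list
# names elements; "<" is not an element, so listing it does nothing. A "<"
# inside a <code> block only has to be escaped to "&lt;", which the browser
# renders as "<" again. Everything below is plain Ruby (CGI), no Rails.
ALLOWED_TAGS = %w[h2 h3 p br ul ol li code pre a].freeze

# Escape an untrusted snippet and wrap it in the elements we allow.
# "<", ">", "&" and quotes in the snippet become entities, so nothing in
# the snippet can be parsed by the browser as markup.
def render_code_block(snippet)
  "<pre><code>#{CGI.escapeHTML(snippet)}</code></pre>"
end

# What the reader sees: the text inside the code element with entities
# decoded, i.e. the original command, "<" included.
def displayed_text(html)
  inner = html[%r{<pre><code>(.*)</code></pre>}m, 1]
  CGI.unescapeHTML(inner)
end

# Check on a rendered fragment: every tag present must be whitelisted and no
# raw "<" may remain outside a tag (a "<" not followed by a tag name).
def only_allowed_tags?(html)
  tags = html.scan(%r{</?([a-zA-Z][a-zA-Z0-9]*)[^>]*>}).flatten
  tags.all? { |t| ALLOWED_TAGS.include?(t.downcase) } &&
    html.scan(%r{<(?!/?[a-zA-Z])}).empty?
end

# The placeholder trick from the answer above boils down to this: sanitize,
# then put the raw "<" back. It passes for "< data.sql" only because browsers
# treat "<" followed by a space as text; "<b" would open a <b> element.
def reinsert_raw_lt(snippet)
  "<pre><code>#{CGI.escapeHTML(snippet).gsub('&lt;', '<')}</code></pre>"
end

if __FILE__ == $PROGRAM_NAME
  cmd = "mysql -u sat -p -h localhost database < data.sql" # constructed input
  html = render_code_block(cmd)
  puts html
  puts displayed_text(html)
  puts only_allowed_tags?(render_code_block("x <b")) # true
  puts only_allowed_tags?(reinsert_raw_lt("x <b"))   # false
end
```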
This might help: the sanitizer provides some options for giving a whitelist of tags and attributes that should be ignored during sanitization.

ActionView::Base.full_sanitizer.sanitize(html_string) # basic syntax
# Note: full_sanitizer strips every tag; the :tags/:attributes options are
# honoured by white_list_sanitizer (what the sanitize helper uses).

The whitelist of tags and attributes can be specified like this:

ActionView::Base.full_sanitizer.sanitize(html_string, :tags => %w(img br p), :attributes => %w(src style))

The statement above allows the tags img, br and p and the attributes src and style.

I don't think this is possible with the default sanitize method in Rails. Instead, try using the Sanitize gem:

# gem 'sanitize' in the Gemfile
class MyModel < ActiveRecord::Base
  # Element whitelist for the Sanitize gem
  ALLOWED_ELEMENTS = ['h2','h3','p','br','ul','ol','li','code','pre','a']

  before_save :sanitize_code

  private

  # Strip everything except the whitelisted elements before the record is saved
  def sanitize_code
    self.code = Sanitize.fragment(code, elements: ALLOWED_ELEMENTS)
  end
end

When outputting the content, just use the raw view helper, e.g.
The whole problem seems to be related to the way the data is stored in the database. Previously the less-than sign ... this gem solved the problem:

gem 'nokogiri'
Nokogiri::HTML::DocumentFragment.parse('hi x>5').text
=> "hi x>5"

Consider replacing '

Comments:

I can't reproduce your problem in the console. Maybe you should show the exact content you pass to sanitize.

Also, "mysql -u sat -p -h localhost database ... sanitize method's example code. So you can add the allowed tags the same way as in your question. In one of my applications ... how would you allow the less-than "

This is how I allow the img, br and p elements and the src and style attributes.

As "... If you pay attention to my question description, that is exactly how I allow tags. If I could "try some workaround" I wouldn't be asking this question here." said Islamabad Wazeri